In the past we have written a couple of articles on using tshark to strip WPA capture files down to a specific ESSID or SSID, but in some cases it can be more useful to strip the capture down by BSSID, i.e. the MAC address of the WAP. Isolating packets by BSSID or WAP MAC address is useful in a scenario where a wireless deployment has numerous WAPs and you have captured a specific SSID's traffic from more than one WAP. Below is information on how to strip down a capture file based on BSSID and information on capture size before stripping the file down.
It is very common when obtaining wireless network handshakes to end up with a huge capture file (typically .cap or .pcap). Previously purehate wrote this article on filtering out SSID-specific EAPOL packets from a capture file, but if you wanted to keep any and all packets related to a specific SSID, including data packets, beacon frames, etc., the below tshark command will accomplish that. This is very similar to the previous article but will provide more data for the user and still slim down a capture file if you had packets from multiple SSIDs.
Typically when I need to use tshark I do so on a Linux server; however, there are times when it is convenient to have tshark available on my Windows 7 laptop. The TShark application is installed with Wireshark, so installing TShark is very easy using the Wireshark GUI installer on Windows. One thing that makes tshark more useful is adding the tshark.exe executable to your PATH on Windows so you can open a command prompt and use TShark from any directory. Follow the directions below to first install Wireshark and then to add the directory that includes tshark.exe to your Windows 7 PATH.
A while ago I wrote a short tutorial on how to strip down a wireless capture which contained a WPA handshake so that only EAPOL packets and beacon frames were left. I have since found a slightly better way to do it, so I decided to make a new post. In the previous article I showed how to strip by wlan.mgt frames containing the MAC address. The problem with this is that it strips out lots of other packets which some programs use to check for the ESSID. I looked into the issue some more and found a way to strip just by ESSID.
I sometimes use tshark to strip down packet captures based on specific variables and needed to install tshark on a CentOS Linux server I recently built for various development tasks. The problem is that when attempting to install tshark using yum, it returned an error because there was no package named tshark available in any of the yum repositories I had configured.