Wireshark Commands
Basics
- Live packet capture and analysis tool
- Ships with command-line tools including TShark, dumpcap and sshdump
## Monitor Mode to capture exclusively raw wireless frames
sudo ip link set wlan0 down
sudo iwconfig wlan0 mode monitor
sudo ip link set wlan0 up
## Channel hopping script for Wireshark
# Cycle through the 2.4 GHz channels until interrupted (run as root). wlan0mon is the name airmon-ng gives a monitor interface; with the iwconfig steps above the interface keeps its name (wlan0)
while true; do
  for channel in 1 6 11 2 7 10 3 8 4 9 5; do
    iw dev wlan0mon set channel ${channel}
    sleep 1
  done
done
## Alternative channel hopping
sudo airodump-ng wlan0mon
## Saving and Exporting Packets
File > Export Specified Packets > [name].pcap
## Display Filters
Analyze > Display Filter Expression
wlan.fc.type == 2 # Frame Control for data frames only
## Capture Filters (Berkeley Packet Filters)
not subtype beacon # Prevent beacon frame noise
(wlan addr1 3A:30:F9:0F:E1:95) or (wlan addr2 3A:30:F9:0F:E1:95) or (wlan addr3 3A:30:F9:0F:E1:95) or (wlan addr4 3A:30:F9:0F:E1:95) # Filter for a single device: an 802.11 frame carries between one and four address fields, so match all four
not type control # Remove control frame noise like RTS/CTS
not subtype probe-req
not subtype probe-resp
# Wireshark Command-Line Interface
sudo wireshark --help
sudo wireshark -D # Display interfaces
sudo wireshark -i wlan0mon -k # Automatic capture
sudo wireshark -i wlan0 -I -k # Add monitor mode
sudo wireshark -i 4 -I -k # Use index from display interfaces
sudo wireshark -i wlan0mon -k -f "not subtype beacon" # Add capture filter
sudo wireshark -i wlan0mon -k -s 60 # Capture first 60 bytes of each packet
wireshark wifi.pcap # Open pcap files
# Remote Packet Capture
sudo tcpdump -i wlan0mon -w - -U # -w - writes pcap to stdout; -U flushes each packet as it arrives instead of waiting for the buffer to fill
sudo dumpcap -w - -P -i wlan0mon # -P writes classic pcap instead of pcapng
sudo tshark -w - -i wlan0mon
# Understanding named and unnamed pipes
ls /var/log | more # unnamed pipe
sudo tcpdump -U -w - -i wlan0mon | wireshark -k -i - # tcpdump input for wireshark
mkfifo /tmp/named_pipe # create first in first out named pipe
sudo wireshark -k -i /tmp/named_pipe # OR -->
Capture > Options > Manage Interfaces > Create New Pipe
sudo tcpdump -U -w - -i wlan0mon > /tmp/named_pipe
ssh root@10.11.0.196 "sudo -S tcpdump -U -w - -i wlan0mon" | sudo wireshark -k -i - # Remote SSH to local stdout and then pipe to wireshark OR -->
In Wireshark: Cog wheel next to SSH remote capture: sshdump
Remote SSH server address + port
Enter authentication details + enter remote capture command # sudo dumpcap -w -
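The single-device capture filter above and the "remote tcpdump over SSH into a local named pipe" workflow, wrapped in a small script. This is an added example, not part of the original notes: the host, interface and client MAC are placeholders passed on the command line, the remote account is assumed to be able to run tcpdump via sudo (with -S so the password is read from the forwarded stdin, as in the notes), and the local user is assumed to be able to run wireshark. The helper functions can be sourced and checked without any network access.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes). Assumptions: remote host runs
# tcpdump under sudo; local user runs wireshark; all names are placeholders.

# Validate a MAC address: six hex octets separated by colons.
is_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Build a BPF capture filter matching every 802.11 frame that involves one
# device. A frame carries one to four address fields, so all four are checked.
# An extra clause (e.g. "not subtype beacon") is AND-ed on when given.
mac_filter() {
    local mac="$1" extra="${2:-}" f
    is_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    f="((wlan addr1 $mac) or (wlan addr2 $mac) or (wlan addr3 $mac) or (wlan addr4 $mac))"
    if [ -n "$extra" ]; then
        f="$f and ($extra)"
    fi
    printf '%s' "$f"
}

# Build the remote tcpdump command. -U flushes each packet to stdout as it
# arrives and -w - writes pcap to stdout; sudo -S reads its password from
# stdin, which ssh forwards from the local terminal. The filter is
# single-quoted so its spaces survive the ssh round trip.
build_remote_cmd() {
    local iface="$1" filter="${2:-}"
    if [ -n "$filter" ]; then
        printf "sudo -S tcpdump -U -w - -i '%s' '%s'" "$iface" "$filter"
    else
        printf "sudo -S tcpdump -U -w - -i '%s'" "$iface"
    fi
}

# Create a private FIFO (named pipe) in a fresh temp dir and print its path.
make_pipe() {
    local dir
    dir=$(mktemp -d) || return 1
    mkfifo -m 600 "$dir/capture.fifo" || return 1
    printf '%s' "$dir/capture.fifo"
}

# True when the path is a FIFO.
is_fifo() { [ -p "$1" ]; }

# Start Wireshark on the FIFO first (the reader), then feed it from the remote
# capture: the writer blocks until a reader has opened the pipe, so the order
# matters. The FIFO directory is removed when the script exits.
CAPTURE_FIFO=""
run_remote_capture() {
    local host="$1" iface="$2" filter="${3:-}" cmd
    CAPTURE_FIFO=$(make_pipe) || return 1
    trap '[ -n "$CAPTURE_FIFO" ] && rm -rf "${CAPTURE_FIFO%/*}"' EXIT
    cmd=$(build_remote_cmd "$iface" "$filter")
    sudo wireshark -k -i "$CAPTURE_FIFO" &
    ssh "$host" "$cmd" > "$CAPTURE_FIFO"
    wait
}

# Only launch a real capture when asked explicitly, so the helpers above can be
# exercised without root or network access.
# Usage: ./remote_capture.sh --run user@host wlan0mon [client MAC]
if [ "${1:-}" = "--run" ]; then
    filter=""
    if [ -n "${4:-}" ]; then
        filter=$(mac_filter "$4" "not subtype beacon") || exit 1
    fi
    run_remote_capture "${2:?remote host}" "${3:?remote interface}" "$filter"
fi
```

Running it with `--run user@host wlan0mon 3A:30:F9:0F:E1:95` reproduces the ssh-to-pipe-to-wireshark chain from the notes, with the four-address filter applied on the remote side so only that client's frames (minus beacons) cross the SSH link.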
Other Wireshark links:
- Coloring Rules: https://wiki.wireshark.org/ColoringRules
- Apply as Column for channels (Analyze > Apply as Column)
- Capture snaplen (Snapshot length)
- IEEE 802.11 Preferences: Edit > Preferences
- Decryption of WEP and WPA1/2 (Edit > Enable Decryption)
- WEP key aa:bb:cc:dd:ee
- WPA-PWD passphrase:essid
- WPA-PSK 256-bit pre-shared key as hex
- Decrypted packets can't be exported, decryption may fail when too many associations are present, and it requires the full 4-way handshake to have been captured
- WLAN Statistics
- Wireless > WLAN traffic
