Wifi Capture Filters

WPA2 Networks

identify a network that is using WPA2-PSK

wlan.tag.number == 221 or wlan.tag.number == 48

WPA2 PMKID

PMKID is a unique, per client key identifier found in the first EAPOL frame
Contained in optional RSN IE for AP roaming
Assigned at the time of joining a network to track with PMK should be used for the network
The PMKID is used to identify to the AP which PMK should be used for the newly roamed client.

wlan.rsn.ie.pmkid
# OR
wlan.tag.number eq 221

WPS Detection

We can see if an AP supports WPS, allowing for WPS attacks

wps.wifi_protected_setup_state eq 0x02

WEP Networks

Per Wigle.net as of 2024, WEP networks make up less than 5% of all wireless networks, however they can still be found!
In every WEP packet is an:
- initialization vector
- key index number
- integrity check value.
Display only WEP encrypted data packets

wlan.wep.iv

BSSID

Filtering on BSSIDs

!wlan.bssid eq 58:6d:8f:07:4e:8d
wlan.bssid eq 58:6d:8f:07:4e:8d

Handshakes

To filter for four-way handshake packets in Wireshark

eapol

To filter for four-way handshake packets in tcpdump or to set a capture filter to only grab four-way handshake packets.

ether proto 0x888e

Beacons

wireshark filter for beacon frames

wlan.fc.type_subtype == 0x0008

Management Frames

wireshark filter for management frames

wlan.fc.type == 0

Probe Requests

Find clients looking for SSID names. Useful if you are looking to stand up an Evil Twin and would like a specific client to connect to you.
Probe requests can have privacy implications. If you capture SSID names and they are unique, you are able to query https://wigle.net to potentially find home locations/work locations

(wlan.fc.subtype == 4) && (wlan.fc.type == 0)
# filter out probe requests
!(wlan.fc.subtype == 4) && !(wlan.fc.type == 0)

WPA3 PSK networks

We can identify these networks in a wireshark pcap by filtering off the Auth Key Management suite in use

wlan.fc.type_subtype == 0x0008 && wlan.rsn.akms == 0x00FAC08

above AKMS identifies the most common key type in use GCMP-128

Find Data packets with no Frame Body Encryption

Encryption can still be used at the application layer i.e. TLS
Can catch protocols that are not encrypted

wlan.fc.protected == 0 && wlan.fc.type == 2

WPA3 Transition networks

wireshark filter for WPA3 transition networks. They will have to broadcast two cipher suites at once

wlan.fc.type_subtype == 0x0008 && wlan.rsn.akms ==  0x000FAC02 && wlan.rsn.akms == 0x000FAc08

0x000FAC02 == WPA2
0x000FAC08 == WPA3

Tcpdump no Beacons / Control frames

tcpdump -i wlan0mon -s 0 -n -w out.pcap 'not type mgt subtype beacon and not type ctl'

capture the whole packet with -s 0
capture everything that are not beacon frames + control frames (loud)
- generally 10 beacon frames a second from each AP. If you are in range of 20 APs that can get rough quickly on pcap size
Great assessment tcpdump filter for assessments on smaller devices like a Pi

PreviousWifi/Bluetooth/ZigBee/SDR/SmartCards NextBluetooth Basics

Last updated 1 year ago

hashtagWPA2 Networks

hashtagWPA2 PMKID

hashtagWPS Detection

hashtagWEP Networks

hashtagBSSID

hashtagHandshakes

hashtagBeacons

hashtagManagement Frames

hashtagProbe Requests

hashtagWPA3 PSK networks

hashtagFind Data packets with no Frame Body Encryption

hashtagWPA3 Transition networks

hashtagTcpdump no Beacons / Control frames

WPA2 Networks

WPA2 PMKID

WPS Detection

WEP Networks

BSSID

Handshakes

Beacons

Management Frames

Probe Requests

WPA3 PSK networks

Find Data packets with no Frame Body Encryption

WPA3 Transition networks

Tcpdump no Beacons / Control frames