# Wifi Capture Filters

### WPA2 Networks

* Identify a network that is using WPA2-PSK: tag 48 is the RSN IE, tag 221 is the vendor-specific IE that carries the older WPA IE (tag 221 also carries other vendor IEs such as WMM, so expect extra matches)

```
wlan.tag.number == 221 or wlan.tag.number == 48
```

### WPA2 PMKID

* PMKID is a unique, per-client key identifier found in the first EAPOL frame (message 1 of the four-way handshake)
* It is carried in the optional RSN IE, where it supports AP roaming
* It is assigned when a client joins a network and tracks which PMK should be used for that network
* When a client roams, the PMKID tells the new AP which PMK should be used for that client.

```
wlan.rsn.ie.pmkid
# OR
wlan.tag.number eq 221
```

### WPS Detection

* Shows whether an AP advertises WPS (state 0x02 = configured), which is what WPS attacks rely on

```
wps.wifi_protected_setup_state eq 0x02
```

### WEP Networks

* Per Wigle.net as of 2024, WEP networks make up less than 5% of all wireless networks, but they can still be found!
* Every WEP data packet carries:
  * an initialization vector (IV)
  * a key index number
  * an integrity check value (ICV)
* Display only WEP-encrypted data packets:

```
wlan.wep.iv
```

### BSSID

* Filter on a BSSID (the first line excludes it, the second keeps only it)

```
!wlan.bssid eq 58:6d:8f:07:4e:8d
wlan.bssid eq 58:6d:8f:07:4e:8d
```

### Handshakes

* To filter for four-way handshake packets in Wireshark

```
eapol
```

* To filter for four-way handshake packets in tcpdump, or to set a capture filter that only grabs four-way handshake (EAPOL) packets:

```
ether proto 0x888e
```

### Beacons

* Wireshark filter for beacon frames

```
wlan.fc.type_subtype == 0x0008
```

### Management Frames

* Wireshark filter for management frames

```
wlan.fc.type == 0
```

### Probe Requests

* Find clients looking for SSID names. Useful if you are looking to stand up an Evil Twin and would like a specific client to connect to you.
* Probe requests can have privacy implications. If you capture SSID names and they are unique, you can query <https://wigle.net> to potentially find home or work locations.

```
(wlan.fc.type == 0) && (wlan.fc.subtype == 4)
# filter out probe requests (negate the whole type+subtype test, not each half)
!(wlan.fc.type == 0 && wlan.fc.subtype == 4)
```

### WPA3 PSK networks

* We can identify these networks in a Wireshark pcap by filtering on the Authentication and Key Management (AKM) suite in use. Transition-mode networks (see below) also match this filter, since they advertise SAE alongside PSK.

```
wlan.fc.type_subtype == 0x0008 && wlan.rsn.akms == 0x000FAC08
```
```

* The AKMS value above identifies the most common key type in use, GCMP-128

### Find Data packets with no Frame Body Encryption

* Encryption can still be in use at the application layer, e.g. TLS
* Catches protocols that are not encrypted at all

```
wlan.fc.protected == 0 && wlan.fc.type == 2
```

### WPA3 Transition networks

* Wireshark filter for WPA3 transition networks, which have to advertise both AKM suites (WPA2-PSK and WPA3-SAE) in the RSN IE at once

```
wlan.fc.type_subtype == 0x0008 && wlan.rsn.akms == 0x000FAC02 && wlan.rsn.akms == 0x000FAC08
```
```

* `0x000FAC02` == WPA2
* `0x000FAC08` == WPA3
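The WPA2 / WPA3 / transition distinction in the filters above comes entirely from the AKM suite list inside the RSN IE (tag 48). As an added example that is not part of the original page, the parser below walks the tagged parameters of a beacon or probe response, decodes the RSN IE, and classifies the network the same way those display filters do; the sample beacon bytes are constructed inline, and the `classify` labels and the WPA1 vendor-IE check on tag 221 are this example's own choices.

```python
import struct

IEEE_OUI = b"\x00\x0f\xac"           # RSN suite-selector OUI (00-0F-AC)
WPA1_SELECTOR = b"\x00\x50\xf2\x01"  # WPA1 vendor IE carried in tag 221

def parse_tags(tagged: bytes):
    """Yield (tag number, payload) pairs from 802.11 tagged parameters."""
    off = 0
    while off + 2 <= len(tagged):
        tag, length = tagged[off], tagged[off + 1]
        yield tag, tagged[off + 2:off + 2 + length]
        off += 2 + length

def suite_type(raw: bytes):
    # Suite type byte of a 4-byte selector, or None if the OUI is not 00-0F-AC
    return raw[3] if raw[:3] == IEEE_OUI else None

def parse_rsn(ie: bytes) -> dict:
    """Decode an RSN IE (tag 48): version, group cipher, pairwise ciphers, AKMs."""
    (version,) = struct.unpack_from("<H", ie, 0)
    group, off = suite_type(ie[2:6]), 6
    (n,) = struct.unpack_from("<H", ie, off); off += 2
    pairwise = [suite_type(ie[off + 4 * i:off + 4 * i + 4]) for i in range(n)]
    off += 4 * n
    (n,) = struct.unpack_from("<H", ie, off); off += 2
    akms = [suite_type(ie[off + 4 * i:off + 4 * i + 4]) for i in range(n)]
    return {"version": version, "group": group, "pairwise": pairwise, "akms": akms}

def classify(tagged: bytes) -> str:
    """Same decision the page's filters make: tag 48/221 presence, AKM 2 (PSK) vs 8 (SAE)."""
    rsn, wpa1 = None, False
    for tag, data in parse_tags(tagged):
        if tag == 48:
            rsn = parse_rsn(data)
        elif tag == 221 and data.startswith(WPA1_SELECTOR):
            wpa1 = True
    if rsn is None:
        return "WPA1 (vendor IE only)" if wpa1 else "open or WEP (no RSN IE)"
    akms = set(rsn["akms"])
    if {2, 8} <= akms:
        return "WPA3 transition (PSK+SAE)"
    if 8 in akms:
        return "WPA3-SAE"
    return "WPA2-PSK" if akms & {2, 6} else "RSN with other AKMs"

# Constructed sample tagged parameters (SSID "test" + RSN IE), not captured traffic.
SAMPLE_WPA2 = (b"\x00\x04test" b"\x30\x14" b"\x01\x00" b"\x00\x0f\xac\x04" b"\x01\x00"
               b"\x00\x0f\xac\x04" b"\x01\x00" b"\x00\x0f\xac\x02" b"\x00\x00")
SAMPLE_TRANSITION = (b"\x00\x04test" b"\x30\x18" b"\x01\x00" b"\x00\x0f\xac\x04" b"\x01\x00"
                     b"\x00\x0f\xac\x04" b"\x02\x00" b"\x00\x0f\xac\x02" b"\x00\x0f\xac\x08" b"\x8c\x00")
```

Feed `classify` the tagged-parameter bytes of a real beacon (everything after the fixed 12-byte beacon body) to get the same WPA2 / SAE / transition answer the filters give, plus the parsed cipher list for frames the filters only flag.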

### Tcpdump no Beacons / Control frames

```
tcpdump -i wlan0mon -s 0 -n -w out.pcap 'not type mgt subtype beacon and not type ctl'
```

* capture the whole packet with `-s 0`
* capture everything except beacon frames and control frames (both are loud)
  * each AP generally sends about 10 beacon frames a second; in range of 20 APs the pcap size gets rough quickly
* A great tcpdump filter for assessments on smaller devices like a Pi
