As those who have studied our Wireless Profile (available from the Profile Repository) know, there are a number of great display filters for hunting down issues on wireless LANs. For example, when you see a lot of Disassociations and Deauthentications, there may be trouble brewing within the WLAN. Perhaps those events are being caused by a malicious source rather than the Access Point.
On a recent troubleshooting job, we wanted to capture only those events as they occurred, so instead of applying a display filter after the fact, we used a capture filter, which discards every other frame before it is ever written to disk.
Here is how I solved the problem. I used T-Shark.
To start, I opened Windows PowerShell (I am trying to teach myself to use PowerShell more than CMD, but like anyone else who has used Microsoft since before Windows, I struggle!) and, with my AirPcap interface plugged in, checked to make sure I could see the interface. You will see below that first I changed directory to the Wireshark program directory (in PowerShell you have to put the path in quotes when it contains a space), then I ran T-Shark with -D to list the current interfaces (again a PowerShell thing: you have to start the command with './' to get it to execute from the current directory):
We clearly see that it is the first interface in the list.
Now we can issue the following command:
tshark -i 1 -f "subtype deauth or subtype disassoc"
The result (I let it run for a little while, CTRL-C will stop):
How cool is that?? We can quickly see the MAC addresses involved (they should match systems I am expecting to send these packets; if not, I have an intruder). One caveat: 802.11 management frames are not authenticated unless the network uses Protected Management Frames (802.11w), so a deauthentication flood will usually spoof the Access Point's own MAC address. A burst of these frames that appears to come from a "known" address is still worth investigating, and the reason code in each frame helps tell a normal roam or shutdown apart from a flood.
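To make clear what that capture filter actually matches, and to show the address and reason-code check described above, here is an added example in Python; it is not code from the original post. It applies the same selection as "subtype deauth or subtype disassoc" (management frames with subtype 12 or 10, read from the frame control byte) to a handful of constructed 802.11 management frames, then flags any frame whose sender or BSSID is not in an expected list. The MAC addresses, the expected-address set and the frames themselves are made up for the example; the frame layout and reason codes follow IEEE 802.11.

```python
# Added example (not from the original post): the Python equivalent of the tshark
# capture filter  -f "subtype deauth or subtype disassoc"  applied to constructed
# 802.11 management frames, plus an expected-address check on the matches.
import struct
from collections import Counter

# Frame control, first byte: bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype.
TYPE_MGMT = 0
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10   # first byte 0xA0
SUBTYPE_DEAUTH = 12     # first byte 0xC0

REASON_CODES = {  # a few IEEE 802.11 reason codes commonly seen in these frames
    1: "Unspecified reason",
    2: "Previous authentication no longer valid",
    3: "Deauthenticated because sending STA is leaving (or has left) IBSS or ESS",
    6: "Class 2 frame received from nonauthenticated STA",
    7: "Class 3 frame received from nonassociated STA",
    8: "Disassociated because sending STA is leaving (or has left) BSS",
}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def frame_type_subtype(frame):
    fc = frame[0]
    return (fc >> 2) & 0x3, (fc >> 4) & 0xF

def matches_filter(frame):
    """Same test the BPF filter 'subtype deauth or subtype disassoc' performs."""
    ftype, subtype = frame_type_subtype(frame)
    return ftype == TYPE_MGMT and subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC)

def parse_mgmt(frame):
    """Parse the 24-byte management header and the 2-byte reason code that follows it."""
    if len(frame) < 26:
        raise ValueError("frame too short for a deauth/disassoc frame")
    fc, duration, addr1, addr2, addr3, seq = struct.unpack("<HH6s6s6sH", frame[:24])
    (reason,) = struct.unpack("<H", frame[24:26])
    _, subtype = frame_type_subtype(frame)
    return {
        "subtype": {SUBTYPE_DEAUTH: "deauth", SUBTYPE_DISASSOC: "disassoc"}.get(
            subtype, f"subtype-{subtype}"),
        "da": mac_str(addr1), "sa": mac_str(addr2), "bssid": mac_str(addr3),
        "seq": seq >> 4,
        "reason": reason,
        "reason_text": REASON_CODES.get(reason, "Reserved/unknown"),
    }

def build_mgmt(subtype, da, sa, bssid, body, seq=0):
    """Construct a management frame (no radiotap header, no FCS) for the sample data."""
    fc = (TYPE_MGMT << 2) | (subtype << 4)
    return struct.pack("<HH6s6s6sH", fc, 0x013A, da, sa, bssid, seq << 4) + body

def suspicious_frames(frames, expected_macs):
    """Apply the capture filter, then mark frames whose sender or BSSID is unexpected.
    A matching MAC is not proof of legitimacy: unprotected management frames can be
    spoofed, so the caller should also look at volume and reason codes."""
    hits = []
    for frame in frames:
        if not matches_filter(frame):
            continue
        info = parse_mgmt(frame)
        info["unexpected"] = (info["sa"] not in expected_macs
                              or info["bssid"] not in expected_macs)
        hits.append(info)
    return hits

def deauth_counts(hits):
    """Frames per claimed sender: a high count from one address suggests a flood."""
    return Counter(h["sa"] for h in hits)

# Constructed sample data (hypothetical addresses, not from the original capture).
AP = bytes.fromhex("001122334455")
CLIENT = bytes.fromhex("66778899aabb")
ROGUE = bytes.fromhex("deadbeef0001")
BROADCAST = b"\xff" * 6
EXPECTED = {mac_str(AP), mac_str(CLIENT)}

SAMPLE_FRAMES = [
    build_mgmt(SUBTYPE_BEACON, BROADCAST, AP, AP, b"\x00" * 12),            # dropped by filter
    build_mgmt(SUBTYPE_DEAUTH, CLIENT, AP, AP, struct.pack("<H", 3), 1),     # AP shutting down
    build_mgmt(SUBTYPE_DISASSOC, AP, CLIENT, AP, struct.pack("<H", 8), 2),   # client leaving
    build_mgmt(SUBTYPE_DEAUTH, BROADCAST, ROGUE, ROGUE, struct.pack("<H", 7), 3),  # unknown sender
    build_mgmt(SUBTYPE_DEAUTH, BROADCAST, AP, AP, struct.pack("<H", 7), 4),  # claims to be the AP
]

if __name__ == "__main__":
    hits = suspicious_frames(SAMPLE_FRAMES, EXPECTED)
    for h in hits:
        flag = "UNEXPECTED" if h["unexpected"] else "expected"
        print(f'{h["subtype"]:8} {h["sa"]} -> {h["da"]} bssid={h["bssid"]} '
              f'reason={h["reason"]} ({h["reason_text"]}) [{flag}]')
    print("frames per claimed sender:", dict(deauth_counts(hits)))
```

The beacon is dropped exactly as tshark would drop it under the capture filter; of the four frames that pass, the rogue sender is flagged by the address check, while the last frame, which spoofs the Access Point's own address, passes it. That last case is why the per-sender count and the reason code matter alongside the MAC comparison.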
There is so much more you can do with T-Shark using this type of capture filter. Keep in mind that capture filters use Berkeley Packet Filter (BPF) syntax, the same syntax tcpdump uses, and a good reference for it (the pcap-filter manual page) can be found here.
To see some of our other T-Shark articles - look here.
Let us know what other clever T-Shark uses you come up with.