![]() ![]() You have already chased packet loss in one of your previous questions, but that was a decrypted data packet. What do you think will happen when your capture system misses an EAPOL frame? Packet loss is a big issue with wireless networks, so your whole scheme will cease to work until the next plain text EAPOL handshake comes through cleanly. If it works, this capture scheme falls into the category of 'just because you can doesn't mean you should'. I'm not sure it will meet your needs but it is a start - it may only work on capture files already collected, not decrypt -> filter -> store. You are going to have to decrypt prior to filtering. But as I've already said, I might not know all potential users' MACs since not all clients might be connected. Using wlan host results in a more stable capture. However, if I don't use any capture filter, or for example drop beacons only ( wlan != 0x80), I often see "TCP previous segment not captured" and "TCP ACKed unseen segment". ![]() ![]() Users might connect and disconnect at any time so I don't know their MACs beforehand. For a reliable estimate, statistics should be gathered for a few hours / a day. The goal is to monitor which unsecured HTTP sites nearby users of some AP of a particular channel visit. What options do I have? Or rather what filters might I use to capture as little irrelevant packets (not HTTP or not EAPOL) as possible in WPA network? Tshark -i wlan0mon -f "ether proto 0x888e or tcp port 80" -w tshark.pcapīut tcp port 80 filter works well only in open wifi. I want to capture HTTP traffic of WPA/WPA2 secured network through Alfa adapter, put in a monitor mode, Since, without any capture filter, file size grows quite fast, I want to save only HTTP and EAPOL handshakes to be able to decrypt HTTP packets. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |