TCPDUMP
(-i) interface; (-w) output file (- for stdout); (-U) write each packet as soon as it arrives instead of buffering
sudo tcpdump -i wlan0mon -w - -U
DUMPCAP
(-P) write the output in pcap format
sudo dumpcap -w - -P -i wlan0mon
TSHARK
sudo tshark -w - -i wlan0mon
TSHARK EAP 1
# show packets in a file
sudo tshark -r wpa-eap-tls.pcap
# show captured packets applying a filter for packets containing certificates exchanged during handshaek
sudo tshark -r wpa-eap-tls.pcap -Y "tls.handshake.certificate"
# show all data (-x)
sudo tshark -r wpa-eap-tls.pcap -Y "tls.handshake.certificate" -x
# show all fields in capture files (the ones filtered with -Y)
tshark -r b64.pcap -Y "tls.handshake.certificate" -T pdml
# show a specific field (in this case, the certificate)
tshark -r b64.pcap -Y "tls.handshake.certificate" -T fields -e "tls.handshake.certificate"
# full plaintext dump of packet (the same that you can see on wireshark)
tshark -nr b64.pcap -2 -R "ssl.handshake.certificate" -V
# in JSON format, easier to read:
tshark -nr b64.pcap -2 -R "ssl.handshake.certificate" -T json -V
Piping packets to wireshark
sudo tcpdump -U -w - -i wlan0mon | wireshark -k -i -
Running the capture remotely over SSH
ssh root@10.11.0.196 "sudo -S tcpdump -U -w - -i wlan0mon" | sudo wireshark -k -i -
tshark eap filters ↩