Jump to content

Wireshark filter for _possible_ UDP unicast packets in encrypted wifi traffic


Recommended Posts

I've come across an interesting security-through-obscurity feature in a wifi device from a well known hardware manufacturer.

I've created a small application that demonstrates how the underlying data being transmitted can be recovered.

I'm using tshark to capture the data I need and currently I'm capturing all wifi frames that I can see in my vicinity.

But before I publish any details of the approach I'd like to narrow my tshark capture to filter out frames that can't possibly be relevant.

Assume all wifi networks in the vicinity are protected with WPA2, WPA or WEP and that I do not have the necessary keys to decrypt any of the traffic (nor do I need or intend to try any key recovery for what I'm doing).

OK - so given this I can only say so much about each frame.

So can someone suggest a filter that will capture the minimum amount of frames while still retaining all frames that could potentially be the result of the transmission of non-empty UDP unicast packets.

At the very least I can filter out wifi probes etc. but I'm sure it's possible to do way better.

My current demonstration application works fine trawling through all frames but I'd like to make it faster by not capturing frames that can't possibly be relevant.

If you're asking yourself how good this security-through-obscurity feature can be if it can be side stepped by someone who clearly doesn't know much about wireshark or the characteristics of wifi frames then you'd be right in thinking "not very good at all."

Still the approach being taken by this manufacturer is interesting and I'd like to document it.



Link to comment
Share on other sites

This should get you close.

In most cases RTP port numbers are dynamically assigned. You can use something like the following which limits the capture to UDP, even source and destination ports, a valid RTP version, and small packets. It will capture any non-RTP traffic that happens to match the filter (such as DNS) but it will capture all RTP packets in many environments.

  • udp[1] & 1 != 1 && udp[3] & 1 != 1 && udp[8] & 0x80 == 0x80 && length < 250

Via: http://wiki.wireshark.org/CaptureFilters

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...