Friday, January 24, 2020

USB 802.11 chipset table

802.11AC USB adapters and their chipsets. I got tired of having to look this information up so I made a table.

Device Manufacturer  Model             Chip Manufacturer  Chip          Reference
Asus                 USB-AC53 Nano     Realtek            RTL8812BU     ref
Cudy                 WU600             xxx                xxx           xxx
Cudy                 WU650             xxx                xxx           xxx
Cudy                 WU1200            xxx                xxx           xxx
Edimax               EW-7822ULC        Realtek            RTL8822BU     ref
EDUP                 AC1300            Realtek            RTL8811       ref
EDUP                 EP-AC1607         Realtek            RTL8811AU     ref
EDUP                 EP-AC1686         Realtek            RTL8812BU     xxx
EDUP                 EP-DB1607         Realtek            RTL8811AU     ref
Inamax               AC600             xxx                xxx           xxx
Linksys              AE6000            MediaTek           MT7610u       ref
Linksys              WUSB6100M         Qualcomm           QCA9377       ref
Linksys              WUSB6300          Realtek            RTL88xxAU     ref
Maxesla              ?                 xxx                xxx           xxx
Netgear              A6210-100PAS      MediaTek           MT7612U       ref
Netgear              A7000-10000S      xxx                xxx           xxx
Netgear              A6100             xxx                xxx           xxx
nineplus             ?                 Realtek            RTL8812BU     ref
Ourlink              U631              xxx                xxx           xxx
Ourlink              U636              xxx                xxx           xxx
Ourlink              U1231             xxx                xxx           xxx
Ourlink              U1291             xxx                xxx           xxx
QGOO                 ?                 Realtek            RTL8811AU     ref
Techkey              AC1750            Realtek            RTL8814AU+PA  xxx
Techkey              AC1200            Realtek            RTL8812AU     ref
TP-Link              Archer T2U        MediaTek           MT7610U       ref
TP-Link              Archer T2UH (v2)  MediaTek           xxx           xxx
TP-Link              Archer T2UH (v3)  Realtek            xxx           xxx
TP-Link              Archer T2U Nano   Realtek            xxx           xxx
TP-Link              Archer T2U Plus   Realtek            xxx           xxx
TP-Link              Archer T4U (v3)   xxx                xxx           xxx
TP-Link              Archer T9UH       xxx                xxx           xxx
Trendnet             TEW-808UBM        xxx                xxx           xxx
USBNOVEL             USBNOVEL01        Realtek            RTL8812AU     ref

Sunday, January 12, 2020

Handy tshark filters for WiFi analysis

Sometimes Wireshark doesn't handle large pcap files gracefully, particularly files over a few GiB. Not to mention, using display filters to find exactly what you're looking for takes a long time (and isn't scriptable).

Enter tshark - the command-line version of Wireshark. I realized that, probably since I don't use it every day, each time I use tshark I find myself googling for the right arguments and filters to use. This post is a cheat-sheet for myself to remember some handy filters; maybe someone else will find them useful too.

Generally if I'm using tshark, it's because I need to find some interesting packets within a much larger capture file. To do this, I have tshark read in the large pcap file, apply a filter, and write the filtered packets out to a new file using a command like this:

tshark -n -r input.pcapng -w output.pcapng -Y "filter"

Some tools don't yet process the pcapng format (e.g. aircrack-ng). You can use the -F flag to tell tshark to output the older format like this:

tshark -n -r input.pcapng -w output.pcap -F pcap -Y "filter"

Note: I use the -n flag to disable name resolution, including MAC OUIs. This is so I can more easily copy/paste MAC addresses with other tools.

The table below contains some display filters for specific use cases. Note that these will work with Wireshark and tshark.

Use Case         Filter                                                                         Notes
Beacons          wlan.fc.type==0 && wlan.fc.subtype==8 && wlan.ssid==WCTF_01                    Change ssid to target SSID
Probe Requests   wlan.fc.type==0 && wlan.fc.subtype==4
EAPOL Handshake  (wlan.ta==1a:a6:f7:31:91:48 || wlan.ra==1a:a6:f7:31:91:48) && eapol            Set ta/ra to target AP MAC
Data Frames      (wlan.ta==18:a6:f7:31:91:49 || wlan.ra==18:a6:f7:31:91:49) && wlan.fc.type==2  Set ta/ra to target AP MAC

I may add to the list above if I come across other common WiFi filters, but for now these are the ones I use most often.
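
To make the table above scriptable, the following added example (not code from the original post) builds each filter from a validated AP MAC and SSID and runs the post's tshark command once per use case. The function names, the output file naming and the double-quoted SSID are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post): build the table's display
# filters from validated input and split one capture into a file per use case.

# is_mac ADDR: succeed only for six colon-separated hex octets.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# wifi_filter KIND [ARG]: print the display filter for one use case.
# ARG is the SSID for "beacons" and the AP MAC for "eapol" and "data".
wifi_filter() {
    kind=$1 arg=${2:-}
    case $kind in
        beacons)
            # Refuse empty SSIDs and characters that would end the quoted literal.
            case $arg in
                ''|*\"*|*\\*) echo "unusable SSID" >&2; return 1 ;;
            esac
            # Assumption: the SSID is double-quoted (the post's filter leaves it
            # bare) so tshark reads it as a string literal.
            printf 'wlan.fc.type==0 && wlan.fc.subtype==8 && wlan.ssid=="%s"\n' "$arg" ;;
        probes)
            printf 'wlan.fc.type==0 && wlan.fc.subtype==4\n' ;;
        eapol|data)
            is_mac "$arg" || { echo "not a MAC address: $arg" >&2; return 1; }
            base="(wlan.ta==$arg || wlan.ra==$arg)"
            if [ "$kind" = eapol ]; then printf '%s && eapol\n' "$base"
            else printf '%s && wlan.fc.type==2\n' "$base"; fi ;;
        *)
            echo "unknown use case: $kind" >&2; return 1 ;;
    esac
}

# split_capture INPUT AP_MAC SSID: write INPUT-<use case>.pcap for each filter.
split_capture() {
    src=$1 mac=$2 ssid=$3
    for kind in beacons probes eapol data; do
        case $kind in beacons) arg=$ssid ;; probes) arg= ;; *) arg=$mac ;; esac
        filter=$(wifi_filter "$kind" "$arg") || return 1
        tshark -n -r "$src" -w "${src%.*}-$kind.pcap" -F pcap -Y "$filter" || return 1
    done
}

# e.g. sh split.sh input.pcapng 1a:a6:f7:31:91:48 WCTF_01
if [ "$#" -eq 3 ]; then split_capture "$@"; fi
```

Validating the MAC and SSID before they reach -Y means a typo fails immediately instead of after tshark has read through a multi-GiB file.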