Monday, 15 April 2013

Capturing 802.11 frames with Wireshark and Airmon-ng

One easy way to capture wireless frames is to use Wireshark. We will use Linux (Ubuntu in my case, but any other distro is fine) and the Aircrack-ng suite to achieve our goal.

If you need help installing Aircrack-ng, the best place to find the information is the Aircrack-ng website: http://www.aircrack-ng.org/

First let's find out if the OS detected our wireless NIC:

root@ubuntu:~# iwconfig
wlan1     IEEE 802.11bg  ESSID:off/any 
               Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm  
               Retry  long limit:7   RTS thr:off   Fragment thr:off
               Encryption key:off
               Power Management:off

As we can see, "wlan1" is detected by the OS.

We will use only the airmon-ng program, which is part of the Aircrack-ng suite, to put the interface in monitor mode, but first we will "shut down" the wireless interface:

root@ubuntu:~# ifconfig wlan1 down

This will allow us to set the interface to a specific channel (if we don't do that, the interface driver will keep hopping through all channels). But first we will verify that the driver is correctly installed:

root@ubuntu:~# airmon-ng

Interface    Chipset        Driver

wlan1        RTL8187     rtl8187 - [phy2]

Now we can put the wireless card in monitor mode and, at the same time, set it to operate on channel 6 (802.11b/g):

root@ubuntu:~# airmon-ng start wlan1 6

....

Interface    Chipset        Driver

wlan1        RTL8187     rtl8187 - [phy2]
                (monitor mode enabled on mon0)

A new interface, "mon0", has been created; this can also be verified with:

root@ubuntu:~# iwconfig
mon0      IEEE 802.11bg  Mode:Monitor  Frequency:2.437 GHz  Tx-Power=20 dBm  
               Retry  long limit:7   RTS thr:off   Fragment thr:off
               Power Management:on
         
wlan1     IEEE 802.11bg  ESSID:off/any 
               Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm  
               Retry  long limit:7   RTS thr:off   Fragment thr:off
               Encryption key:off
               Power Management:off

We can see that the mon0 interface is in "Monitor" mode and is set to frequency 2.437 GHz (channel 6). This can be further verified with the "iwlist" command:

root@ubuntu:~# iwlist mon0 frequency
mon0      14 channels in total; available frequencies :
               Channel 01 : 2.412 GHz
               Channel 02 : 2.417 GHz
               Channel 03 : 2.422 GHz
               Channel 04 : 2.427 GHz
               Channel 05 : 2.432 GHz
               Channel 06 : 2.437 GHz
               Channel 07 : 2.442 GHz
               Channel 08 : 2.447 GHz
               Channel 09 : 2.452 GHz
               Channel 10 : 2.457 GHz
               Channel 11 : 2.462 GHz
               Channel 12 : 2.467 GHz
               Channel 13 : 2.472 GHz
               Channel 14 : 2.484 GHz
               Current Frequency:2.437 GHz (Channel 6)

Now all we need to do is start Wireshark and capture 802.11 frames on the mon0 interface; also make sure you have ticked the box "Capture all in promiscuous mode" under "Options".

When you've finished capturing and closed Wireshark, you can take the interface out of monitor mode with:

root@ubuntu:~# airmon-ng stop mon0

Interface    Chipset        Driver

mon0        RTL8187     rtl8187 - [phy2] (removed)
wlan1        RTL8187     rtl8187 - [phy2]
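The whole procedure above (bring the interface down, start monitor mode on a chosen channel, confirm with iwconfig before launching Wireshark) can be wrapped in a small POSIX shell script. This is an added example, not code from the original post or from the Aircrack-ng project. It assumes the same tools the post uses (ifconfig, airmon-ng, iwconfig) and that airmon-ng names the monitor interface "mon0", as it did on the author's system; the iwconfig text embedded in the script is a constructed sample copied from the post's own output so that the parsing and verification functions can be exercised without a wireless card or root privileges.

```shell
#!/bin/sh
# Verify that an interface really is in Monitor mode on the expected channel
# before starting a capture. Added example; assumes ifconfig/airmon-ng/iwconfig.

# iw_field OUTPUT IFACE KEY -> value of "KEY:value" inside IFACE's iwconfig block
# (iwconfig starts each interface block at column 0 and indents continuation lines).
iw_field() {
    printf '%s\n' "$1" | awk -v ifc="$2" -v key="$3" '
        /^[^ \t]/ { inblk = ($1 == ifc) }          # new block: is it ours?
        inblk && match($0, key ":[^ ]+") {
            print substr($0, RSTART + length(key) + 1, RLENGTH - length(key) - 1)
            exit
        }'
}

# freq_to_channel GHZ -> 2.4 GHz channel number (1..14), or 0 if not a 2.4 GHz channel
freq_to_channel() {
    awk -v f="$1" 'BEGIN {
        mhz = int(f * 1000 + 0.5)                  # 2.437 -> 2437
        if (mhz == 2484)                 print 14  # channel 14 is the odd one out
        else if (mhz >= 2412 && mhz <= 2472) print (mhz - 2407) / 5
        else                             print 0
    }'
}

# check_monitor OUTPUT IFACE CHANNEL -> 0 if IFACE is in Monitor mode on CHANNEL
check_monitor() {
    mode=$(iw_field "$1" "$2" Mode)
    [ "$mode" = Monitor ] || { echo "$2: mode is '$mode', not Monitor" >&2; return 1; }
    freq=$(iw_field "$1" "$2" Frequency)
    ch=$(freq_to_channel "$freq")
    [ "$ch" = "$3" ] || { echo "$2: on channel $ch, expected $3" >&2; return 1; }
    echo "$2 is in Monitor mode on channel $ch ($freq GHz)"
}

# enable_monitor IFACE CHANNEL: the post's steps, run only when the script gets
# arguments. Needs root and a real card; assumes airmon-ng creates "mon0".
enable_monitor() {
    ifconfig "$1" down
    airmon-ng start "$1" "$2"
    check_monitor "$(iwconfig 2>/dev/null)" mon0 "$2"
}

# Constructed sample: the iwconfig output shown in the post after "airmon-ng start wlan1 6".
SAMPLE_IWCONFIG=$(cat <<'EOF'
mon0      IEEE 802.11bg  Mode:Monitor  Frequency:2.437 GHz  Tx-Power=20 dBm
               Retry  long limit:7   RTS thr:off   Fragment thr:off
               Power Management:on

wlan1     IEEE 802.11bg  ESSID:off/any
               Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
               Retry  long limit:7   RTS thr:off   Fragment thr:off
               Encryption key:off
               Power Management:off
EOF
)

if [ "$#" -ge 2 ]; then
    enable_monitor "$1" "$2"            # e.g. ./monitor.sh wlan1 6
else
    check_monitor "$SAMPLE_IWCONFIG" mon0 6   # dry run against the sample text
fi
```

Run with no arguments to see the check pass on the sample text ("mon0 is in Monitor mode on channel 6 (2.437 GHz)"); run as root with `wlan1 6` to perform the real steps. Newer airmon-ng releases name the monitor interface after the parent (e.g. wlan1mon) instead of mon0, so adjust the name passed to check_monitor if your version differs.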


Happy wireless sniffing!

2 comments:

  1. Sometimes it is difficult to manage airodump-ng output files. I mean, once I generate those CSV and XML files and then start looking into them, for a large amount of data I can't figure it out. So are there any tools or services available for analysis and visualization?
    I have used this website and it is quite good; here I have shared my sample data, have a look, and also share any other sources if anyone knows of them. - http://bit.ly/1Nbfgm6

    Replies:
    1. What I use at work is "EyePA" for analysis from Metageek. It provides superb graphical presentation of captured frames and various filters. It's an MS Windows product though, and requires a license.