[This page originally lived at http://www.natecarlson.com/linux/wireless-sniff.php. I am working on migrating all content over to WordPress, which is why this post exists. Most of the comments on this post are way out of date, but the concepts are similar.]
This document describes how I got 802.11b wireless sniffing working with my Linux box and a Prism2 wireless card.
Last modified: 10/01/01 Nate Carlson
We’ve been playing around with wireless networking at work, and one of the things I’ve been wanting to do is learn how to sniff wireless packets, just to see what I can get. The hard part is that the only wireless cards I have to work with are PrismII and Aironet cards, and the NetStumbler software (for Windows) only supports Orinoco. Of course, since I do the rest of my work in Linux anyway, I wanted to be able to sniff under Linux. So I did some research, and it turns out that everything you need to do the sniffing is indeed available for Linux; it just hasn’t been well documented. So, here’s my attempt to document it! :)
First Step: Compile required PCMCIA packages
First step is to set up the PCMCIA stuff properly. You will need the following:
Standard PCMCIA Card Services package (you probably already have this)
Linux WLAN package (linux-wlan-ng; provides full support for PrismII cards)
Patch to the WLAN drivers to enable monitoring of packets (the same patch you need for AirSnort; this patch is integrated into linux-wlan-ng-0.1.10!)
Prismdump (dumps the packets from the wireless network into a PCAP file)
CVS version of libpcap and tcpdump (the current released versions do not support 802.11b packets; CVS does)
Newest version of Ethereal (not strictly needed, but it lets you break down the packets for viewing)
Download all the above packages, and compile and install according to the included directions (yeah, I might write a cheat sheet here eventually). Make sure that you apply the patch to the linux-wlan package before compiling it (obvious). Note that depending on what kind of PrismII card you have, you may need to modify the PCMCIA configuration to bind the driver to your card.
Second Step: Put the card into monitor mode, and sniff some packets
To put the card into monitor mode (note: this WILL make the network card unusable for normal traffic while it is sniffing!), run the following command, where N is the channel number (1-14):
wlanctl-ng wlan0 lnxreq_wlansniff channel=N enable=true
Generally, you’ll want to sniff on channel 6 (it’s the default, and most people don’t change the default), but you may want to play with other channels, too; the card only hears one channel at a time, so an AP on channel 11 will never show up in a capture taken on channel 6. To stop sniffing, run the same command with enable=false.
Once you have the card in sniffing mode, you can use prismdump to dump some packets out into a pcap-format file. This is really simple; just run:
prismdump > sniff.out
I generally also run AirSnort’s capture with the ‘-c’ flag while I am doing this; that way, I can see how many packets have gone through. This file will grow quickly. Once it starts growing, it means you have some data!
Final Step: Analyze the packets!
Well, now that you have some packets saved to disk, I suppose you want to view them, huh? If all you want is the ESSID, and you don’t care about anything else, you can just dump the packets with tcpdump:
tcpdump -X -x -r sniff.out
Here is a sniff of one of my boxes doing a probe request for APs:
11:38:09.496277 Probe Request (thisisessid) [ 11.0 Mbit]
0x0000 000b 7468 6973 6973 6573 7369 6401 0482   ..thisisessid..
0x0010 040b 16ff ffff ff                         .......
In the above, it’s easy to spot the ESSID: ‘thisisessid’. Not much else that’s very useful in this packet.
Here’s a Beacon packet from my AP at home:
03:33:58.788488 Beacon (abcdefghijkl) [ 11.0 Mbit] ESS CH: 6 , PRIVACY
0x0000 9a81 d49c 7700 0000 5000 1500 000c 6162   ....w...P.....ab
0x0010 6364 6566 6768 696a 6b6c 0104 8284 0b16   cdefghijkl......
0x0020 0301 0605 0400 0200 00ff ffff ff          .............
As you can see, the PRIVACY capability bit is set in this case, meaning WEP is enabled on the AP, the channel is 6, and the ESSID is ‘abcdefghijkl’. Fairly simple.
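If you would rather pull the ESSID, channel and Privacy bit out of those dumps programmatically than read them off the hex by eye, here is a small parser for the body of 802.11 beacon and probe-request frames (the fixed fields followed by the tagged information elements). This is an added example for this page, not code from the original post or from any of the packages listed above; it embeds the two tcpdump hex dumps shown above as sample input, decodes only the frame body (the 802.11 MAC header is not part of what tcpdump printed), and needs nothing beyond the Python standard library.

```python
"""Decode the tcpdump hex dumps of a probe request and a beacon shown above.

Added example, not the original page's code.  Parses the body of 802.11
beacon and probe-request management frames: beacons start with 12 fixed
bytes (timestamp, beacon interval, capability field), probe requests do
not, and both are followed by tagged information elements (IEs).
"""
import struct

# IEEE 802.11 information element IDs that occur in the dumps above.
IE_SSID, IE_RATES, IE_DS_PARAMS, IE_TIM = 0, 1, 3, 5
# Capability bits: infrastructure (ESS) and Privacy (WEP enabled).
CAP_ESS, CAP_PRIVACY = 0x0001, 0x0010
HEX_DIGITS = set("0123456789abcdefABCDEF")

# Sample input: the hex columns of the two tcpdump dumps quoted on this page.
PROBE_REQUEST_DUMP = """
0x0000 000b 7468 6973 6973 6573 7369 6401 0482
0x0010 040b 16ff ffff ff
"""
BEACON_DUMP = """
0x0000 9a81 d49c 7700 0000 5000 1500 000c 6162
0x0010 6364 6566 6768 696a 6b6c 0104 8284 0b16
0x0020 0301 0605 0400 0200 00ff ffff ff
"""


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn tcpdump -x style lines ('0x0010 040b 16ff ...') back into bytes.

    The offset column is dropped and at most eight 16-bit words are read per
    line; the first token that is not hex ends the line, which skips the
    ASCII column that -X appends (if that column happens to be all hex
    digits, feed this function -x output without it).
    """
    out = bytearray()
    for line in dump.strip().splitlines():
        toks = line.split()
        if toks and toks[0].lower().startswith("0x"):
            toks = toks[1:]
        for tok in toks[:8]:
            if len(tok) not in (2, 4) or not set(tok) <= HEX_DIGITS:
                break
            out += bytes.fromhex(tok)
    return bytes(out)


def parse_mgmt_body(body: bytes, subtype: str) -> dict:
    """Decode a beacon (fixed fields + IEs) or probe-request (IEs only) body."""
    info = {"subtype": subtype}
    pos = 0
    if subtype == "beacon":
        if len(body) < 12:
            raise ValueError("beacon body shorter than its 12 fixed bytes")
        timestamp, interval, cap = struct.unpack_from("<QHH", body, 0)
        info.update(timestamp=timestamp, beacon_interval_tu=interval,
                    ess=bool(cap & CAP_ESS), privacy=bool(cap & CAP_PRIVACY))
        pos = 12
    elif subtype != "probe-request":
        raise ValueError("unsupported subtype %r" % subtype)

    # Tagged IEs: one byte element ID, one byte length, then the value.
    while pos + 2 <= len(body):
        eid, elen = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + elen]
        if len(value) < elen:
            break  # would run past the end (the trailing ff ff ff ff above): stop
        if eid == IE_SSID:
            info["ssid"] = value.decode("ascii", errors="replace")
            # A zero-length or all-NUL SSID is a "hidden" (non-broadcast) network.
            info["hidden_ssid"] = elen == 0 or value == b"\x00" * elen
        elif eid == IE_RATES:
            # Bit 7 flags a basic (mandatory) rate; the low 7 bits are 500 kb/s units.
            info["rates_mbps"] = [(b & 0x7F) / 2 for b in value]
            info["basic_rates_mbps"] = [(b & 0x7F) / 2 for b in value if b & 0x80]
        elif eid == IE_DS_PARAMS and elen >= 1:
            info["channel"] = value[0]
        elif eid == IE_TIM and elen >= 2:
            info["dtim_count"], info["dtim_period"] = value[0], value[1]
        pos += 2 + elen
    info["trailer"] = body[pos:].hex()  # bytes not consumed as IEs
    return info


def decode(dump: str, subtype: str) -> dict:
    """Convenience wrapper: hex dump text in, parsed fields out."""
    return parse_mgmt_body(hexdump_to_bytes(dump), subtype)


if __name__ == "__main__":
    print("probe request:", decode(PROBE_REQUEST_DUMP, "probe-request"))
    print("beacon:       ", decode(BEACON_DUMP, "beacon"))
```

Run it and the beacon comes out with ssid ‘abcdefghijkl’, channel 6, privacy True and a beacon interval of 80 time units, matching tcpdump’s summary line; the four ff bytes at the end of each dump do not form a valid element and are reported as the trailer rather than misparsed. One thing worth noticing in the probe request: a client sending a directed probe for ‘thisisessid’ is announcing the name of a network it is configured for, whether or not that AP is anywhere nearby, so probe requests are a good place to learn ESSIDs that an AP has been set not to broadcast.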
For even more information, such as the MAC addresses, you can load these packets into Ethereal by clicking File->Open and loading the file. Note that for encrypted packets, I had to turn off the ‘Enable MAC name resolution’, ‘Enable network name resolution’, and ‘Enable transport name resolution’ options. Once you load up Ethereal, you can analyze these packets just like any other packet, which is beyond what I want to document right now. :)
But, that’s the basics, I may add more details later.
If you have any comments on this document, please feel free to drop me an e-mail at: firstname.lastname@example.org
UPDATE: Sniffing networks on an AiroNet card
If you have an Aironet card, it’s possible to sniff packets if you have a kernel > 2.4.7 and the CVS versions of libpcap and tcpdump. To do this:
# echo 'Mode: rfmon' > /proc/driver/aironet/eth0/Config
# tcpdump -i eth0 -w sniff.out
..and then load the file into Ethereal as usual.