wireless sniffing under linux

by nc on October 1, 2001 · 2 comments

[This page originally lived at http://www.natecarlson.com/linux/wireless-sniff.php. I am working on migrating all content over to WordPress, which is why this post exists. Most of the comments on this post are waaay out of date.. but the concepts are similar.]

This document describes how I got sniffing of 802.11b wireless networks working with my Linux box and a Prism2 wireless card.
Last modified: 10/01/01 Nate Carlson


We’ve been playing around with wireless networking at work, and one of the things I’ve been wanting to do is learn how to sniff networks for wireless packets, just to see what I can get. Hard part is all I have to work with for wireless cards are PrismII and Aironet cards, and the NetStumbler (for Windows) software only supports Orinoco. Of course, since I do the rest of my work in Linux anyways, I wanted to be able to sniff under Linux. So, I did some research, and it turns out that everything you need to do the sniffing is indeed available for Linux; it just hasn’t been well documented. So, here’s my attempt to document it! :)

First Step: Compile required PCMCIA packages

First step is to set up the PCMCIA stuff properly. You will need the following:

Standard PCMCIA Card Services package (you probably already have this)
Linux WLAN Package (provides full support for PrismII cards)
Patch to WLAN drivers to enable monitoring of packets (same patch you need for airsnort; this patch is integrated into linux-wlan-ng-0.1.10!)

Prismdump (dumps the packets from the wireless network into a PCAP file
CVS version of PCAP and TCPDUMP (current versions do not support 802.11b packets; CVS does)
Newest version of Ethereal (not strictly needed, but it lets you break down the packets for viewing

Download all the above packages, and compile and install according to the included directions (yeah, I might write a cheat sheet here eventually.) Make sure that you apply the patch to the linux-wlan package before compiling it (obvious). Note that depending what kind of PrismII card you have, you may need to modify the PCMCIA configuration to bind it to the PrismII card.

Second Step: Put the card into monitor mode, and sniff some packets

To put the card into monitor mode (note: this WILL make the network card unusable for normal traffic!), run the following command:

wlanctl-ng wlan0 lnxreq_wlansniff channel=N enable=true

Generally, you’ll want to sniff on Channel 6 (it’s the default, and most people don’t change the default), but you may want to play with other channels, too. To stop sniffing, run the same thing, except enable=false.

Once you have the card in sniffing mode, you can use prismdump to dump some packets out into a pcap-format file. This is really simple; just run:

prismdump > sniff.out

I generally also run airsnort’s capture with the ‘-c’ flag while I am doing this; that way, I can see how many packets have gone through. This file will grow, quick. Once it starts growing, it means you have some data!

Final Step: Analyze the packets!

Well, now that you have some packets saved to disk, I suppose you want to view them, huh? If all you want is the ESSID, and you don’t care about anything else, you can just dump the packets with tcpdump:

tcpdump -X -x -r sniff.out

Here is a sniff of one of my boxes doing a probe for AP’s:

11:38:09.496277 Probe Request (thisisessid) [ 11.0 Mbit]
0x0000   000b 7468 6973 6973 6573 7369 6401 0482        ..thisisessid..
0x0010   040b 16ff ffff ff                              .......

In the above, it’s easy to spot the essid: ‘thisisessid’. Not much else that’s very useful in this packet.

Here’s a Beacon packet from my AP at home:

03:33:58.788488 Beacon (abcdefghijkl) [ 11.0 Mbit] ESS CH: 6 , PRIVACY
0x0000   9a81 d49c 7700 0000 5000 1500 000c 7465        ....w...P.....ab
0x0010   6368 6e69 6361 6c69 7479 0104 8284 0b16        cdefghijkl......
0x0020   0301 0605 0400 0200 00ff ffff ff               .............

As you can see, Privacy (WEP) is invoked in this case, and the essid is ‘abcdefghijkl’. Fairly simple.

For even more information, such as the mac address, etc, you can load these packets into Ethereal by clicking File->Open, and loading the file. Note that for encrypted packets, I had to turn off the ‘Enable MAC name resolution’, ‘Enable network name resolution’, and ‘Enable transport name resolution’ options. Once you load up Ethereal, you can anaylze these packets just like any other packet — beyond what I want to document right now. :)

But, that’s the basics, I may add more details later.

If you have any comments on this document, please feel free to drop me an e-mail at: natecars@natecarlson.com

UPDATE: Sniffing networks on an AiroNet card

If you have an AiroNet card, it’s possible to sniff packets if you have a kernel > 2.4.7 and the CVS versions of libpcap and tcpdump. To do this:

# echo 'Mode: rfmon' > /proc/driver/aironet/eth0/Config
# tcpdump -i eth0 -w 

..and then load the file into Ethereal as usual.

{ 2 comments… read them below or add one }

Sandy Wardwell February 15, 2011 at 9:23 am

I was wondering if you ever thought of changing the structure of your site? Its very well written; I love what youve got to say. But maybe you could a little more in the way of content so people could connect with it better. Youve got an awful lot of text for only having one or 2 pictures. Maybe you could space it out better?


nc February 15, 2011 at 11:52 am

Hi Sandy!

Thanks for the advice! I’ve thought about trying to break things up a bit, but haven’t had time to work on the site lately.. I will certainly keep that in mind when I do get to updates however!



Leave a Comment

Previous post:

Next post: