Tcpdump: Difference between revisions
From charlesreid1
(→Usage) |
|||
| Line 49: | Line 49: | ||
==Wireless Packet Capture== | ==Wireless Packet Capture== | ||
If you want to capture wireless packets, you need to know a bit more about channels. | If you want to capture wireless packets, you need to know a bit more about a few things. | ||
First is channels. | |||
The 802.11 protocol allocates 12 channels for wireless (in the US), and your wireless card can only listen to one channel at a time. To listen to twelve channels, you need twelve wireless cards - or you need to hop from channel to channel with your single wireless card. | The 802.11 protocol allocates 12 channels for wireless (in the US), and your wireless card can only listen to one channel at a time. To listen to twelve channels, you need twelve wireless cards - or you need to hop from channel to channel with your single wireless card. | ||
If it is critical to capture all traffic, you will want to use multiple wireless cards - if you're hopping from channel 5 to channel 6, and traffic shows up on channel 4, you won't see it. | If it is critical to capture all traffic, you will want to use multiple wireless cards - if you're hopping from channel 5 to channel 6, and traffic shows up on channel 4, you won't see it. | ||
Second is monitor mode. If your wireless card is not in monitor mode, your wireless card will be throwing away any packets that are not intended for itself, meaning you'll only be creating a pcap file of your own traffic. | |||
===Channel-Hopping on Mac=== | |||
===Monitor Mode in Linux=== | |||
Put your card into monitor mode with these steps: | |||
<pre> | |||
iwconfig # list all devices | |||
ifconfig wlan1 down # assuming wlan1 is wireless | |||
iwconfig wlan1 mode monitor # put into monitor mode | |||
ifconfig wlan1 up # bring wlan1 online | |||
</pre> | |||
===Channel-Hopping on Linux=== | |||
Once you've put the card into monitor mode, you can run <code>airodump-ng</code>, which will automatically channel-hop unless you specify a specific channel. | |||
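Review bot: the new ===Channel-Hopping on Mac=== subsection is added as a bare heading with nothing under it, so the rendered page promises Mac instructions it does not give; either add the steps there or leave the heading out until the content exists. The monitor-mode <pre> block could also say that its commands need root, matching the "run tcpdump as sudo" note in the Usage section, since ifconfig down/up and iwconfig mode monitor fail for an unprivileged user.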
Revision as of 03:49, 18 January 2016
Installing
Linux
tcpdump should come with your distro, but if it doesn't, use aptitude or your package manager to install:
apt-get install tcpdump
Once you've done that, you can list your network devices:
iwconfig
Pick out which ones you want to listen to.
Mac
tcpdump comes with Mac. Man page for tcpdump: https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/tcpdump.1.html
List your network devices:
ifconfig
Pick out which ones you want to listen to.
Usage
You will need to run tcpdump with sudo.
Unfiltered Packet Capture
The simplest way to use tcpdump is to do an unfiltered packet capture - no filters on packets, so everything is captured.
To do this, specify which device you want to listen to with the -i flag. Also specify an output file with the -w flag:
tcpdump -i en0 -w output_file.pcap
-w prevents your computer from having a meltdown trying to print every single packet in a busy place.
You can also monitor multiple interfaces by specifying a list: -i en0,en1
Wireless Packet Capture
If you want to capture wireless packets, you need to know a bit more about a few things.
First is channels.
The 802.11 protocol allocates 12 channels for wireless (in the US), and your wireless card can only listen to one channel at a time. To listen to twelve channels, you need twelve wireless cards - or you need to hop from channel to channel with your single wireless card.
If it is critical to capture all traffic, you will want to use multiple wireless cards - if you're hopping from channel 5 to channel 6, and traffic shows up on channel 4, you won't see it.
Second is monitor mode. If your wireless card is not in monitor mode, your wireless card will be throwing away any packets that are not intended for itself, meaning you'll only be creating a pcap file of your own traffic.
Channel-Hopping on Mac
Monitor Mode in Linux
Put your card into monitor mode with these steps:
iwconfig                       # list all devices
ifconfig wlan1 down            # assuming wlan1 is wireless
iwconfig wlan1 mode monitor    # put into monitor mode
ifconfig wlan1 up              # bring wlan1 online
Channel-Hopping on Linux
Once you've put the card into monitor mode, you can run airodump-ng, which will automatically channel-hop unless you specify a specific channel.
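As an added example (not code from this wiki page), the following shell script ties the two procedures above together: the unfiltered capture with -i and -w from the Usage section, and the Linux monitor-mode recipe, with the channel hopping done from the shell instead of by airodump-ng so that tcpdump itself writes the pcap. It assumes the wireless interface is wlan1, that iwconfig and ifconfig are installed, that the file is saved as monitor_capture.sh, and that it runs as root; DRY_RUN=1 prints the commands instead of executing them. The interface, output file, dwell time and channel list are constructed defaults that can be overridden through environment variables.

```shell
#!/bin/sh
# Added example, not from the charlesreid1 wiki: monitor-mode capture on Linux
# with channel hopping driven from the shell, so tcpdump (not airodump-ng)
# writes the pcap.  Assumptions: interface wlan1, iwconfig/ifconfig present,
# run as root, saved as monitor_capture.sh.  DRY_RUN=1 prints commands only.

IFACE="${IFACE:-wlan1}"                          # assumed wireless interface
OUTFILE="${OUTFILE:-output_file.pcap}"           # where -w writes the capture
DWELL="${DWELL:-0.5}"                            # seconds spent on each channel
CHANNELS="${CHANNELS:-1 2 3 4 5 6 7 8 9 10 11}"  # constructed default; adjust to your region
RUN="${DRY_RUN:+echo}"                           # "echo" in dry-run mode, else empty

# Interface names end up as arguments to ifconfig/iwconfig/tcpdump, so accept
# only plain names (letters, digits, '.', '_', '-') and refuse anything else.
valid_iface() {
    case "$1" in
        '' | *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The wiki's monitor-mode recipe: take the card down, switch mode, bring it up.
enter_monitor_mode() {
    iface="$1"
    $RUN ifconfig "$iface" down         || return 1
    $RUN iwconfig "$iface" mode monitor || return 1
    $RUN ifconfig "$iface" up
}

# Visit every channel in the list once, dwelling DWELL seconds on each.  While
# the card is parked on one channel, frames on the others are not seen; that
# is the single-card trade-off the wiki describes.
hop_once() {
    iface="$1"; dwell="$2"; channels="$3"
    for ch in $channels; do
        $RUN iwconfig "$iface" channel "$ch" || return 1
        sleep "$dwell"
    done
}

# tcpdump arguments for an unfiltered capture: -i picks the interface, -w
# writes raw packets to disk instead of printing them, -s 0 keeps whole frames
# rather than a truncated snapshot, -nn skips name lookups so the capture host
# does not generate DNS traffic of its own.
capture_args() {
    printf '%s\n' "-i $1 -w $2 -s 0 -nn"
}

main() {
    valid_iface "$IFACE" || { echo "refusing interface name: $IFACE" >&2; return 2; }
    if [ -z "$RUN" ] && [ "$(id -u)" -ne 0 ]; then
        echo "iwconfig and tcpdump need root; rerun with sudo or DRY_RUN=1" >&2
        return 2
    fi
    enter_monitor_mode "$IFACE" || return 1

    # Keep hopping in the background until tcpdump exits (Ctrl-C), then stop.
    ( while :; do hop_once "$IFACE" "$DWELL" "$CHANNELS" || exit 1; done ) &
    hopper=$!
    trap 'kill "$hopper" 2>/dev/null' EXIT INT TERM

    # Word-splitting the argument string into separate arguments is intended.
    $RUN tcpdump $(capture_args "$IFACE" "$OUTFILE")
}

# Only run when executed as monitor_capture.sh; sourcing it just defines the
# functions (assumed script name).
case "$0" in
    */monitor_capture.sh | monitor_capture.sh) main "$@" ;;
esac
```

Because hopping parks the card on one channel at a time, the caveat from the channels paragraph still applies: whatever is sent on the other channels during each dwell is missed, so for complete coverage use one card per channel and run one tcpdump per card instead of hopping.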