From charlesreid1

This page covers how to use the tcpdump utility for wireless packet capture on Linux machines, and how to deal with channels.


Monitor Mode

You should only put your card into monitor mode if you want to capture all of the 802.11 traffic around you: management and control frames, and data frames from networks you are not associated with. If you are using tcpdump to diagnose your own wireless connection, leave the card in managed mode and capture on it normally.

Putting the card into monitor mode drops any association that card has. It stops acting as a station, so you lose network connectivity through it until you set it back to managed mode.

Steps

Put your card into monitor mode with these steps (the wireless-tools commands; on systems without iwconfig the equivalents are ip link set wlan1 down, iw dev wlan1 set type monitor, and ip link set wlan1 up):

iwconfig # list all interfaces; wireless ones show their current mode
ifconfig wlan1 down # assuming wlan1 is wireless; the mode can only be changed while it is down
iwconfig wlan1 mode monitor # put into monitor mode
ifconfig wlan1 up # bring wlan1 online

Setting the Channel

To set the channel your wireless card is on (regardless of whether you are in monitor mode or not), you can use a few methods.

Single Channel from Shell Script

To set the wireless card to listen on a single channel from the command line, use iwconfig. Specify the interface, then the keyword "channel," then the channel number (the iw equivalent is iw dev wlan1 set channel 3):

$ iwconfig wlan1 channel 3

Now you can control the channel of the wireless card from a shell script.

You can also use iwlist to view the channels each interface supports; when the card is tuned, a Current Frequency line naming the channel follows the list:

root@kali:~# iwlist frequency
wlan0     14 channels in total; available frequencies :
          Channel 01 : 2.412 GHz
          Channel 02 : 2.417 GHz
          Channel 03 : 2.422 GHz
          Channel 04 : 2.427 GHz
          Channel 05 : 2.432 GHz
          Channel 06 : 2.437 GHz
          Channel 07 : 2.442 GHz
          Channel 08 : 2.447 GHz
          Channel 09 : 2.452 GHz
          Channel 10 : 2.457 GHz
          Channel 11 : 2.462 GHz
          Channel 12 : 2.467 GHz
          Channel 13 : 2.472 GHz
          Channel 14 : 2.484 GHz
lo        no frequency information.

eth0      no frequency information.

Scanning Channels

If you want to channel-hop, meaning move from channel to channel and listen for a short while on each one to get a sample of the traffic there, you can either do it from a shell script, which gives you control over the channel list and the dwell time, or let airodump-ng do it.

If you run airodump-ng and pass only the network interface as an argument, it hops across the 2.4 GHz channels that your card and regulatory domain allow (the iwlist output above shows 14 for that card; 11 is typical in the US and 13 in Europe). tcpdump never changes channels itself; it records whatever the card is tuned to at that instant. So if you run tcpdump on the same interface while airodump-ng is hopping, you get the channel changes for free.
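The monitor-mode steps, single-channel pinning and shell-script channel hopping described above, put together in one script. This is an added example, not code from the original page or from charlesreid1.com. It uses the newer ip/iw tools in place of ifconfig/iwconfig, assumes it is run as root, and the interface name (wlan1), channel lists and output file names are hypothetical defaults. Setting DRYRUN=1 prints the commands instead of running them, which is the sensible way to rehearse a procedure that drops a live association.

```shell
#!/bin/sh
# Added example (not from the original page): monitor mode, channel
# pinning and channel hopping with ip/iw, with tcpdump capturing.
# Assumptions: run as root; wlan1, channel lists and file names are
# hypothetical defaults; the regulatory domain allows channels 1-13.

# 2.4 GHz channel number -> centre frequency in MHz. Channels 1-13 sit
# 5 MHz apart starting at 2412 MHz; channel 14 (Japan only) is 2484 MHz.
chan2freq() {
    case "$1" in
        14)           echo 2484 ;;
        [1-9]|1[0-3]) echo $((2407 + 5 * $1)) ;;
        *)            echo "bad channel: $1" >&2; return 1 ;;
    esac
}

# Echo instead of execute when DRYRUN is set, so the procedure can be
# rehearsed before the card loses its association.
run() {
    if [ -n "${DRYRUN:-}" ]; then echo "+ $*"; else "$@"; fi
}

# Down, monitor type, up, then pin one channel. From here on the card is
# no longer a station: any network it was associated with is gone.
monitor_mode() {
    iface=$1; chan=$2
    chan2freq "$chan" >/dev/null || return 1
    run ip link set "$iface" down
    run iw dev "$iface" set type monitor
    run ip link set "$iface" up
    run iw dev "$iface" set channel "$chan"
}

# Put the card back into managed (station) mode when done.
managed_mode() {
    iface=$1
    run ip link set "$iface" down
    run iw dev "$iface" set type managed
    run ip link set "$iface" up
}

# Cycle through the channels given as arguments, dwelling DWELL seconds
# (default 1) on each. Loops until interrupted; a dry run does one pass.
hop_channels() {
    iface=$1; shift
    while :; do
        for chan in "$@"; do
            run iw dev "$iface" set channel "$chan"
            run sleep "${DWELL:-1}"
        done
        if [ -n "${DRYRUN:-}" ]; then break; fi
    done
}

# tcpdump does nothing about channels: it records whatever the card is
# tuned to, so a capture started before hopping sees every channel in
# turn. -s 0 keeps whole frames; -w writes raw pcap for later analysis.
hop_and_capture() {
    iface=$1; out=$2; shift 2
    monitor_mode "$iface" "$1" || return 1
    run tcpdump -i "$iface" -s 0 -w "$out" &
    dumper=$!
    trap 'kill $dumper 2>/dev/null; managed_mode "$iface"; exit 0' INT TERM
    hop_channels "$iface" "$@"
    kill $dumper 2>/dev/null
}

# Usage (the script only acts when given arguments):
#   sudo ./wifichan.sh pin wlan1 6            # pin channel 6 and capture
#   sudo ./wifichan.sh hop wlan1 1 6 11       # hop the non-overlapping set
#   DRYRUN=1 ./wifichan.sh hop wlan1 1 6 11   # print the commands only
if [ $# -gt 0 ]; then
    if [ $# -lt 3 ]; then echo "usage: $0 pin|hop iface channel..." >&2; exit 2; fi
    mode=$1; iface=$2; shift 2
    case "$mode" in
        pin) monitor_mode "$iface" "$1" && run tcpdump -i "$iface" -s 0 -w "ch$1.pcap" ;;
        hop) hop_and_capture "$iface" hop.pcap "$@" ;;
        *)   echo "unknown mode: $mode" >&2; exit 2 ;;
    esac
fi
```

Hopping 1, 6 and 11 covers the three non-overlapping 2.4 GHz channels, which is usually enough to see every access point; widen the list when you are looking for a specific network, and lengthen DWELL if beacons (sent roughly every 100 ms) are being missed on a busy channel.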

Channel Hopping with Python

http://charlesreid1.com/wiki/Scapy/AP_Scanner

#!/usr/bin/env python
# based on airoscapy.py - Wireless AP scanner based on scapy
# Author of airoscapy: iphelix
#
# Usage: run as root, with the interface already in monitor mode:
#   ./ap_scanner.py wlan1
# The listing on the original page stops after the signal handler; the
# beacon handler and sniff() call at the end are added here so it runs.

import random
import signal
import subprocess
import sys
import time
from multiprocessing import Process

from scapy.all import Dot11, Dot11Beacon, Dot11Elt, sniff

# Channel hopper: retune the card to a random 2.4 GHz channel once a
# second. `interface` is set in __main__ before the Process is forked,
# so the child sees it. iw refuses channels the regulatory domain does
# not allow (14 in most countries); that failure is simply ignored.
def channel_hopper():
    while True:
        try:
            channel = random.randrange(1, 15)
            subprocess.call(["iw", "dev", interface, "set", "channel", str(channel)])
            time.sleep(1)
        except KeyboardInterrupt:
            break

# Capture interrupt signal and cleanup before exiting
def signal_handler(signum, frame):
    p.terminate()
    p.join()

    sys.exit(0)

# Report each access point once, keyed on BSSID
seen = set()

def handle_packet(pkt):
    if not pkt.haslayer(Dot11Beacon):
        return
    bssid = pkt[Dot11].addr2
    if bssid in seen:
        return
    seen.add(bssid)
    # The first tagged element of a beacon (element ID 0) is the SSID
    ssid = pkt[Dot11Elt].info.decode("utf-8", "replace")
    print("%s  %s" % (bssid, ssid))

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage %s monitor_interface" % sys.argv[0])
        sys.exit(1)

    interface = sys.argv[1]

    # Start the channel hopper
    p = Process(target=channel_hopper)
    p.start()

    # Capture CTRL-C
    signal.signal(signal.SIGINT, signal_handler)

    # Sniff beacons until interrupted; the hopper keeps retuning the card
    # underneath, so access points on every channel show up over time.
    sniff(iface=interface, prn=handle_packet, store=0)