Wireshark, the network traffic analyzer, now has tools for wireless sniffing that can help administrators collect and analyze traffic for security and troubleshooting in wireless networks.
The chapter Wireless Sniffing with Wireshark, from the book Wireshark & Ethereal Network Protocol Analyzer Toolkit by Angela Orebaugh, Gilbert Ramirez and Jay Beale, explains where to start with wireless network traffic sniffing using Wireshark software. The chapter explores the challenges of sniffing wireless and configuring Linux and Windows for wireless sniffing and analysis.
Challenges of sniffing wireless
The process of wireless traffic sniffing can pose a number of challenges. One of these challenges is selecting a static channel, since wireless networks can operate on multiple wireless channels using different frequencies in the same location.
Another challenge is locating the channel number for specific traffic aimed for capture.
Range is another challenge in wireless traffic sniffing, since the area between the capture station and the transmitter is significant and must be accounted for to provide reliable traffic collection.
Interference and collisions must also be considered when sniffing wireless networks.
Configuring Linux and Windows for wireless sniffing
To begin sniffing wireless with Wireshark and capturing traffic, you must manually configure your wireless card into monitor mode. Most wireless drivers for Linux use the Linux Wireless Extension interface, which provides a consistent configuration interface for manipulating the wireless card. Then, you must start a packet capture; this will allow you to collect information you can later analyze by employing Wireshark's analysis mechanisms.
Windows drivers for wireless cards don't normally include support for monitor mode, but you can overcome this constraint through a combination of software that will allow you to use Windows hosts for wireless traffic analysis with Wireshark.
AirPcap is a commercial product that can help with this. Once you have specified your capture preferences on AirPcap, start Wireshark and initiate a new packet capture. Once you have captured wireless traffic through Linux or Windows, you may begin to extract the information you need and analyze it.
Analyzing wireless traffic sniffing
Wireshark's analysis features are nearly the same regardless of whether you are reading a packet capture from a stored file or from a live interface on a Windows or Linux host. Wireshark has various features for analyzing wireless traffic, including protocol dissectors, strong display filters, customizable display properties, and the ability to decrypt wireless traffic.
When looking at a packet trace of a number of packets, you may blindly click on packets to examine contents or begin applying predefined filters with the hope of identifying something useful. To make packet capture assessment easier, Wireshark allows you to customize packet colors in the Packet List window to simplify the process of troubleshooting a wireless connection issue.
It is also helpful to know if the traffic is originating from a wired or wireless network. To determine this, examine the flags in the frame control header, looking for the From DS bit and the To DS bit sets. From this point, marking interfering traffic and retries, as well as adding informative columns, can also aid in your analysis of packet captures.
These steps are just the beginning of wireless network sniffing with Wireshark. Read the chapter in its entirety to learn about real-world wireless traffic captures, wireless connection failures, wireless network probing, EAP authentication account sharing, DoS attacks, spoofing attacks and malformed traffic analysis.
Read the chapter and learn more about wireless sniffing with Wireshark.
This was first published in June 2012