Wi-Fi Sniffer


Sniffing with Cisco Aironet card

On Linux 2.4.18 or later, put the card into RFMON mode. The commands are:

[root@scoobydoo /root]# echo 'Mode: r' > /proc/driver/aironet/eth1/Config
[root@scoobydoo /root]# echo 'Mode: y' > /proc/driver/aironet/eth1/Config

And:

[root@scoobydoo /root]# /sbin/ifconfig wifi0 up

Then we can have two methods:

The problem with this method is that it does not capture control packets.

It can be seen from the above snapshot that Ethereal shows a 24-byte 802.11 MAC header without the FCS (Frame Check Sequence, a mandatory 32-bit (4-byte) trailer).
Note that there are only three address fields in the 802.11 header, because Address 4 is present only when both the To-DS and From-DS bits are set to 1, which means the frame is sent from one AP to another AP (wireless distribution system).

It is known that the Cisco sniffer does not capture control packets such as RTS, CTS and ACK.
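As an added example (not code from the original page), the following Python parser decodes the header fields described above: the 24-byte three-address header, the Address 4 case when To-DS and From-DS are both set, the shorter RTS/CTS/ACK control headers, and the optional 4-byte FCS trailer. The sample frames are constructed for illustration, not real captures.

```python
import struct

# Frame Control bits: 0-1 version, 2-3 type, 4-7 subtype, 8 To-DS, 9 From-DS
TYPE_NAMES = {0: "mgmt", 1: "ctrl", 2: "data"}
CTRL_SUBTYPES = {0xB: "RTS", 0xC: "CTS", 0xD: "ACK"}


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_80211(frame, has_fcs=False):
    """Decode the 802.11 MAC header; has_fcs=True strips a trailing 4-byte FCS."""
    if has_fcs:
        frame = frame[:-4]
    fc, duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    info = {"type": TYPE_NAMES.get(ftype, "reserved"), "subtype": subtype,
            "to_ds": to_ds, "from_ds": from_ds, "duration": duration}
    if ftype == 1:  # control frames: no sequence field, RA plus (for RTS) TA
        name = CTRL_SUBTYPES.get(subtype, "other")
        info["subtype_name"] = name
        info["ra"] = mac(frame[4:10])
        info["header_len"] = 10  # CTS and ACK carry only RA
        if name == "RTS":
            info["ta"] = mac(frame[10:16])
            info["header_len"] = 16
        return info
    info["addr1"], info["addr2"], info["addr3"] = (
        mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]))
    seq = struct.unpack_from("<H", frame, 22)[0]
    info["seq"], info["frag"] = seq >> 4, seq & 0xF
    info["header_len"] = 24  # the three-address header Ethereal showed
    if to_ds and from_ds:  # WDS (AP to AP): Address 4 follows the sequence field
        info["addr4"] = mac(frame[24:30])
        info["header_len"] = 30
    return info


# Constructed sample frames (made up for this example, not real captures)
A1, A2 = b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb"
A3, A4 = b"\xcc\xdd\xee\xff\x00\x11", b"\xdd" * 6
DATA_TO_DS = b"\x08\x01\x2c\x00" + A1 + A2 + A3 + b"\x50\x00" + b"payload"
DATA_WDS = b"\x08\x03\x00\x00" + A1 + A2 + A3 + b"\x10\x00" + A4 + b"payload"
ACK = b"\xd4\x00\x00\x00" + A2
RTS = b"\xb4\x00\xa0\x00" + A1 + A2

if __name__ == "__main__":
    for f in (DATA_TO_DS, DATA_WDS, ACK, RTS):
        print(parse_80211(f))
```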

To make it go back to normal:

[root@scoobydoo /root]# echo 'Mode: i' > /proc/driver/aironet/eth1/Config
[root@scoobydoo /root]# ifconfig wifi0 down



Sniffing with a LinkSys or Netgear card that supports the hostap driver

Steps to sniff 802.11 frames:

Step 1: Put the card in monitor mode. The scripts to do this are in the
libmac/sample/ directory. They are called rfmon_*.sh and rfunmon_*.sh.
rfmon_eth.sh is for airo cards or wireless interfaces that are called
eth1, eth2, etc. rfmon_wlan.sh is for Prism cards (hostap driver).

For Prism cards, you can simply execute the following commands:
1) iwconfig wlan0 mode monitor
2) ifconfig wlan0 promisc up
3) To monitor one channel (such as channel 11), use iwconfig wlan0 channel 11


To bring them back to normal mode:
1) iwconfig wlan0 mode managed/ad-hoc
2) ifconfig wlan0 -promisc up


Step 2: Run Ethereal on the interface, or capture with "tcpdump -i wlan0 -w wzb4" and open the file in Ethereal. Decoding 802.11 frames requires a recent version of tcpdump; the one shipped with Red Hat 9.0 is OK.



From above, we can see the RTS, CTS and ACK messages (after issuing the "iwconfig eth1 rts 0" command).
It can be seen that a frame from a remote network cannot be decoded correctly and is shown as a "Malformed Frame"; however, its corresponding ACK has been sniffed correctly by this card.

It was found that the command "iwconfig eth1 rts off" does not really shut off RTS/CTS transmissions on the Cisco Aironet PCMCIA card.

After several transmissions without ACK, the RTS/CTS appeared.

Measuring Traffic on the Wireless Medium: Experience and Pitfalls