http://www.candelatech.com | [email protected] | +1 360 380 1618 [PST, GMT-8]
Using Wireshark to Sniff WiFi Monitors

Goal: Sniff wireless traffic from a LANforge radio using Wireshark and a WiFi Monitor port.

The best way to sniff wireless packets via Wireshark in LANforge is from a monitor port that is on its own radio (no other AP, STAs, etc.). This example will walk through the monitor port creation, sniffing the monitor port, as well as Wireshark filter recommendations.

This example uses a LANforge CT523 system but the procedure should work on a CT524, CT525, or similar system.
1. Create a monitor port.
   A. In the Port Mgr tab, select a wiphy device that you wish to sniff with (this example will use wiphy1, an ath10k radio).
   D. Back in the Port Mgr tab, with the wiphy device still selected, click Create.
      A. Select the WiFi Monitor option at the top.
      B. Set the Quantity to 1.
      C. Set the STA ID to 0.
      D. Click Apply and close the Create Port window.
   E. In the Port Mgr tab again, modify moni0.
      A. You can disable HT40 and HT80 here if needed.
      B. Click OK to close the window.
2. For this current setup, traffic will be generated with a layer 3 UDP connection between two stations. For more information see Generating Traffic for WLAN Testing.
3. Use Wireshark to sniff moni0.
   A. If you are running the LANforge GUI from a Windows machine without an X server installed, you will need to connect remotely to the LANforge system via rdesktop or vnc.
      A. To connect via rdesktop, type the following command into a console (replace LANforge-IP with the IP of your LANforge system):
            rdesktop LANforge-IP
         I. The login info is username/password lanforge/lanforge
      B. To connect via vnc, type the following command into a console (replace LANforge-IP with the IP of your LANforge system. Don't forget to add the ':1' after the IP):
            vncviewer [LANforge-IP]:1
         The password is lanforge.
      C. Once you have accessed the LANforge system via rdesktop or vnc, open the LANforge GUI with the desktop icon shown below.
   B. Select moni0 in the Port Mgr tab.
   C. Click the Sniff Packets button. Wireshark will now open and automatically start scanning for packets. If you get a window that warns about running as user root, click OK.
      A. To use a filter, simply add the filter constraints to the filter text box as seen below and click Apply to the right. The below screenshot has Wireshark filtering on a specific IP.
      B. If you'd like to only see traffic to/from a single AP, use the filter wlan.addr == [bssid]
   D. There are many filters that can be used in Wireshark. Some handy ones include:
         IP:                    ip.addr == x.x.x.x
         wlan MAC:              wlan.addr == xx:xx:xx:xx:xx:xx
         Association request:   wlan.fc.type_subtype eq 0
         Association response:  wlan.fc.type_subtype eq 1
         Probe request:         wlan.fc.type_subtype eq 4
         Probe response:        wlan.fc.type_subtype eq 5
         Beacon:                wlan.fc.type_subtype eq 8
         Authentication:        wlan.fc.type_subtype eq 11
         Deauthentication:      wlan.fc.type_subtype eq 12
   E. Filters can be combined to specify if packets should match all filters (with &&) or any filters (with ||). For example, if you wanted to view packets that only contain both IPs 1.1.1.1 and 2.2.2.2, you could use the following:
            ip.addr == 1.1.1.1 && ip.addr == 2.2.2.2
      Or, if you want to see all packets containing 1.1.1.1 and all packets containing 2.2.2.2, you could use the following:
            ip.addr == 1.1.1.1 || ip.addr == 2.2.2.2
   F. You can visit https://wiki.wireshark.org/DisplayFilters for more tips on filters. A handy 'cheat sheet' with most filters can be found here.
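To make concrete what the wlan.addr and wlan.fc.type_subtype filters in steps 3.C through 3.E actually match, here is an added Python example (not LANforge or Wireshark code) that decodes the frame control and address fields of an 802.11 MAC header the way Wireshark dissects them, then evaluates equivalents of the filters above, including && and || combinations, over a small constructed set of management frames. The MAC addresses, the frame sequence and the function names are made up for this example. Wireshark reports wlan.fc.type_subtype as (type << 4) | subtype, which is why the management-frame values listed above (type 0) are simply the subtype numbers; the deauth_sources helper shows the defender's use of the deauthentication filter, counting such frames per transmitter in a monitor capture.

```python
"""Decode 802.11 MAC headers and evaluate the display filters quoted in the text
(wlan.addr == ..., wlan.fc.type_subtype eq N, && / ||) over constructed frames.
Added example; not LANforge or Wireshark code."""
import struct
from collections import Counter

# Management-frame subtypes named in the text. Wireshark's wlan.fc.type_subtype
# is (type << 4) | subtype; management frames have type 0, so the value equals
# the subtype.
TYPE_SUBTYPE_NAMES = {
    0: "Association request", 1: "Association response",
    4: "Probe request", 5: "Probe response",
    8: "Beacon", 11: "Authentication", 12: "Deauthentication",
}
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype: int, da: str, sa: str, bssid: str) -> bytes:
    """Construct a 24-byte 802.11 management header (no body, no FCS).
    Only used to fabricate sample input for this example."""
    fc = (subtype << 4) | (0 << 2) | 0           # subtype, type 0 (mgmt), version 0
    header = struct.pack("<BBH", fc, 0x00, 0)   # frame control, flags, duration
    header += _mac_to_bytes(da) + _mac_to_bytes(sa) + _mac_to_bytes(bssid)
    header += struct.pack("<H", 0)              # sequence control
    return header


def parse_80211_header(frame: bytes) -> dict:
    """Return the header fields that the text's filters operate on."""
    if len(frame) < 24:
        raise ValueError("need at least 24 bytes for a 3-address 802.11 header")
    fc, flags = frame[0], frame[1]
    ftype, subtype = (fc >> 2) & 0x03, (fc >> 4) & 0x0F
    return {
        "type": ftype,
        "subtype": subtype,
        "type_subtype": (ftype << 4) | subtype,  # the encoding Wireshark displays
        "to_ds": bool(flags & 0x01),
        "from_ds": bool(flags & 0x02),
        "addr1": _bytes_to_mac(frame[4:10]),     # receiver / destination
        "addr2": _bytes_to_mac(frame[10:16]),    # transmitter / source
        "addr3": _bytes_to_mac(frame[16:22]),    # BSSID for management frames
    }


# Equivalents of the display filters quoted in the text.
def wlan_addr_eq(f: dict, mac: str) -> bool:
    """wlan.addr == mac: true if mac appears in any address field of the frame."""
    return mac.lower() in (f["addr1"], f["addr2"], f["addr3"])


def type_subtype_eq(f: dict, value: int) -> bool:
    """wlan.fc.type_subtype eq value"""
    return f["type_subtype"] == value


def apply_filter(frames, predicate):
    """Parse every frame and keep those for which predicate(fields) is true."""
    return [f for f in map(parse_80211_header, frames) if predicate(f)]


def deauth_sources(frames) -> Counter:
    """Count deauthentication frames per transmitter address; a burst from one
    address is what a defender looks for in a monitor-port capture."""
    return Counter(f["addr2"] for f in apply_filter(frames, lambda f: type_subtype_eq(f, 12)))


# Constructed sample capture: one AP, one station, plus a second AP's beacon.
AP1, AP2, STA1 = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "de:ad:be:ef:00:01"
SAMPLE_FRAMES = [
    build_mgmt_frame(8, BROADCAST, AP1, AP1),          # beacon from AP1
    build_mgmt_frame(4, BROADCAST, STA1, BROADCAST),   # probe request, wildcard BSSID
    build_mgmt_frame(5, STA1, AP1, AP1),               # probe response
    build_mgmt_frame(11, AP1, STA1, AP1),              # authentication
    build_mgmt_frame(0, AP1, STA1, AP1),               # association request
    build_mgmt_frame(1, STA1, AP1, AP1),               # association response
    build_mgmt_frame(8, BROADCAST, AP2, AP2),          # beacon from AP2
    build_mgmt_frame(12, STA1, AP1, AP1),              # deauthentication
]

if __name__ == "__main__":
    # wlan.addr == AP1
    print(len(apply_filter(SAMPLE_FRAMES, lambda f: wlan_addr_eq(f, AP1))), "frames involve AP1")
    # wlan.fc.type_subtype eq 8 && wlan.addr == AP1
    beacons = apply_filter(SAMPLE_FRAMES, lambda f: type_subtype_eq(f, 8) and wlan_addr_eq(f, AP1))
    print(len(beacons), "beacon(s) from AP1")
    # wlan.addr == AP2 || wlan.fc.type_subtype eq 12
    either = apply_filter(SAMPLE_FRAMES, lambda f: wlan_addr_eq(f, AP2) or type_subtype_eq(f, 12))
    print(len(either), "frames match the || filter")
    for f in map(parse_80211_header, SAMPLE_FRAMES):
        print(f"{TYPE_SUBTYPE_NAMES.get(f['type_subtype'], '?'):22} {f['addr2']} -> {f['addr1']}")
    print(deauth_sources(SAMPLE_FRAMES))
```

Note that wlan.addr matches a MAC in any of the address fields, so a filter on an AP's BSSID catches frames the AP sends, frames sent to it, and frames that only carry it as addr3; the probe request above, which uses the wildcard BSSID, is the one AP1-related exchange the wlan.addr == AP1 filter does not return.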
Candela Technologies, Inc., 2417 Main Street, Suite 201, Ferndale, WA 98248, USA www.candelatech.com | [email protected] | +1.360.380.1618