Monday, June 22, 2015

Using Wireshark for Wireless Capture

  • Precautions before Starting Wireless Capture
    • Identify the channel first. A monitor-mode adapter captures one channel at a time, so hop channels to find the one the target AP or client is on, then lock the sniffer to that channel; frames on any other channel will not appear in the capture.
    • Avoid keeping the sniffer too close to the transmitter. Keep at least 3 feet, otherwise the receiver is over-driven and frames arrive corrupted (FCS errors).
    • No guarantee that 100 percent of the traffic will be captured (other channels, rates the card cannot decode, collisions, corrupted frames).
    • Disable any nearby transmitter in the same band (mainly Bluetooth on 2.4 GHz).
    • Reduce CPU utilization before starting the capture so the capture process does not drop frames.
    • Configure the wireless card in monitor mode (on Linux typically with airmon-ng or iw). Wireshark does not do this automatically; without monitor mode you only see your own traffic, and as Ethernet frames rather than 802.11 frames.
  • AirPcap Requirement for Windows
    • Standard Windows wireless drivers cannot be put into monitor mode through WinPcap, so an AirPcap adapter (which ships its own driver and passes radiotap/PPI-tagged 802.11 frames to Wireshark) is needed. This is as of 2015; Npcap later added optional raw 802.11 / monitor-mode support for some adapters.
  • Adding New Columns (Edit -> Preferences -> Columns)
    • RSSI (IEEE 802.11 RSSI)
    • Tx Rate (IEEE 802.11 TX rate)
    • Channel/Freq (Frequency / Channel)
    • These predefined column types come from the radiotap/PPI header. In Wireshark 2.x and later the same values are available as custom columns from radiotap.dbm_antsignal / wlan_radio.signal_dbm, wlan_radio.data_rate and radiotap.channel.freq / wlan_radio.channel.
  • Building Graphs (Statistics -> I/O Graphs)
    • I/O Graph: RSSI and Tx Rate can be plotted by setting the Y axis to an aggregate (e.g. AVG) of the corresponding field, combined with a display filter for a single BSSID or client so the curve is not an average over every station in range.
  • Coloring Elements (View -> Coloring Rules)
  • Filters to remember
    • wlan_mgt.ssid (NOTE: mgt not mgmt; in Wireshark 2.4 and later the wlan_mgt.* fields were merged into wlan.*, so this becomes wlan.ssid)
    • wlan.addr (matches wlan.sa, wlan.da, wlan.bssid; any address field in the frame)
    • wlan.sa
    • wlan.da
    • wlan.bssid
    • wlan.fc.type
    • wlan.fc.subtype
    • wlan.fc.type_subtype
    • wlan.sa contains 80:6c:1b (matches the byte sequence anywhere in the address, not only the OUI)
    • wlan.sa[0-2] == 80:6c:1b (slice of bytes 0 through 2 inclusive, i.e. the vendor OUI; wlan.sa[0:3] with offset:length syntax is equivalent)
  • Use Cases:
    • Finding hidden SSIDs
      • Find the BSSID using the filter wlan_mgt.ssid == "" on beacons (wlan.fc.type_subtype == 0x08). A hidden network still beacons, but with an empty SSID element.
      • Then filter on that BSSID for frames that carry the SSID in clear: probe responses (wlan.fc.type_subtype == 0x05) and association requests (0x00), e.g. wlan.bssid == <bssid> && wlan_mgt.ssid != "". Client probe requests only help if they are directed at that BSSID; broadcast probes carry a wildcard (empty) SSID.
    • Rogue AP Detection: list the BSSIDs beaconing your SSID (wlan_mgt.ssid == "Corp" && wlan.fc.type_subtype == 0x08) and compare them against the authorized list. A copy of the SSID with open security (no Privacy bit, wlan_mgt.fixed.capabilities.privacy == 0, and no RSN element) or with an unexpected vendor OUI in the BSSID is suspect.
    • Capturing all APs under a given SSID: wlan_mgt.ssid == "Corp" && wlan.fc.type_subtype == 0x08
    • Capturing all packets tx/rx from/to a particular client: wlan.addr == <client MAC>
    • Capturing all packets under a given BSSID: wlan.bssid == <bssid>
    • Decryption of packets: Edit -> Preferences -> Protocols -> IEEE 802.11 -> Enable decryption, then add keys as wep:<hex key> or wpa-pwd:<passphrase>:<ssid>. For WPA/WPA2 the capture must contain the client's EAPOL 4-way handshake, otherwise Wireshark cannot derive the pairwise key and that client's data stays encrypted.
  • Values for Type & Sub-type Fields (wlan.fc.type_subtype = type << 4 | subtype, shown in hex)
    • wlan.fc.type: 0 = Management, 1 = Control, 2 = Data
    • Management (type 0): 0x00 Association Request, 0x01 Association Response, 0x02 Reassociation Request, 0x03 Reassociation Response, 0x04 Probe Request, 0x05 Probe Response, 0x08 Beacon, 0x0a Disassociation, 0x0b Authentication, 0x0c Deauthentication, 0x0d Action
    • Control (type 1): 0x1b RTS, 0x1c CTS, 0x1d ACK
    • Data (type 2): 0x20 Data, 0x24 Null function (no data), 0x28 QoS Data
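The use cases above (hidden-SSID discovery, rogue-AP detection, OUI matching on a slice of the address) carried out in code, as an added example that is not part of the original post. It is a stdlib-only parser for radiotap-encapsulated 802.11 management frames; the frames it runs on are constructed inline to stand in for a monitor-mode capture (no FCS), and the corporate SSID, BSSIDs and authorized list are assumptions for the demonstration. Dictionary keys reuse Wireshark's field names where one exists (wlan.ssid is the post's wlan_mgt.ssid in Wireshark 2.4 and later).

```python
"""Hidden-SSID and rogue-AP triage over raw 802.11 management frames.
Added example: stdlib-only dissector applying the post's use cases to
constructed sample frames (radiotap + 802.11, no FCS)."""
import struct

# wlan.fc.type_subtype values (type << 4 | subtype) used below
ASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON = 0x00, 0x04, 0x05, 0x08
TAG_SSID, TAG_RSN = 0, 48        # element IDs in the tagged-parameter list
CAP_PRIVACY = 0x0010             # capability bit "Privacy" (WEP/WPA/WPA2 in use)
# per subtype: (length of fixed parameters, offset of capability field within them)
FIXED = {BEACON: (12, 10), PROBE_RESP: (12, 10), ASSOC_REQ: (4, 0), PROBE_REQ: (0, None)}


def _mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def _mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_frame(type_subtype, da, sa, bssid, ssid=None, privacy=False, rsn=False):
    """Construct radiotap + 802.11 management frame (sample input only)."""
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)            # version, pad, len, present
    fc0 = ((type_subtype & 0xF) << 4) | ((type_subtype >> 4) << 2)
    hdr = (struct.pack("<BBH", fc0, 0, 0)                  # frame control, flags, duration
           + _mac_bytes(da) + _mac_bytes(sa) + _mac_bytes(bssid) + b"\x00\x00")
    cap = CAP_PRIVACY if privacy else 0
    if type_subtype in (BEACON, PROBE_RESP):
        fixed = struct.pack("<QHH", 0, 100, cap)           # timestamp, interval, capability
    elif type_subtype == ASSOC_REQ:
        fixed = struct.pack("<HH", cap, 10)                # capability, listen interval
    else:
        fixed = b""
    tags = b""
    if ssid is not None:
        s = ssid.encode()
        tags += bytes([TAG_SSID, len(s)]) + s
    if rsn:
        tags += bytes([TAG_RSN, 2]) + b"\x01\x00"          # minimal RSN IE (version only)
    return radiotap + hdr + fixed + tags


def parse_frame(buf):
    """Dissect one frame into the fields the post's display filters use."""
    _ver, _pad, rt_len = struct.unpack_from("<BBH", buf, 0)
    f = buf[rt_len:]
    fc0 = f[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    rec = {"wlan.fc.type": ftype, "wlan.fc.subtype": subtype,
           "wlan.fc.type_subtype": (ftype << 4) | subtype,
           "wlan.da": _mac_str(f[4:10]), "wlan.sa": _mac_str(f[10:16]),
           "wlan.bssid": _mac_str(f[16:22])}
    fixed_len, cap_off = FIXED.get(rec["wlan.fc.type_subtype"], (None, None))
    if ftype != 0 or fixed_len is None:    # only these management subtypes carry an SSID
        return rec
    if cap_off is not None:
        cap = struct.unpack_from("<H", f, 24 + cap_off)[0]
        rec["wlan.fixed.capabilities.privacy"] = bool(cap & CAP_PRIVACY)
    pos = 24 + fixed_len
    while pos + 2 <= len(f):
        tag, ln = f[pos], f[pos + 1]
        if pos + 2 + ln > len(f):          # truncated element: stop, keep what we have
            break
        val = f[pos + 2:pos + 2 + ln]
        if tag == TAG_SSID:
            # hidden networks beacon a zero-length or all-NUL SSID -> wlan.ssid == ""
            rec["wlan.ssid"] = "" if not val.strip(b"\x00") else val.decode("utf-8", "replace")
        elif tag == TAG_RSN:
            rec["rsn_present"] = True      # Wireshark: wlan.tag.number == 48
        pos += 2 + ln
    return rec


def find_hidden_ssids(frames):
    """Use case 'Finding hidden SSIDs': BSSIDs beaconing wlan.ssid == "", then
    the real name from probe responses / association requests for that BSSID."""
    recs = [parse_frame(b) for b in frames]
    hidden = {r["wlan.bssid"] for r in recs
              if r["wlan.fc.type_subtype"] == BEACON and r.get("wlan.ssid") == ""}
    names = {r["wlan.bssid"]: r["wlan.ssid"] for r in recs
             if r["wlan.bssid"] in hidden and r.get("wlan.ssid")
             and r["wlan.fc.type_subtype"] in (PROBE_RESP, ASSOC_REQ)}
    return {b: names.get(b) for b in hidden}   # None = not revealed yet


def find_rogue_aps(frames, ssid, authorized_bssids, vendor_oui=None):
    """Use case 'Rogue AP detection': beacons for our SSID from an unlisted BSSID,
    without Privacy/RSN (open), or whose wlan.bssid[0-2] is not the vendor OUI."""
    auth = {a.lower() for a in authorized_bssids}
    rogues = {}
    for r in map(parse_frame, frames):
        if r["wlan.fc.type_subtype"] != BEACON or r.get("wlan.ssid") != ssid:
            continue
        reasons = []
        if r["wlan.bssid"] not in auth:
            reasons.append("unknown BSSID")
        if not (r.get("wlan.fixed.capabilities.privacy") and r.get("rsn_present")):
            reasons.append("open / no RSN")
        if vendor_oui and not r["wlan.bssid"].startswith(vendor_oui.lower()):
            reasons.append("unexpected OUI")
        if reasons:
            rogues[r["wlan.bssid"]] = reasons
    return rogues


CORP_OUI = "80:6c:1b"            # the OUI from the post's slice-filter example (assumed vendor)
SAMPLE_FRAMES = [                # constructed sample capture, not real traffic
    build_frame(BEACON, "ff:ff:ff:ff:ff:ff", "80:6c:1b:00:00:01", "80:6c:1b:00:00:01",
                ssid="", privacy=True, rsn=True),                      # hidden SSID
    build_frame(PROBE_RESP, "00:11:22:33:44:55", "80:6c:1b:00:00:01", "80:6c:1b:00:00:01",
                ssid="corp-hidden", privacy=True, rsn=True),           # reveals it
    build_frame(BEACON, "ff:ff:ff:ff:ff:ff", "80:6c:1b:00:00:02", "80:6c:1b:00:00:02",
                ssid="corp-wifi", privacy=True, rsn=True),             # legitimate AP
    build_frame(BEACON, "ff:ff:ff:ff:ff:ff", "de:ad:be:ef:00:01", "de:ad:be:ef:00:01",
                ssid="corp-wifi"),                                     # open, wrong OUI
    build_frame(PROBE_REQ, "ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff",
                ssid=""),                                              # wildcard probe
]

if __name__ == "__main__":
    print("hidden:", find_hidden_ssids(SAMPLE_FRAMES))
    print("rogue:", find_rogue_aps(SAMPLE_FRAMES, "corp-wifi", ["80:6c:1b:00:00:02"], CORP_OUI))
```

The wildcard probe request carries an empty SSID too, which is why the hidden-SSID check keys on beacons only; the same distinction matters in Wireshark, where wlan_mgt.ssid == "" alone also matches every broadcast probe from every client in range.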
