Using a Live Linux distro to get a wireless packet capture

Damon Garner
Cisco Employee

There are articles describing how to get wireless packet captures with Microsoft Network Monitor 3.4 on Windows and with Mac OS. While both methods work, not everyone has access to a Mac, and NetMon 3.4 captures are not easy to read and do not contain all of the 802.11 header information. Opening a NetMon capture in Wireshark can sometimes produce erroneous results.

In this article I will describe how to use Linux to grab a wireless sniff. Don't worry if you do not have Linux installed: you can boot a live DVD/USB disk to grab the capture (you just need a second USB disk to save the capture to).

Equipment needed:

1. Laptop with a built-in wireless network adapter or a USB wireless adapter

2. 4GB or larger USB flash drive (aka thumb drive) for the live boot disk

3. Second USB thumb drive to save the capture to

The first step is to download your favorite Linux distro. I am using Linux Mint Debian Edition, but the commands are the same for all Linux distros (the commands are different if you are using a BSD distro).

Second, use a program to either burn the ISO to DVD or create a bootable USB disk. I will be using UNetbootin.

Open UNetbootin and browse to the ISO you downloaded. Then select the USB drive in the Drive drop-down box and press OK. It will take a few minutes to create the boot disk. After it has finished creating the live boot disk, reboot the laptop and let it boot from USB; you may need to configure your laptop to boot from USB.

Once the laptop is booted up, the live boot disk will automatically log in and you should be looking at the Linux desktop.

Next, we need to open a terminal window. This will vary by distro, but in my example press Alt+F2 to bring up the "Run Application" dialog, type mate-terminal and hit Enter or press Run.

This will bring up the Linux terminal.

In the terminal, we will issue the following commands:

NOTE: the interface name could be different depending on the flavor of Linux.

mint@mint ~ $ sudo ifconfig   -- this will tell us the name of the wireless interface

eth0      SNIP   -- Ethernet adapter

lo        SNIP   -- loopback

wlan0     SNIP   -- wireless adapter

mint@mint ~ $ sudo ifconfig wlan0 down   -- bring the interface down

mint@mint ~ $ sudo iwconfig wlan0 mode monitor   -- set interface to monitor mode (note: iwconfig, not ifconfig; ifconfig has no mode option)

mint@mint ~ $ sudo iwconfig wlan0 freq    -- the frequencies the adapter supports:

2.412G  2.432G  2.452G  2.472G  5.26G   5.3G    5.58G   5.66G

2.417G  2.437G  2.457G  5.18G   5.28G   5.52G   5.5G    5.68G

2.422G  2.442G  2.462G  5.22G   5.2G    5.54G   5.62G   5.6G

2.427G  2.447G  2.467G  5.24G   5.32G   5.56G   5.64G   5.7G

mint@mint ~ $ sudo iwconfig wlan0 channel    -- the channels the adapter supports:

01   04   07   10   108  116  124  132  36   48   60

02   05   08   100  11   12   128  136  40   52   64

03   06   09   104  112  120  13   140  44   56

mint@mint ~ $ sudo iwconfig wlan0 channel 44   -- set the channel; you can use the frequency instead

Error for wireless request "Set Frequency" (8B04) :

    SET failed on device wlan0 ; Device or resource busy.   -- this error can safely be ignored

mint@mint ~ $ sudo ifconfig wlan0 up   -- bring the interface back up

mint@mint ~ $ sudo tcpdump -i wlan0 -w capture44.pcap   -- start the capture

tcpdump: WARNING: wlan0: no IPv4 address assigned

tcpdump: listening on wlan0, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 65535 bytes

^C   -- Ctrl+C to stop the capture

3496 packets captured

3496 packets received by filter

0 packets dropped by kernel

24 packets dropped by interface   -- capture stats

mint@mint ~ $

The capture is "saved" to the live user's home directory, which only exists in memory, so we need to copy it to the second USB drive to keep it permanently. Once the capture is saved, reboot to go back to Windows. Log in to Windows, plug in the USB drive that the capture file was saved to, and open the capture in Wireshark to analyze it.
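The sequence above, wrapped in a bash script as an added example (this is not code from the original article). It converts a channel number to the frequency shown in the two lists above, so the channel and freq forms of the iwconfig command agree; after bringing the adapter back up it checks that the driver really reports Mode:Monitor, which is the confirmation you want when the "Device or resource busy" message appears; and it copies the finished pcap to the USB stick. Assumptions: the interface is wlan0 as in the article, the stick is mounted at the placeholder path /media/usb, the script file name wifi-capture.sh is hypothetical, and DRY_RUN=1 only prints the commands instead of running them with sudo.

```shell
#!/bin/bash
# Added example, not code from the original article. Wraps the article's
# ifconfig/iwconfig/tcpdump sequence in functions that check each step.
# Assumptions: interface wlan0 as in the article, USB stick mounted at the
# placeholder path /media/usb, and DRY_RUN=1 only echoes the commands.
set -u

# 802.11 channel number -> centre frequency in MHz. This is the relation
# between the two lists the adapter reports (e.g. channel 44 is 5.22G):
# 2.4 GHz band: 2407 + 5*ch for channels 1-13, channel 14 is 2484 MHz;
# 5 GHz band: 5000 + 5*ch for channels 36 and up.
channel_to_mhz() {
    local ch=$1
    if [ "$ch" -ge 1 ] && [ "$ch" -le 13 ]; then
        echo $((2407 + 5 * ch))
    elif [ "$ch" -eq 14 ]; then
        echo 2484
    elif [ "$ch" -ge 36 ] && [ "$ch" -le 165 ]; then
        echo $((5000 + 5 * ch))
    else
        return 1
    fi
}

# Run a privileged command, or only print it when DRY_RUN=1 so the whole
# sequence can be reviewed on a machine with no wireless adapter.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "+ $*"
    else
        sudo "$@"
    fi
}

# Put the adapter into monitor mode on one channel. Outside DRY_RUN it fails
# unless the driver reports Mode:Monitor afterwards, so a "Device or resource
# busy" that did not in fact stick is caught before the capture starts.
monitor_mode() {
    local iface=$1 ch=$2
    channel_to_mhz "$ch" >/dev/null 2>&1 || { echo "unknown channel: $ch" >&2; return 1; }
    run ifconfig "$iface" down
    run iwconfig "$iface" mode monitor    # iwconfig, not ifconfig, sets the mode
    run iwconfig "$iface" channel "$ch"
    run ifconfig "$iface" up
    if [ "${DRY_RUN:-0}" != "1" ]; then
        iwconfig "$iface" 2>/dev/null | grep -q 'Mode:Monitor' || return 1
    fi
}

# Name the pcap after the channel, as the article does (capture44.pcap).
pcap_name() {
    echo "capture$1.pcap"
}

# Start the capture. -U writes each frame to the file as it arrives,
# so nothing buffered is lost when Ctrl+C stops tcpdump.
capture() {
    local iface=$1 ch=$2
    run tcpdump -i "$iface" -U -w "$(pcap_name "$ch")"
}

# The live user's home directory lives in RAM and is gone after the reboot,
# so copy the file to the mounted stick and sync before pulling it out.
save_capture() {
    local file=$1 dest=${2:-/media/usb}
    [ -d "$dest" ] || { echo "$dest is not mounted" >&2; return 1; }
    run cp "$file" "$dest/" && run sync
}

# Usage:  DRY_RUN=1 ./wifi-capture.sh 44       (review the commands)
#         ./wifi-capture.sh 44 /media/usb      (capture channel 44, then copy)
if [ $# -gt 0 ]; then
    monitor_mode wlan0 "$1" || exit 1
    capture wlan0 "$1"
    save_capture "$(pcap_name "$1")" "${2:-/media/usb}"
fi
```

Run it once with DRY_RUN=1 to see the exact commands before touching the adapter; the monitor-mode check is the part worth keeping even if you type the commands by hand, since an adapter that silently stayed in managed mode produces a capture with no 802.11 management frames in it.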


Thanks for taking the time to read my post.

Ray
3 Comments
Damon Garner
Cisco Employee

http://www.tcpdump.org/manpages/tcpdump.1.html

http://www.danielmiessler.com/study/tcpdump/

A couple of links that explain the available options and filters when using tcpdump.

Ray

luisrher
Cisco Employee

Ray, thanks for the article. I tried the live USB stick and did some captures, and it worked perfectly.

Jaime Gonzalez Gomez
Cisco Employee

Hello Ray,

Thanks for the document, it is really useful to have for troubleshooting purposes.

On the line where we start the tcpdump, shouldn't the command be "tcpdump" instead of "can"? I get an error when using "can". Could it be different depending on the Linux version used?

mint@mint ~ $ sudo tcpdump -i wlan0 -w capture44.pcap    --start the capture

Jaime,
