Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
9871
Views
15
Helpful
3
Comments

Sniffing Wireless traffic

Nicolas Darchis
Cisco Employee
Cisco Employee

‎10-25-2010 04:49 AM - edited ‎11-18-2020 02:51 AM

 

 

Introduction

 

 

Sniffing Wireless traffic

 

Sniffers


Sniffing wireless is possible with a usual Wireshark taken on the wireless adapter. However, you will notbe able to sniff raw 802.11 frames. Rather some layer 2 frames, layer 3 frames and above and no promiscuous mode. This means you miss most of the stuff you want to see with a wireless trace. The following sections will explain you how to sniff via wireless. Most of the products are not free currently but some solutions exist.
An important thing to be aware of is that when you are taking your wireless trace with a dedicated tool, you cannot use your wireless adapter for anything else. This means that you often need an extra laptop dedicated to sniffing, or you can have 2 adapters on the same laptop : one for sniffing and one for associating with the network.

 

Also it can sometimes be seen that wireshark will sniff all traffic on wireless adapter and on promiscuous mode but this totally depends on clients drivers. Rare are the drivers allowing this.

 

Important Note about LWAPP/CAPWAP packets

 

It is important to note that by default, you will see the content of LWAPP/CAPWAP packets as scrambled data. You just have to go (in wireshark) to Edit -> Preferences. Then you click on “Protocols”, on “LWAPP” (or CAPWAP) and enable the only checkbox present “control bit swap”.

This will enable you to view the content of the LWAPP/CAPWAP packet, i.e. the wireless frame encapsulated inside the LWAPP/CAPWAP. This is very useful to check for example if the QoS markings of the wireless frame are present and if they are kept outside of the encapsulation as well …

Wireshark 1.4 and later is needed to decrypt CAPWAP.

 

This obviously concern wired sniffed traffic since CAPWAP occurs between AP and WLC.

 

AP in sniffer mode (LWAPP/CAPWAP)

 

On a controller, you can change an access point mode to "sniffer". If you apply that change, it will reboot.

 

Once  it joins back, you will be able to configure a channel to sniff for  that AP and also your laptop ip address. The idea is that the AP will  tunnel all the traffic to your PC.

 

It's  encapsulated in UDP 5555. so in summary you have an ip header (from AP,  to your laptop), a UDP 5555 header and inside, the wireless frame  (802.11 layer 2) sniffed by the AP.


Open the trace and go to "analyze", then "decode as" and switch to UDP 5555, to decode the trace as "airopeek".
The trace is in fact sent from the WLC management IP with UDP source  port 5555, to the IP address of the PC (configured under the AP's  settings) with UDP destination port 5000.

 

Wifiway


This is a live linux distribution. This means that you just have to boot on the CD and run the tool and you have nothing to install. This distribution is freely available.

The interesting part is that it supports the intel 3945 chipset, which is the one present in many laptops

You put the CD in the drive, reboot the PC. WifiWay proposes you to chose your timezone, keyboard type and so on…
Once you get the command shell, you can boot the X-window with “startx”.


Then by clicking the small black square in the lower left part of the screen, you get a terminal screen. You can type “cd /home/wireless” and then “airoway.sh”. This starts several windows that show you the surrounding devices and access points. It also has a tool to start attacks against APs. This also sets the driver for the wifi adapter.

Then you can either start Wireshark or run “airodump” which is also in the “/home/wireless” directory. The command is :


Airodump wifi0 capture 6


This will use the adapter wifi0, write the sniffer trace to capture.cap and will scan only channel 6.

 

Comments
janesh_abey
Level 1
Level 1
‎10-26-2010 03:06 AM

Hi Nic,

Thanks for taking time to post some great stuff.

cheers,

J

iilyinas
Level 3
Level 3
‎11-02-2010 01:51 PM

Hi, Nico

Don't you want to add something about aircrack and so on?

Cheers, Iron

pbonder
Community Member
‎05-04-2014 05:36 AM

Hi Nicolas,

Is the AP sniffer mode is available for autonomous AP SW, if so can you please address how to configure it.

Many Thanks

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents