Table of Contents for
Packet Analysis with Wireshark

Version ebook / Retour

Cover image for bash Cookbook, 2nd Edition Packet Analysis with Wireshark by Anish Nath Published by Packt Publishing, 2015
  1. Cover
  2. Table of Contents
  3. Packet Analysis with Wireshark
  4. Packet Analysis with Wireshark
  5. Credits
  6. About the Author
  7. About the Reviewers
  8. www.PacktPub.com
  9. Preface
  10. What you need for this book
  11. Who this book is for
  12. Conventions
  13. Reader feedback
  14. Customer support
  15. 1. Packet Analyzers
  16. Introducing Wireshark
  17. Other packet analyzer tools
  18. Summary
  19. 2. Capturing Packets
  20. Troubleshooting
  21. Wireshark user interface
  22. Wireshark features
  23. Tcpdump and snoop
  24. References
  25. Summary
  26. 3. Analyzing the TCP Network
  27. TCP connection establishment and clearing
  28. TCP data communication
  29. TCP close sequence
  30. Lab exercise
  31. TCP troubleshooting
  32. TCP latency issues
  33. Wireshark TCP sequence analysis
  34. References
  35. Summary
  36. 4. Analyzing SSL/TLS
  37. The SSL/TLS handshake
  38. Key exchange
  39. Decrypting SSL/TLS
  40. Debugging issues
  41. Summary
  42. 5. Analyzing Application Layer Protocols
  43. BOOTP/DHCP
  44. DNS
  45. HTTP
  46. References
  47. Summary
  48. 6. WLAN Capturing
  49. Analyzing the Wi-Fi networks
  50. Wi-Fi sniffing products
  51. Summary
  52. 7. Security Analysis
  53. The DOS attack
  54. Scanning
  55. ARP duplicate IP detection
  56. DrDoS
  57. BitTorrent
  58. Wireshark protocol hierarchy
  59. Summary
  60. Index

Chapter 6. WLAN Capturing

So far, we have seen packets captured on Ethernet. In this chapter we will learn how to capture WLAN network traffic, and use effective display filters for all the frames, by covering the following topics:

  • WLAN (802.11) capture setup and the monitor mode
  • 802.11 capturing with tcpdump
  • 802.11 display filters
  • Layer-2 datagram frame types and Wireshark display filters
  • 802.11 auth process
  • 802.1X EAPOL
  • 802.11 protocol stack

WLAN capture setup

Wireshark depends on the operating system on which it's running (and on the drivers for the wireless adapter) for monitor mode support.

For Linux, the 802.11 wireless toolbar (View | Wireless Toolbar) provides excellent options to enable the monitor mode and set the channel for cfg80211 devices. This even supports multiple network interfaces for multi-channel captures; refer to https://wiki.wireshark.org/CaptureSetup/WLAN for detailed instructions.

The MAC OS has a wireless adapter, and the monitor mode is supported. On Windows, the monitor mode is not supported; you need a commercial adaptor for this, such as the AirPcap USB adapter.

The WLAN (IEEE 802.11) capturing process is slightly different from capturing Ethernet traffic in Wireshark. By default, when we start capturing traffic in a Wi-Fi network, it captures traffic between two endpoints (HOST-A and HOST-B). To capture the Wi-Fi traffic, Wireshark has to run in the monitor mode—RFMON (Radio Frequency Monitor) mode—which allows a computer with a wireless network interface controller (WNIC) to monitor all traffic received from the AP (Access Point), as shown in the screenshot:

WLAN capture setup

The monitor mode

The monitor mode is supported only on IEEE 802.11 Wi-Fi interfaces, and only on some operating systems. To enable the monitor mode in a Wi-Fi interface, perform these steps in Wireshark:

  1. Click on Capture | Options.
  2. Select the active Wi-Fi adaptor. Double-click on the interface setting; a window will appear.
  3. Enable the Capture packets in Monitor mode option.
  4. Click on OK.
  5. Start the capture.

You should see the following screen:

The monitor mode

When the monitor mode is on, the adapter captures all the packets transmitted on the channel. These include:

  • Unicast packets
  • Broadcast packets
  • Control and management packets

Tip

Disable name resolution in the monitor mode because Wireshark will try resolving the FQDN, which results in slowness in opening the packet capture file (there is no external network in the monitor mode).

Once the packet capture starts, Wireshark will start displaying the 802.11 protocol packet exchange between source and destination, as shown in the following screenshot (or open the packet capture 802.11.pcap file in Wireshark). Packet capture in the monitor mode will not be associated with any of the access points and the user can see only 802.11 frames, which include non-data (management and beacon) frames, as shown:

The monitor mode

To perform a wireless packet capture using tcpdump, execute the following command. The tcpdump with –I option will turn the monitor mode on:

bash $ tcpdump -I -P -i en0 -w 802.11.pcap

The output obtained is as follows:

tcpdump: WARNING: en0: no IPv4 address assigned
tcpdump: listening on en0, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 65535 bytes
^C52 packets captured
52 packets received by filter