In this demo I'll show how to capture packets by putting the wireless LAN interface on your laptop into monitor mode. We'll then use tcpdump to capture packets sent by nearby devices (other laptops, other access points), load the captured packets into Wireshark and have a look at some of them. Normally the wireless interface on a laptop runs in managed mode, which lets it connect to different access points, but that means it only captures the packets that you send or that are sent directly to your laptop. What I'd like to do is run it in monitor mode, where it can capture packets sent by others to others, for example from someone else's laptop to an access point, and then observe what is happening on the wireless LAN. Of course, in monitor mode your laptop stops transmitting and receiving. Not all wireless LAN devices support monitor mode; it depends on the hardware, and only some drivers allow enabling it. It turns out that the Intel wireless interface in my laptop does support monitor mode. One way to see the manufacturer of the device and the driver in use is lspci, which lists the PCI devices and should include your wireless LAN interface. So I'll run lspci in verbose mode and look at the output. Since I know what I'm searching for, I'll use grep to display only the part of the output related to my wireless LAN interface, that is, the lines after "Network", which should be my wireless LAN controller. My wireless network controller is the Intel Centrino wireless LAN 1000, and perhaps the most useful lines are at the bottom: the kernel modules and the kernel driver in use, iwlagn. It turns out that this Intel driver does support monitor mode.
As an aside, if you want more information about that driver you can use modinfo with the driver name. It shows a lot of information about the driver: where the driver lives on your file system, its name and, down the bottom after scrolling through all the aliases, some of the parameters it supports and their default values. My wireless hardware and driver support monitor mode, so let's enable it. First I'll turn off the network manager that manages the wired and wireless interfaces by disabling networking, so that we can do everything on the command line without the network manager interfering. Now I'll bring down my interface. Let's list the interfaces: no interfaces are up, and the available interfaces include eth0 and wlan0, where wlan0 is obviously the wireless LAN interface. It's currently down; if it wasn't already down we could have used ifconfig to bring it down. Now we want to put the interface into monitor mode, so we use iwconfig with the mode monitor option, and then simply check that wlan0 is in monitor mode. Now we cannot send or receive any packets via the wireless LAN interface, but all the packets that others send within range of my laptop will be detected by the interface and processed when we tell it to. Now I'll bring the interface up. Since the interface is up and in monitor mode, we want to capture some packets, so I'll clear the screen and use tcpdump. I've got Wireshark installed on this laptop already, and in Wireshark you can capture packets directly, but I'll use tcpdump on the command line. I need to specify the interface to capture on, wlan0, with the -i option. I'm also going to specify the maximum size of the packets that I capture.
By default tcpdump only captures the first, I think, 64 bytes of each packet (it may be a little larger than that), but it won't capture the entire packet. By capturing 1500 bytes we should capture the whole packet, and we write the capture to a file; let's call it example.cap. Now my wireless LAN interface is capturing all the packets it can receive that are transmitted by other stations in the nearby area. Of course you need some other stations around to capture anything of use; it turns out there are some in my network, so I'll leave it running for a minute or so. The reason I use tcpdump to capture rather than Wireshark is that capturing requires administrative privileges, for example via sudo, so the choice is either to run tcpdump as sudo or to run the entire Wireshark program as sudo. If you run Wireshark as sudo, then all of its other features are also running in administrator mode, at the higher privilege level. So there is potentially some security benefit in running only tcpdump as sudo; once the capture is done you can load it into Wireshark and use all of its other features (the filters, the statistics and so on), which don't need administrator privileges. Let's hope we've captured enough; Control-C to finish. 1,436 packets were captured, so now let's load them into Wireshark. I'll start Wireshark. We could start it with the file as an argument, but I won't, because I want to set some options first. I'll open the file example.cap and disable the name resolution options for MAC, network and transport names. When they are enabled, Wireshark maps the real MAC address to something more user friendly, for example identifying the manufacturer, and likewise maps transport port numbers to the well-known applications, like port 80 to HTTP.
I want to show the actual values rather than the human-friendly values, just for this example. Let's open the file, and we see the list of packets, which we can inspect one by one. In the top half of the screen is the list of packets (packet one, two, three and so on) with the time each packet was captured relative to the first packet, the source and destination addresses, the protocol being used, the packet length and some summary information about the characteristics of that packet. In the second half of the screen we see the details of an individual packet, where we can expand and see the packet header fields. The intention here is not to go through all the features of Wireshark, but just to show that the wireless LAN packets were captured. Of course you can apply different filters; if you use the Expression button you can go through all the filters available. One that may be of use is filtering on the wireless LAN frame type, with the filter wlan.fc.type. There are three types of frames in IEEE 802.11: management frames are type 0, control frames type 1 and data frames type 2.

Let's first look at the management frames. There are subtypes as well: the management frames include the frames sent for discovering the access point and for associating and authenticating with it. So let's add another condition here, the subtype; you need to look up which numbers correspond to which kinds of frames. Subtype 8 is the beacon frame, and beacons are sent periodically by access points. In the set of frames shown on the screen we can see one sent by an access point with a MAC address ending in A3, and when we expand the packet fields we can see a number of parameter values. One of them is the extended service set ID that this access point is advertising, in this case WSIT, and there are other parameters such as the supported data rates and so on; you can explore the different fields available there. Packet number fourteen is from a different access point but the same extended service set, that is, there are two access points within range of my laptop in the WSIT ESS, and if I look through there may be other access points nearby as well.

Other frame subtypes are probe requests and probe responses, which are subtypes 4 and 5. We can see some probe requests, which is a mobile device or client initiating the discovery of an access point; when an access point receives a probe request it may send a probe response, which informs the client about that access point. So we can see a single request, a single response and some further requests captured there. Note that there is a different SSID here, this THDT access point.

Now what about data frames? Data frames are frame type 2, and control frames, which include acknowledgements, are type 1, so let's show both of them. Now you can see the wireless LAN data frames sent by other stations near my laptop. They correspond to different network, transport or application protocols, depending on what the clients are running, for example name services and address resolution, and if you scroll through you may even find common applications like web requests. Here we see two data frames and some acknowledgement frames that have been captured, so you can look at the individual wireless frames that have been sent near your laptop.

That's enough with Wireshark, so let's close it. To finish off, let's turn our interface back into managed mode so that you can use your wireless LAN interface for normal operations again. I'll bring down the interface, set the mode for that interface to managed using iwconfig, and bring the interface up again, if I can hit the right keys on the keyboard. For example, we can tell the wireless LAN to connect to an access point on a particular ESSID, and we're now associated with an access point again. We could use dhclient to obtain an IP address, or, simpler, enable networking again and let the network manager in the operating system do that automatically for us. So that's a quick demo of using iwconfig to turn your wireless LAN interface into monitor mode, tcpdump to capture packets sent by others, and Wireshark to look at the packets that were captured.
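As an added example (not part of the original demo), here is a small Python reader for the example.cap file that tcpdump writes, applying the same wlan.fc.type and wlan.fc.subtype selection as the Wireshark filters used above and pulling the SSID out of beacon and probe frames. The pcap bytes, MAC addresses and SSIDs in the block are constructed, not from a real capture; it assumes the little-endian pcap format and handles the radiotap link type that a monitor-mode capture normally has.

```python
import struct
# Wireshark's wlan.fc.type and wlan.fc.subtype values used in the demo (IEEE 802.11)
TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
SUBTYPE_NAMES = {(0, 4): "probe req", (0, 5): "probe resp", (0, 8): "beacon", (1, 13): "ack"}

def parse_pcap(data):
    """Yield the 802.11 frames from a pcap file as tcpdump -w writes it."""
    if data[:4] != b"\xd4\xc3\xb2\xa1": raise ValueError("not a little-endian pcap file")
    linktype, off = struct.unpack_from("<I", data, 20)[0], 24
    while off + 16 <= len(data):
        incl = struct.unpack_from("<I", data, off + 8)[0]
        pkt, off = data[off + 16:off + 16 + incl], off + 16 + incl
        if linktype == 127:  # radiotap (usual in monitor mode): skip its header
            pkt = pkt[struct.unpack_from("<H", pkt, 2)[0]:]
        yield pkt

def ssid_from_ies(body):
    off = 0  # tagged elements: tag, length, value; tag 0 is the SSID
    while off + 2 <= len(body):
        tag, ln = body[off], body[off + 1]
        if tag == 0:
            return body[off + 2:off + 2 + ln].decode("utf-8", "replace")
        off += 2 + ln

def decode(frame):
    # frame-control byte: bits 2-3 are the type, bits 4-7 the subtype
    ftype, subtype = (frame[0] >> 2) & 3, frame[0] >> 4
    info = {"type": ftype, "subtype": subtype, "name": SUBTYPE_NAMES.get((ftype, subtype), TYPE_NAMES.get(ftype))}
    if ftype == 0:  # management: addr2 = sender, addr3 = BSSID, body after 24-byte header
        info["sa"], info["bssid"] = frame[10:16].hex(":"), frame[16:22].hex(":")
        body = frame[24:]
        if subtype in (5, 8):  # beacon/probe response: 12 bytes of fixed fields first
            body = body[12:]
        info["ssid"] = ssid_from_ies(body)
    elif ftype == 1:  # control frames carry only a receiver address
        info["ra"] = frame[4:10].hex(":")
    return info

def filter_frames(pcap_bytes, ftype, subtype=None):
    """Same selection as 'wlan.fc.type == ftype && wlan.fc.subtype == subtype'."""
    return [decode(f) for f in parse_pcap(pcap_bytes)
            if (f[0] >> 2) & 3 == ftype and subtype in (None, f[0] >> 4)]
# Constructed sample, not a real capture: linktype-127 pcap with a beacon from a made-up AP for "WSIT", a probe request for "THDT" and an ACK
AP, STA, BC = bytes.fromhex("02000000a0a3"), bytes.fromhex("020000000042"), b"\xff" * 6
RT = b"\x00\x00\x08\x00" + bytes(4)  # minimal 8-byte radiotap header, no fields present
def _rec(f): return struct.pack("<IIII", 1700000000, 0, len(RT + f), len(RT + f)) + RT + f
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1500, 127) + _rec(
    bytes([0x80, 0, 0, 0]) + BC + AP + AP + bytes(14) + b"\x00\x04WSIT") + _rec(
    bytes([0x40, 0, 0, 0]) + BC + STA + BC + bytes(2) + b"\x00\x04THDT") + _rec(
    bytes([0xD4, 0, 0, 0]) + STA)
```

Calling filter_frames(open("example.cap", "rb").read(), 0, 8) on a real capture lists the beacons, exactly as the wlan.fc.type == 0 && wlan.fc.subtype == 8 filter does in Wireshark.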