
Figure 5.13. Ethereal network protocol analyzer


You can filter the beacon frames, replay TCP sessions that took place over the wireless link, sort the packets by protocol or timestamp, and so on. Please note that the beacon frame shown in the Ethereal screenshot is reported as a "malformed packet." In fact, there is nothing wrong with that beacon; the Ethereal decoding engine is simply confused by the lack of an ESSID in it (a closed network).

Several examples of using Ethereal to flag out interesting 802.11 traffic are given in Chapter 15.

Apart from the Prismdump-based tools we have described, a variety of useful scripts and utilities exist and deserve a mention. They work with the current libpcap library and can often use non-Prism chipset cards. For example, Ssidsniff (http://www.bastard.net/~kos/wifi/) allows access point discovery with Prism or Cisco Aironet chipset cards and logs traffic in pcap format:

arhontus:~# ./ssidsniff -h
./ssidsniff: invalid option -- h
Usage: ./ssidsniff <options>
  -i <device>     Set the device to listen on
  -s <snaplen>    pcap maximum snarfed length
  -f <filter>     pcap filter to use
  -c <maxcount>   Set maximum packets to read, then exit
  -m <mode>       Set mode of operation:
                  live: Use live network device and capture beacons.
                        Use <CR> to get current list. Default.
                  file: Open libpcap file and run through it; print all beacons.
                  acquire: Use live network device and dump out all beacons received in machine parseable format.
  -g              Geiger counter mode. Beep for every packet received.
  -w <file>       tcpdump capture file for everything received
  -W              When capturing to file, only save 802.3 portion
  -r <file>       tcpdump capture file to read packets from
  -l <runlog>     Text file to keep findings. - is stdout.
  -L              When capturing to text file, use machine parseable format
  -v <verbosity>  The higher, the noisier
  -V              version number

arhontus:~# ./ssidsniff -i wlan0 -g -v 2
./ssidsniff: datalink type 113 isn't 802.11 (105), continuing anyway
./ssidsniff: geiger mode on: EsounD sound module
./ssidsniff: Starting sniffing with filter= on wlan0
6 total, 3 beacons, 2 plaintext, 0 wep, 1 martians

The "martians" in the output refers to frames of unknown format (e.g., frames corrupted by RF noise) and not to green men bearing head-mounted, low-gain omnidirectional antennas. The geiger mode lets you hear when more frames are passing and might help you work out where the source of these frames is.
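As an added illustration of two points above (Ethereal's "malformed packet" verdict on a closed-network beacon, and the beacon/plaintext/wep/martian tally that ssidsniff prints), here is a small 802.11 frame classifier in Python. It is not code from the book or from either tool; its sample frames are constructed, with only the AP MAC borrowed from the wlan-scan output later in this section, and it assumes the 802.11 frame layout (24-byte MAC header, 12 fixed beacon bytes, then tag/length/value elements).

```python
import struct
# Constructed sample data (not captured traffic); the AP MAC is from this page's wlan-scan output.
AP = bytes.fromhex("00022d4eea0d")
BCAST = b"\xff" * 6

def mac_hdr(fc, a1, a2, a3):  # 24-byte 802.11 MAC header: FC, duration, addr1-3, seq ctrl
    return struct.pack("<HH", fc, 0) + a1 + a2 + a3 + b"\x00\x00"

def beacon(ssid):  # beacon = type 0 / subtype 8; fixed fields, then SSID and rates elements
    body = struct.pack("<QHH", 0, 100, 0x0411) + bytes([0, len(ssid)]) + ssid
    return mac_hdr(0x0080, BCAST, AP, AP) + body + bytes([1, 1, 0x82])

def parse_beacon_ssid(body):
    """Walk the tagged elements after the 12 fixed bytes. A zero-length SSID element
    means a closed network and yields ''; a truncated element (truly malformed) yields None."""
    off = 12
    while off + 2 <= len(body):
        tag, length = body[off], body[off + 1]
        off += 2
        if off + length > len(body):
            return None
        if tag == 0:
            return body[off:off + length].decode("utf-8", "replace")
        off += length
    return None  # no SSID element at all

def classify(frame):
    """Return (category, ssid) using ssidsniff's categories: beacon, plaintext, wep, martian, other."""
    if len(frame) < 24:
        return ("martian", None)  # too short for a full header, e.g. corrupted by RF noise
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype == 0 and subtype == 8:
        ssid = parse_beacon_ssid(frame[24:])
        return ("beacon", ssid) if ssid is not None else ("martian", None)
    if ftype == 2:  # data frame: the Protected bit (0x4000) marked WEP in this era
        return ("wep" if fc & 0x4000 else "plaintext", None)
    return ("other", None)

def summarize(frames):  # per-category counts, like ssidsniff's "6 total, 3 beacons, ..." line
    counts = {"beacon": 0, "plaintext": 0, "wep": 0, "martian": 0, "other": 0}
    for f in frames:
        counts[classify(f)[0]] += 1
    return counts

SAMPLE = [beacon(b"AgentSmith"), beacon(b""),  # the second is a closed-network beacon
          mac_hdr(0x0008, AP, BCAST, AP) + b"\xaa\xaa\x03" + b"\x00" * 8,  # plaintext data
          mac_hdr(0x4008, AP, BCAST, AP) + b"\x00" * 12,  # Protected bit set: WEP data
          b"\x80\x00\x00"]  # a fragment too short to parse: a martian
```

Run `summarize(SAMPLE)` to get the tally; note that the closed-network beacon counts as a beacon with an empty SSID, while only a genuinely truncated element or frame lands in the martian bucket.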

Another utility to sniff a channel in the RFMON mode, using Prism II chipset cards only, is Scanchan from http://www.elixar.net/wireless/download/download.html.

Scanchan is used by airtraf, which we have already described. For an easy-to-use command-line utility for Hermes chipset cards, try Wavestumbler:

arhontus:~# ./wavestumbler --help
WaveStumbler v1.2.0 by Patrik Karlsson <patrik@cqure.net>
usage: ./wavestumbler [options]
  -i* <interface>
  -d* <delay in ms> (should be greater than 100)
  -r <reportfile>
  -m reduce shown information to minimum
  -v be verbose (show debug info)

Wavestumbler, by default, tries to write to the /proc/hermes/eth1/cmds file, and you might need to modify the tool if that file is not present on your system (find /proc/ -name '*hermes*' helps to locate it). Another scanning utility for Hermes chipset cards is wlan-scan, which unfortunately comes only as a precompiled binary:

arhontus:~# ./scan -h
Usage: ./scan <1|2> [<essid [rate]>|<auto>|<-{profile}>]
arhontus:~# ./scan 2
ESSID AgentSmith Link 52/92 (56%) Speed 2Mb
My HW 00:90:4B:06:15:4F () AP HW 00:02:2D:4E:EA:0D ()

Apart from the scan utility, wlan-scan also ships with an OUI-to-manufacturer list and an arpq parsing utility that might come in handy:

arhontus:~# ./arpq 00:00:39:BA:33:86
00:00:39:ba:33:86=Intel

Yet another utility and collection of scripts for command-line wardriving with a Hermes chipset card is called Wardrive and comes from van Hauser of The Hacker's Choice (http://www.thehackerschoice.com). Wardrive was one of the very first wardriving tools to support GPS devices and audible alerts on network discovery. Edit the wardrive.conf file and the included shell scripts to suit your system settings (wireless interface, GPS serial port, etc.). The sniff_wvlan.sh script runs tcpdump and Dug Song's Dsniff on the selected wireless interface:

#!/bin/sh
# Pick the interface: $DEV if set, else $DEVICE from wardrive.conf, else eth0.
test -z "$DEV" && DEV="$DEVICE"
test -z "$DEV" && DEV=eth0
# Per-run capture files, named after this shell's PID so runs do not overwrite each other.
dsniff=dsniff.$$.sniff
tcpd=tcpdump.$$.sniff
# Start both sniffers in the background on the chosen interface.
dsniff -i "$DEV" -n -m -s 2500 > "$dsniff" &
tcpdump -l -i "$DEV" -n -s 2500 -w "$tcpd" ip or arp &

Ensure that you have these tools installed and they can be found in the $PATH.

The syntax of the Wardrive utility itself can be confusing:

arhontus:~# ./wardrive --help
Wardrive v2.1 by van Hauser / THC <vh@reptile.rug.ac.be>
Syntax: ./wardrive [-p serport] [-d interface] [-o file] [-I script]
        [-i interval] [-l level] [-b level] [-B interval] [-G] [-v]
Options:
  -d interface  wavelan interface. [eth0]
  -p serport    seriell port the GPS device (NMEA) is connected to. [/dev/ttyS1]
  -o file       output file to append the data to. [./wardrive.stat]
  -I script     script to run initially to configure the wvlan card []
  -R script     script to reset wvlan card after node was found [reset_wvlan.sh]
  -W            print access point hwaddr and SSID via "iwconfig" [false]
  -i interval   interval to write GPS+wavelan data in seconds, 0 = amap. [1]
  -l level      only save data with >= this link level, 0 = all. [1]
  -b level      beep if >= this link level, 0 = disable. [5]
  -B interval   wait time in seconds before beeping again. [5]
  -G            ignore errors from GPS, dont exit. [false]
  -v            be verbose. [false]

However, running the scan via start_wardrive is easy once everything is configured:

arhontus:~# ./start_wardrive eth1 enable roaming
Wardrive: GPS could not be configured, disabled support and still running ...
Starting logging, saving to ./wardrive.stat; press Control-C to end logging ...
2003-05-21 20:09:12 00:00:00.0000? 00:00:00.0000? 0 0 188 134 0 4635 0
tcpdump: WARNING: eth1: no IPv4 address assigned
tcpdump: listening on eth1
dsniff: listening on eth1
2003-05-21 20:09:13 00:00:00.0000? 00:00:00.0000? 0 56 214 114 0 4638 0
2003-05-21 20:09:13 00:00:00.0000? 00:00:00.0000? WINFO - SSID:"foobar net" Access Point: 00:02:2D:4E:EA:0D
2003-05-21 20:09:14 00:00:00.0000? 00:00:00.0000? 0 58 212 112 0 4643 0
2003-05-21 20:09:15 00:00:00.0000? 00:00:00.0000? 0 58 210 112 0 4647 0
2003-05-21 20:09:16 00:00:00.0000? 00:00:00.0000? 0 60 213 111 0 4651 0
2003-05-21 20:09:17 00:00:00.0000? 00:00:00.0000? 0 64 215 111 0 4655 0
2003-05-21 20:09:18 00:00:00.0000? 00:00:00.0000? 0 62 213 110 0 4659 0

Finally, for all you Perl lovers wanting to use (and perhaps dissect) something simpler than Wellenreiter, there is Perlskan. Perlskan uses the GPS::Garmin module (included with the tool) for interfacing with the GPS device. Thus, the GPS receiver will have to send data in GRMN/GRMN and not NMEA, unless NMEA support is implemented in the GPS::Garmin module by the time this book is released. Perlskan was written for Hermes chipset cards and is easy to compile and use:

arhontus:~# perl perlskan
Usage: perlskan <ifname> <gps tty>
arhontus:~# perl perlskan eth1
eth1: 31337++
link = 0
freq = 2422000000
bitrate = 2000000

In the current example, Perlskan could not find our closed ESSID 802.11g LAN, which is depressing. If a Cisco Aironet card is used instead of the Hermes chipset, Perlskan still finds the access points, but shows them all as running on channel 1. This is probably because of the Aironet card's default channel 1 setting, even though the card hops automatically between channels.

BSD Tools for Wireless Network Discovery and Traffic