using wireshark to sniff wifi monitors - candela … · using wireshark to sniff wifi monitors ......

Post on 05-Jun-2018


http://www.candelatech.com | sales@candelatech.com | +1 360 380 1618 [PST, GMT-8]

Using Wireshark to Sniff WiFi Monitors

Goal: Sniff wireless traffic from a LANforge radio using Wireshark and a WiFi Monitor port.

The best way to sniff wireless packets via Wireshark in LANforge is from a monitor port that is on its own radio (no other AP, STAs, etc.). This example will walk through the monitor port creation, sniffing the monitor port, as well as Wireshark filter recommendations.

This example uses a LANforge CT523 system but the procedure should work on a CT524, CT525, or similar system.

1. Create a monitor port.

   A. In the Port Mgr tab, select a wiphy device that you wish to sniff with (this example will use wiphy1, an ath10k radio).


   B. If the wiphy device is down, click the up arrow to enable it.

   C. Click Modify.

      A. Select the channel you wish to sniff. Channel 36 will be used for this test.

      B. Click OK.

   D. Back in the Port Mgr tab, with the wiphy device still selected, click Create.

      A. Select the WiFi Monitor option at the top.

      B. Set the Quantity to 1.

      C. Set the STA ID to 0.

      D. Click Apply and close the Create Port window.

   E. In the Port Mgr tab again, modify moni0.

      A. You can disable HT40 and HT80 here if needed.

      B. Click OK to close the window.

2. For this current setup, traffic will be generated with a layer 3 UDP connection between two stations. For more information see Generating Traffic for WLAN Testing

3. Use Wireshark to sniff moni0.

   A. If you are running the LANforge GUI from a Windows machine without xserver installed, you will need to connect remotely to the LANforge system via rdesktop or vnc.

      A. To connect via rdesktop, type the following command into a console (replace LANforge-IP with the IP of your LANforge system):
         rdesktop LANforge-IP

         I. The login info is username/password lanforge/lanforge

      B. To connect via vnc, type the following command into a console (replace LANforge-IP with the IP of your LANforge system. Don't forget to add the ':1' after the IP):
         vncviewer [LANforge-IP]:1
         The password is lanforge.

      C. Once you have accessed the LANforge system via rdesktop or vnc, open the LANforge GUI with the desktop icon shown below.

   B. Select moni0 in the Port Mgr tab.

   C. Click the Sniff Packets button. Wireshark will now open and automatically start scanning for packets. If you get a window that warns about running as user root, click OK.

      A. To use a filter, simply add the filter constraints to the filter text box as seen below and click Apply to the right. The below screenshot has Wireshark filtering on a specific IP.

      B. If you'd like to only see traffic to/from a single AP use the filter wlan.addr == [bssid]

   D. There are many filters that can be used in Wireshark. Some handy ones include:
      IP: ip.addr == x.x.x.x
      wlan MAC: wlan.addr == xx:xx:xx:xx:xx:xx
      Association request: wlan.fc.type_subtype eq 0
      Association response: wlan.fc.type_subtype eq 1
      Probe request: wlan.fc.type_subtype eq 4
      Probe response: wlan.fc.type_subtype eq 5
      Beacon: wlan.fc.type_subtype eq 8
      Authentication: wlan.fc.type_subtype eq 11
      Deauthentication: wlan.fc.type_subtype eq 12

   E. Filters can be combined to specify if packets should match all filters (with &&) or any filters (with ||). For example, if you wanted to view packets that only contain both IPs 1.1.1.1 and 2.2.2.2 you could use the following:
      ip.addr == 1.1.1.1 && ip.addr == 2.2.2.2
      Or, if you want to see all packets containing 1.1.1.1 and all packets containing 2.2.2.2, you could use the following:
      ip.addr == 1.1.1.1 || ip.addr == 2.2.2.2

   F. You can visit https://wiki.wireshark.org/DisplayFilters for more tips on filters. A handy 'cheat sheet' with most filters can be found here.
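What the wlan.fc.type_subtype and wlan.addr filters in the list above test on each frame, as an added Python example that is not part of the Candela cookbook: it strips the radiotap header that a monitor port prepends, computes the type/subtype value, and counts frames that name a given MAC. The function names are hypothetical and the sample frames and MAC addresses are constructed, not taken from a capture.

```python
import struct
from collections import Counter

# Management subtypes from the filter list above (wlan.fc.type_subtype values).
NAMES = {0: "Association request", 1: "Association response", 4: "Probe request",
         5: "Probe response", 8: "Beacon", 11: "Authentication", 12: "Deauthentication"}

def dot11(frame: bytes) -> bytes:
    """Strip the radiotap header a monitor port prepends; return the 802.11 frame."""
    if len(frame) < 8:
        raise ValueError("too short for a radiotap header")
    version, _pad, rt_len = struct.unpack_from("<BBH", frame)
    if version != 0 or rt_len < 8 or len(frame) < rt_len + 2:
        raise ValueError("bad radiotap header or truncated frame")
    return frame[rt_len:]

def type_subtype(frame: bytes) -> int:
    """Value Wireshark shows as wlan.fc.type_subtype: (type << 4) | subtype."""
    fc0 = dot11(frame)[0]          # first Frame Control byte
    return (((fc0 >> 2) & 0x3) << 4) | (fc0 >> 4)

def addrs(frame: bytes) -> set:
    """Address 1-3 fields that are fully present (management/data header layout)."""
    hdr = dot11(frame)
    fields = (hdr[o:o + 6] for o in (4, 10, 16))
    return {f.hex(":") for f in fields if len(f) == 6}

def summarize(frames, mac):
    """Like 'wlan.addr == mac': count frames naming mac, keyed by subtype name."""
    hits = (type_subtype(f) for f in frames if mac.lower() in addrs(f))
    return Counter(NAMES.get(ts, f"type_subtype {ts}") for ts in hits)

# --- constructed sample frames (not from a real capture) ---
RADIOTAP = bytes.fromhex("0000080000000000")   # minimal 8-byte radiotap header
AP, STA, OTHER = (bytes.fromhex(h) for h in
                  ("020000000001", "020000000002", "0200000000ff"))
BCAST = b"\xff" * 6

def mgmt(fc0, dst, src, bssid):
    """Frame control, duration, three addresses, sequence control; no body."""
    return RADIOTAP + bytes([fc0, 0]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00"

SAMPLE = [mgmt(0x80, BCAST, AP, AP),        # beacon from AP
          mgmt(0x40, BCAST, STA, BCAST),    # probe request that does not name AP
          mgmt(0xB0, AP, STA, AP),          # authentication
          mgmt(0xC0, STA, AP, AP),          # deauthentication
          mgmt(0x80, BCAST, OTHER, OTHER)]  # beacon from another BSS

if __name__ == "__main__":
    print(summarize(SAMPLE, "02:00:00:00:00:01"))
```

Because the value is (type << 4) | subtype, management frames (type 0) show up as the small numbers in the list, while a QoS data frame is 40.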

Candela Technologies, Inc., 2417 Main Street, Suite 201, Ferndale, WA 98248, USA
www.candelatech.com | sales@candelatech.com | +1.360.380.1618
