About a year ago I figured out how to use a Linksys WRT54 Wifi router and Wireshark for Wifi packet tracing and reported about it here. Now I have found another inexpensive tool for the job, which is equally helpful.
Background: The problem with Wifi packet tracing on Windows is that the wireless card drivers do not report the Wifi-specific headers and also cannot be set into promiscuous mode, which is required to pick up packets from other devices in the network. On Linux, things are a lot easier, as drivers forward the required information.
I recently bought a Linux based eeePC, for quite different purposes, but now stumbled over instructions on how to make Wireshark work with it and how to set the Wifi chip into promiscuous mode. I gave it a try today and it works like a charm. I love Wikis!
Here are some additional hints I unfortunately can’t add to the Wiki as a login is required…:
- Starting with Wireshark 0.99.5, WPA decryption is supported with manual key input. Very helpful for tracing real networks. Note: While I have this version on my Windows PC, the Debian package manager only installed 0.99.4 on the eeePC. As a consequence, I have to wait with WPA decryption until I open the tracefile on the Windows PC.
- For the WPA decryption to work (later on the Windows PC), the eeePC’s network card needs to be set to a network without encryption before promiscuous mode is activated. Otherwise, the Wifi chip seems to reuse the previous encryption key and tries to decrypt the packets instead of delivering them as they are to higher layers.
I’ve already made some very interesting discoveries when tracing my N95 in idle mode with the SIP VoIP client active. Lots of power save, polling and other Wifi management messages going back and forth which can’t be seen when tracing the Ethernet layer only. More about that in a future post.
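To make concrete what the Wifi-specific headers add over an Ethernet-level trace, here is an added example (not code from the original post) that decodes a few 802.11 frames the way a Linux monitor-mode capture delivers them: a radiotap header followed by the raw 802.11 MAC header. The frames, the addresses and the AID value are constructed by hand for the example; the radiotap layout (version, pad, length, present bitmap) and the 802.11 frame-control bit positions are taken from the respective standards. The power-management bit, the Null-function and PS-Poll frames, and the Protected flag on data frames are exactly the things that never reach the Ethernet layer.

```python
"""Decode radiotap + 802.11 frames and report the management/power-save
details that are invisible in an Ethernet-only trace.
Added example; all frames below are constructed, not captured."""
import struct

TYPES = {0: "Management", 1: "Control", 2: "Data"}
# (type, subtype) -> name; a subset of IEEE 802.11 sufficient for this example
SUBTYPES = {
    (0, 0x0): "Association Request", (0, 0x4): "Probe Request",
    (0, 0x5): "Probe Response", (0, 0x8): "Beacon", (0, 0xB): "Authentication",
    (1, 0xA): "PS-Poll", (1, 0xB): "RTS", (1, 0xC): "CTS", (1, 0xD): "ACK",
    (2, 0x0): "Data", (2, 0x4): "Null function (no data)",
    (2, 0x8): "QoS Data", (2, 0xC): "QoS Null",
}


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_radiotap(buf):
    """Radiotap header: version(1) pad(1) length(2 LE) present(4 LE) + fields.
    Returns (header_length, remaining 802.11 frame)."""
    version, _pad, it_len = struct.unpack_from("<BBH", buf, 0)
    if version != 0 or it_len > len(buf):
        raise ValueError("bad radiotap header")
    return it_len, buf[it_len:]


def parse_80211(frame):
    """Decode the 802.11 frame control field and the addresses that follow it."""
    if len(frame) < 10:
        raise ValueError("frame too short for an 802.11 MAC header")
    fc, _dur_or_aid = struct.unpack_from("<HH", frame, 0)
    ftype = (fc >> 2) & 0x3          # bits 2-3 of the first byte
    subtype = (fc >> 4) & 0xF        # bits 4-7 of the first byte
    flags = fc >> 8                  # second byte: ToDS, FromDS, ..., Protected
    info = {
        "type": TYPES.get(ftype, "Reserved"),
        "subtype": SUBTYPES.get((ftype, subtype), f"subtype 0x{subtype:X}"),
        "to_ds": bool(flags & 0x01), "from_ds": bool(flags & 0x02),
        "retry": bool(flags & 0x08), "power_mgmt": bool(flags & 0x10),
        "more_data": bool(flags & 0x20), "protected": bool(flags & 0x40),
        "addr1": mac(frame[4:10]),
    }
    # Management and data frames carry addr2/addr3; of the control frames only
    # PS-Poll and RTS carry a second (transmitter) address, CTS/ACK do not.
    if ftype != 1 or subtype in (0xA, 0xB):
        info["addr2"] = mac(frame[10:16])
    if ftype != 1:
        info["addr3"] = mac(frame[16:22])
    return info


def summarize(capture):
    """One line per frame, roughly what the Wireshark packet list shows."""
    lines = []
    for raw in capture:
        _, frame = parse_radiotap(raw)
        f = parse_80211(frame)
        flags = [n for n in ("to_ds", "from_ds", "retry", "power_mgmt",
                             "more_data", "protected") if f[n]]
        lines.append(f"{f['type']:<10} {f['subtype']:<24} "
                     f"{f.get('addr2', '-'):<17} -> {f['addr1']}  [{', '.join(flags)}]")
    return lines


def power_save_state(capture):
    """Last announced power-save state per transmitter (management/data frames only)."""
    state = {}
    for raw in capture:
        f = parse_80211(parse_radiotap(raw)[1])
        if f["type"] != "Control":
            state[f["addr2"]] = f["power_mgmt"]
    return state


# --- constructed sample capture ------------------------------------------
RT = bytes([0, 0, 8, 0, 0, 0, 0, 0])       # minimal radiotap header: version 0, length 8
AP = bytes.fromhex("00112233aabb")          # constructed BSSID / access point
STA = bytes.fromhex("001122334455")         # constructed station (the phone)
BCAST = b"\xff" * 6
SEQ = b"\x10\x00"
CAPTURE = [
    # Beacon from AP: type 0, subtype 8
    RT + b"\x80\x00" + b"\x00\x00" + BCAST + AP + AP + SEQ + b"\x00" * 12,
    # Null-function frame from STA with ToDS + PwrMgt set: "I am going to sleep"
    RT + b"\x48\x11" + b"\x2c\x00" + AP + STA + AP + SEQ,
    # PS-Poll from STA: type 1, subtype 0xA; AID 1 (two MSBs set) replaces duration
    RT + b"\xa4\x00" + b"\x01\xc0" + AP + STA,
    # Encrypted data from AP to STA: FromDS + Protected flags
    RT + b"\x08\x42" + b"\x2c\x00" + STA + AP + STA + SEQ + b"\x00" * 16,
    # ACK from AP to STA: type 1, subtype 0xD, receiver address only
    RT + b"\xd4\x00" + b"\x00\x00" + STA,
]

if __name__ == "__main__":
    for line in summarize(CAPTURE):
        print(line)
    print(power_save_state(CAPTURE))
```

Feeding it a real capture means reading the packets of a radiotap-link-type pcap into the list instead of the constructed frames; the decoder itself does not change.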
Hi Martin,
I read your article with interest as I am starting to look into WLANs and there is no better way of learning than looking at some traces. I don’t have an eeePC but I do have a Linksys router and the link to your older entry was very useful. I just have a couple of questions about your approach that I was hoping you could help me with. As I understand you run both the kismet server and client on the Linksys AP. And by doing so can you still use the Linksys as an AP or does it become just a passive sniffer? Thanks
Hi Mark,
I have to admit I am not quite sure anymore. I think I set the Linksys into client mode but deactivated all encryption settings and used a dummy SSID so it wouldn’t attach to the network I wanted to monitor. Further, you have to set the channel to a fixed value, otherwise it might start hopping.
I am afraid you have to experiment a bit here. The eeePC approach is a lot simpler 🙂
Cheers,
Martin
Update: To install Wireshark 1.0.0.1, replace the stable debian release line in the package manager sources.list file with the one described here:
http://packages.debian.org/sid/i386/wireshark/download
WARNING: DO THIS AT YOUR OWN RISK. The procedure replaces lots of stuff on the eeePC! Afterwards, OpenOffice didn’t run anymore and I had to update it to version 2.4 as well (apt-get install openoffice.org).