Taking traces in a Wireless LAN can be quite a tricky thing if you are using Windows. Apart from a few expensive programs which can do the job, free tools like Wireshark can only trace what the network driver forwards to the operating system. Unfortunately, most Windows Wireless LAN drivers only forward pseudo-Ethernet frames to the OS and hide all the nitty-gritty Wireless LAN details: the 802.11 header, management frames such as beacons and probe requests, and control frames never reach the sniffer. An alternative to tracing a Wireless LAN with your PC is to let an off-the-shelf Wireless LAN access point record all packets and save them to a file which can then be analyzed on the PC. Cost of the solution: 60 euros and a bit of time to set it up.
In this and the next couple of blog entries I’ll give an overview of how to collect packets in a Wireless LAN and how to analyze them on a Windows PC with such a setup. If you don’t know much yet about the basic technology behind Wifi, I can warmly recommend chapter 4 of my book.
The Wifi tracing environment consists of the following components:
- A PC or notebook running Windows with an Ethernet port.
- A Linksys WRT54G or WRT54GL wifi router (picture above, for details see below). The WRT54G sells for around 50-60 euros on eBay. Several hardware versions exist, and not all of them are suitable. For details, see the next blog entry.
- OpenWRT, a free Linux operating system for the wifi router (open source)
- X-WRT, a better web interface for OpenWRT (open source)
- Kismet for OpenWRT (open source)
- CIFS driver for OpenWRT, to be able to mount a directory of your Windows computer on the router for file export (open source)
- Wireshark for Windows (open source)
- PuTTY, a free telnet/SSH client for Windows
With this setup, tracing a Wireless LAN can be done as follows: In a first step, the native software of the wifi router has to be replaced with OpenWRT, X-WRT, Kismet and a CIFS driver. Once the setup is running, Kismet is used on the router to passively collect all 802.11 wifi frames the router's radio receives (not only traffic of its own network, but everything on the channel it is tuned to) and to save them to a file. As there is not a lot of room on the router for the file, it needs to be stored elsewhere. This is done by connecting the router and a Windows PC with an Ethernet cable and by mounting a shared Windows directory on the router. No extra software is required on the Windows PC. On the wifi router the CIFS driver is used to mount the directory. The file Kismet creates in the shared directory can then be analyzed using Wireshark for Windows. The picture on the left shows how Wireshark decodes an 802.11 beacon frame recorded by Kismet.
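To make the last step concrete, here is an added example (not code from the original post, nor from Kismet or Wireshark) that decodes beacon frames from such a dump the way Wireshark's 802.11 dissector does: pcap header, 802.11 MAC header, the beacon's fixed fields and its tagged parameters (SSID, supported rates, channel). It assumes the dump is classic little-endian pcap with link type 105, i.e. raw 802.11 frames without a radio header and without a trailing FCS; a Kismet build that prepends a Prism or radiotap header writes a different link type, and that header would have to be skipped first. The capture at the bottom is constructed for the example, with a made-up BSSID and SSID.

```python
"""Decode 802.11 beacon frames from a pcap dump.

Added example, not code from the original post or from Kismet/Wireshark.
Assumes classic little-endian pcap with link type 105 (LINKTYPE_IEEE802_11:
raw 802.11 MAC frames, no radio header, no trailing FCS)."""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_IEEE802_11 = 105
FC_TYPE_MGMT, FC_SUBTYPE_BEACON = 0, 8      # frame control: management / beacon
CAP_ESS, CAP_PRIVACY = 0x0001, 0x0010       # Capability Information bits
EID_SSID, EID_SUPPORTED_RATES, EID_DS_PARAMS = 0, 1, 3   # tagged parameter IDs


def mac(raw):
    return ":".join("%02x" % b for b in raw)


def parse_tagged_params(data):
    """Walk the (id, length, value) elements after the fixed fields. A truncated
    element is flagged rather than raising: a sniffer regularly sees damaged frames."""
    elements, off = {}, 0
    while off + 2 <= len(data):
        eid, elen = data[off], data[off + 1]
        off += 2
        if off + elen > len(data):
            elements["truncated"] = True
            break
        value = data[off:off + elen]
        off += elen
        if eid == EID_SSID:
            elements["ssid"] = value.decode("utf-8", errors="replace")
        elif eid == EID_SUPPORTED_RATES:
            # low 7 bits: rate in 500 kbit/s units; high bit marks a basic rate
            elements["rates_mbps"] = [(b & 0x7F) / 2 for b in value]
        elif eid == EID_DS_PARAMS and elen == 1:
            elements["channel"] = value[0]
    return elements


def parse_beacon(frame):
    """Return a dict describing the beacon, or None if the frame is not one."""
    if len(frame) < 36:            # 24-byte MAC header + 12 bytes of fixed fields
        return None
    fc = frame[0]
    if ((fc >> 2) & 0x3) != FC_TYPE_MGMT or ((fc >> 4) & 0xF) != FC_SUBTYPE_BEACON:
        return None
    seq_ctrl, = struct.unpack_from("<H", frame, 22)
    timestamp, interval, capability = struct.unpack_from("<QHH", frame, 24)
    info = {
        "da": mac(frame[4:10]), "sa": mac(frame[10:16]), "bssid": mac(frame[16:22]),
        "seq": seq_ctrl >> 4,
        "timestamp": timestamp,
        "beacon_interval_tu": interval,   # 1 TU = 1024 microseconds
        "ess": bool(capability & CAP_ESS),
        "privacy": bool(capability & CAP_PRIVACY),
    }
    info.update(parse_tagged_params(frame[36:]))
    return info


def parse_pcap(blob):
    """Yield (timestamp_seconds, frame_bytes) for each record in the dump."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian pcap file")
    if linktype != LINKTYPE_IEEE802_11:
        # A capture taken on the Windows side shows up as link type 1 (Ethernet):
        # its pseudo-Ethernet frames carry no 802.11 headers to decode.
        raise ValueError("link type %d is not raw 802.11" % linktype)
    off = 24
    while off + 16 <= len(blob):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", blob, off)
        off += 16
        yield ts_sec, blob[off:off + incl_len]
        off += incl_len


def beacons_from_pcap(blob):
    """All beacons in the dump, decoded; non-beacon frames are skipped."""
    return [b for b in (parse_beacon(f) for _, f in parse_pcap(blob)) if b is not None]


def build_sample_pcap():
    """Constructed sample dump: one beacon from a made-up AP
    (hypothetical BSSID 00:11:22:33:44:55, SSID 'testnet', channel 6)."""
    beacon = bytes([
        0x80, 0x00,                           # frame control: management / beacon
        0x00, 0x00,                           # duration
        0xff, 0xff, 0xff, 0xff, 0xff, 0xff,   # address 1: broadcast destination
        0x00, 0x11, 0x22, 0x33, 0x44, 0x55,   # address 2: source
        0x00, 0x11, 0x22, 0x33, 0x44, 0x55,   # address 3: BSSID
        0x10, 0x00,                           # sequence control: seq 1, fragment 0
    ])
    beacon += struct.pack("<QHH", 0x12345678, 100, 0x0411)   # timestamp, interval, ESS+privacy
    beacon += bytes([EID_SSID, 7]) + b"testnet"
    beacon += bytes([EID_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])  # 1, 2, 5.5, 11 Mbps
    beacon += bytes([EID_DS_PARAMS, 1, 6])
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    record = struct.pack("<IIII", 1200000000, 0, len(beacon), len(beacon))
    return header + record + beacon


if __name__ == "__main__":
    for beacon in beacons_from_pcap(build_sample_pcap()):
        print(beacon)
```

Point `parse_pcap` at a real Kismet dump (`open(path, "rb").read()`) and the same functions apply; the link-type check is the quick way to tell a raw 802.11 capture from a pseudo-Ethernet one taken on the Windows PC, which is exactly the difference this setup exists to get around.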
Part 2 of this series will pick up at this point and explain which wifi routers are suitable for this project, how the software is installed, how the Windows directory is mounted on the router and how to get started with the router.
Thanks to the new native WiFi (NWF) driver model in Windows Vista, tracing has become *much* more capable. Anyone can write a sniffer, without the need for a custom miniport driver, by leveraging the public NWF APIs. Take a look at MSDN: http://msdn2.microsoft.com/en-gb/library/ms706556.aspx.