About a year ago I figured out how to use a Linksys WRT54 Wifi router and Wireshark for Wifi packet tracing and reported about it here. Now I have found another inexpensive tool for the job, which is equally helpful.
Background: The problem with Wifi packet tracing on Windows is that the wireless card drivers do not report the Wifi-specific headers and also cannot be set into promiscuous mode, which is required to pick up packets from other devices in the network. On Linux, things are a lot easier, as the drivers forward the required information.
I recently bought a Linux-based eeePC for quite different purposes, but have now stumbled over instructions on how to make Wireshark work with it and how to set the Wifi chip into promiscuous mode. I gave it a try today and it works like a charm. I love Wikis!
Here are some additional hints that I unfortunately can't add to the Wiki, as a login is required:
- Starting with Wireshark 0.99.5, WPA decryption is supported with manual key input, which is very helpful for tracing real networks. Note: while I have this version on my Windows PC, the Debian package manager only installed 0.99.4 on the eeePC. As a consequence, I have to postpone WPA decryption until I open the trace file on the Windows PC.
- For the WPA decryption to work (later on, on the Windows PC), the eeePC's network card needs to be set to a network without encryption before promiscuous mode is activated. Otherwise the Wifi chip seems to reuse the previous encryption key and tries to decrypt the packets instead of delivering them unchanged to the higher layers.
I've already made some very interesting discoveries when tracing my N95 in idle mode with the SIP VoIP client active. Lots of power-save, polling and other Wifi management messages go back and forth that can't be seen when tracing only the Ethernet layer. More about that in a future post.
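As an added illustration of the Wifi-layer headers mentioned above (example code, not from the original post), here is a small Python parser for the 802.11 MAC header that classifies frames the way Wireshark's 802.11 dissector does and picks out the power-save ones; the frame bytes and MAC addresses are constructed, and no radiotap header is assumed.

```python
import struct

# Type/subtype names (IEEE 802.11 numbering) for frames a Wifi-layer trace shows.
FRAME_NAMES = {
    (0, 4): "Probe Request", (0, 5): "Probe Response", (0, 8): "Beacon",
    (0, 11): "Authentication", (0, 12): "Deauthentication", (1, 10): "PS-Poll",
    (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK", (2, 0): "Data",
    (2, 4): "Null (no data)", (2, 8): "QoS Data", (2, 12): "QoS Null",
}

def mac(b):
    return ":".join("%02x" % x for x in b)

def parse_80211(raw):
    if len(raw) < 10:
        raise ValueError("frame too short for an 802.11 header")
    fc0, flags = raw[0], raw[1]                 # Frame Control field, little-endian
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    info = {
        "name": FRAME_NAMES.get((ftype, subtype), "type %d subtype %d" % (ftype, subtype)),
        "to_ds": bool(flags & 0x01), "from_ds": bool(flags & 0x02),
        "power_mgmt": bool(flags & 0x10),       # station announces it is going to sleep
        "protected": bool(flags & 0x40),        # body is encrypted (WEP/TKIP/CCMP)
        "addr1": mac(raw[4:10]),
    }
    if ftype == 1:                              # control frames: short header, RA [+ TA]
        if len(raw) >= 16:
            info["addr2"] = mac(raw[10:16])
        if subtype == 10:                       # PS-Poll: Duration/ID field carries the AID
            info["aid"] = struct.unpack_from("<H", raw, 2)[0] & 0x3FFF
    else:                                       # management/data: 3 addresses + sequence control
        if len(raw) < 24:
            raise ValueError("truncated management/data header")
        info["addr2"], info["addr3"] = mac(raw[10:16]), mac(raw[16:22])
        seq = struct.unpack_from("<H", raw, 22)[0]
        info["seq"], info["frag"] = seq >> 4, seq & 0xF
    return info

def power_save_events(frames):
    # Names of the frames that expose a station's sleep/poll cycle; none of them reach Ethernet.
    return [f["name"] for f in map(parse_80211, frames) if f["power_mgmt"] or f["name"] == "PS-Poll"]

# Constructed sample frames with hypothetical addresses, as a monitor-mode capture delivers them.
AP, STA, BCAST = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), b"\xff" * 6
SAMPLE_FRAMES = [
    b"\x80\x00\x00\x00" + BCAST + AP + AP + b"\x10\x00",                  # Beacon, seq 1
    b"\x48\x11\x2c\x00" + AP + STA + AP + b"\x20\x00",                    # Null data, ToDS + PwrMgt
    b"\xa4\x00\x01\xc0" + AP + STA,                                       # PS-Poll, AID 1
    b"\x08\x42\x2c\x00" + STA + AP + bytes(6) + b"\x30\x00" + bytes(16),  # Protected data, FromDS
]
```

Feeding frames from a capture taken in the mode described above through `power_save_events` lists exactly the sleep announcements and polls that an Ethernet-only trace hides.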