From Noah.org
Jump to navigationJump to search

Packet Sniffing WiFi

First, you need a WiFi adapter that support monitor mode. Usually you can tell if monitor mode is supported just by running the first step below. If it fails then you need to find another WiFi adapter.

Step one: Put the adapter into monitor mode

# ifconfig wlan0 down
# iwconfig wlan0 mode monitor
# ifconfig wlan0 up
# iwconfig wlan0
wlan0     IEEE 802.11abg  Mode:Monitor  Frequency:2.412 GHz  Tx-Power=15 dBm   
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Power Management:off

Step two: Start Wireshark... Select the wireless adapter you want to monitor (in this example, wlan0). In the filter you may want to look at just the IP communication between two devices. In this case, I was trying to figure out how my iPod Touch was talking to a digital multimeter that transmits its measurement data over WiFi. Where 00:06:66:13:d4:a9 is the MAC address of the DMM device and 40:d3:2d:e8:7d:45 is the MAC address of my iPod Touch. Note that if you start capturing without a filter and then attempt to use Wireshark's prepare as filter or apply as filter feature it always fails. It creates the initial filter as eth.src == 00:06:66:13:d4:a9, which doesn't match a WiFi frame. I found that matching the wlan.bssid against the MAC address works.

(wlan.bssid == 00:06:66:13:d4:a9  || wlan.bssid == 40:d3:2d:e8:7d:45 ) && ip

Note: you don't need to be in monitor mode to sniff the traffic between your own machine and another device over WiFi. You only need to do this if you want to be setup as a third party sniffing traffic between two other devices.