要用wireshark抓802.11的包 需要在linux下進行。
要在linux下抓802.11的包 需要在linux下安裝無線網卡驅動。
所以 在正式抓取之前先把這兩樣東西搞起來。
*沒有特殊說明,均使用root權限 sudo su*
一 安裝無線網卡驅動
無線網卡:DWA-160 USB無線網卡
DWA-160_B2_DPO_RT5572_LinuxSTA_2.6.1.3_20121022.tar.bz2 解壓=>
DWA-160_B2_DPO_RT5572_LinuxSTA_2.6.1.3_20121022文件夾
安裝步驟:
在DWA-160_B2_DPO_RT5572_LinuxSTA_2.6.1.3_20121022文件夾下執行以下命令:
# make
# make install
# cp RT2870STA.dat /etc/Wireless/RT2870STA/RT2870STA.dat
# cd ./os/linux
# insmod rt5572sta.ko
不出意外,到這里就可以連接到wifi了
二 安裝wireshark
wireshark的安裝非常簡單
# apt-get install wireshark
就可以了。
三 使用wireshark抓802.11封包
• 需要注意的是
因為工作的緣故,需要去監聽無線網路的封包,特別是IEEE802.11的管理控制訊框(frame ... 其實我還是比較喜歡直接叫作封包)。同事直接打開 wireshark 卻擷取 wifi 介面,卻發現聽到了一堆 ethernet 的訊框而聽不到 wifi 的訊框。為什麼呢?來看看 wireshark 的官網怎麼說:
If you're trying to capture network traffic that's not being sent to or from the machine running Wireshark or TShark, i.e. traffic between two or more other machines on an Ethernet segment, or are interested in 802.11 management or control packets, or are interested in radio-layer information about packets, you will probably have to capture in "monitor mode". This is discussed below.
Without any interaction, capturing on WLAN's may capture only user data packets with "fake" Ethernet headers. In this case, you won't see any 802.11 management or control packets at all, and the 802.11 packet headers are"translated" by the network driver to "fake" Ethernet packet headers.
答案揭曉,原來這是因為 wifi driver 會自動把 wireless frame 轉成 ethernet frame 後再給 kernel,這樣 kernel 裏面的 protocol stack 會比較好處理。
問題是,如果我想要聽到 wifi frame 的話,要怎麼做呢?答案很簡單,將 wifi adapter 設成 monitor mode。在 wifi adapter 中,通常都有 SSID/ESSID filter,所以就算把 wifi adapter 設定成為 promiscuous mode 也沒有用,因為還是無法收到非自己加入的 SSID 的 frame。那 monitor mode 呢?我們可以看看下面這句話:
In monitor mode the SSID filter mentioned above is disabled and all packets of all SSID's from the currently selected channel are captured.
最後的問題就是,如何在 Linux 裏面把無線網卡設定成 monitor mode了。步驟如下:
1. iw dev wlan0 interface add mon0 type monitor
2. ifconfig mon0 up
接下來就可以透過 mon0 這虛擬介面來聽封包了。要移除這介面的方法也很簡單:
1. iw dev mon0 interface del
所以要做完上述設定之后再打開wireshark
# wireshark
四 打開wireshark出現的異常解決
錯誤如下:
直接運行wireshark的話會報錯:
Lua: Error during loading:
[string "/usr/share/wireshark/init.lua"]:45: dofile has been disabled
解決方案:修改init.lua要對其進行修改,終端運行
sudo gedit /usr/share/wireshark/init.lua
倒數第二行原來為:
dofile(DATA_DIR.."console.lua")
改為:
--dofile(DATA_DIR.."console.lua")
五 對抓到的802.11包進行過濾
在Expression下Field name為
"802.11 MGT - IEEE 802.11 wireless LAN management frame"
"802.11 Radiotap - IEEE 802.11 Radiotap Capture header"
"IEEE 802.11 - IEEE 802.11 wireless LAN"
"IEEE 802.11 Aggregate Data - IEEE 802.11 wireless LAN aggregate frame"
"WLANCERTEXTN - Wlan Certificate Extention"
"Wi-Fi P2P - WiFi Peer-to-Peer"
"WiMax (wmx) - WiMax protocol"
...
中進行查找所需條件
下面列出一些比較常用的條件表達式
wlan.da - Destination address (Destination Hardware Address)
wlan.sa - Source address (Source Hardware Address)
wlan.addr - Source or Destination address (Source or Destination Hardware Address)
wlan.ra - Recevier address (Receiving Station Hardware Address)
wlan.ta - Transmitter address (Transmitting Hardware Address)
wlan.bssid - BSS id (Basic Service Set ID)
wlan_mgt.ssid - SSID (Indicates the identity of an ESS or IBSS)
wlan.fc.type_subtype - Type/Subtype (Type and subtype combined (first type: type, second type:subtype))
六 簡單的802.11封包分析
至此 就可以自如的進行抓包了
下面是一些簡單的分析
至於高級一點的包的分析,等我學會了再回來寫