Transcription

ethereal ch06.qxd 11/8/06 5:07 PM Page 1

Chapter 6
Wireless Sniffing with Wireshark

Solutions in this chapter:

- Techniques for Effective Wireless Sniffing
- Understanding Wireless Card Operating Modes
- Configuring Linux for Wireless Sniffing
- Configuring Windows for Wireless Sniffing
- Using Wireless Protocol Dissectors
- Useful Wireless Display Filters
- Leveraging Wireshark Wireless Analysis Features
- Summary
- Solutions Fast Track
- Frequently Asked Questions

Introduction

Wireless networking is a complex field. With countless standards, protocols, and implementations, it is not uncommon for administrators to encounter configuration issues that require sophisticated troubleshooting and analysis mechanisms. Fortunately, Wireshark has sophisticated wireless protocol analysis support to help administrators troubleshoot wireless networks. With the appropriate driver support, Wireshark can capture traffic "from the air" and decode it into a format that helps administrators track down issues that are causing poor performance, intermittent connectivity, and other common problems.

Wireshark is also a powerful wireless security analysis tool. Using Wireshark's display filtering and protocol decoders, you can easily sift through large amounts of wireless traffic to identify security vulnerabilities in the wireless network, including weak encryption or authentication mechanisms, and information disclosure risks. You can also perform intrusion detection analysis to identify common attacks against wireless networks while performing signal strength analysis to identify the location of a station or access point (AP).

This chapter introduces the unique challenges and recommendations for traffic sniffing on wireless networks. We examine the different operating modes supported by wireless cards, and configure Linux and Windows systems to support wireless traffic capture and analysis using Wireshark and third-party tools. Once you have mastered the task of capturing wireless traffic, you will learn how to leverage Wireshark's powerful wireless analysis features, and learn how to apply your new skills.

Challenges of Sniffing Wireless

Traditional network sniffing on an Ethernet network is fairly easy to set up.
In a shared environment, an analysis workstation running Wireshark starts a new packet capture, which configures the card in promiscuous mode and waits until the desired amount of traffic has been captured. In a switched environment, you need to configure a span port that mirrors the traffic sent to other stations, before initiating the packet capture.

In both of these cases, it is easy to initiate a packet capture and start collecting traffic for analysis. When you switch to wireless analysis, however, the process of traffic sniffing becomes more complicated and requires additional decisions up front to best support the analysis you want to perform.

Selecting a Static Channel

Where a wired network offers a single medium mechanism for packet capture (i.e., the wire), wireless networks can operate on multiple wireless channels using different frequencies in the same location. A table of wireless channel numbers and the corresponding frequencies is listed in Table 6.1. Even if two wireless users are sitting side-by-side, their computers may be operating on different wireless channels.

www.syngress.com

Table 6.1 Wireless Frequencies and Channels (columns: Frequency, Channel Number; the table body did not survive transcription)

If you want to analyze the traffic for a specific wireless AP or station, you must identify the channel or frequency used by the target device, and configure your wireless card to use the same channel before initiating your packet capture. This is because wireless cards can only operate on a single frequency at any given time. If you wanted to capture traffic from multiple channels simultaneously, you would need an additional wireless card for every channel you wanted to monitor.

Using Channel Hopping

If you want to capture traffic for a specific station, how do you locate the channel number that it is operating on? One technique is to use channel hopping to rapidly scan through all available wireless channels until the appropriate channel number is identified. With channel hopping, the wireless card is still only operating on a single frequency at any given time, but is rapidly switching between different channels, thus allowing Wireshark to capture any traffic that is present on the current channel.

Fortunately, Wireshark operates independently of the current channel selection; therefore, it is not necessary to stop and restart the packet capture before each

channel hop. Change to the desired channel while Wireshark is running and Wireshark will continue to collect traffic.

Unfortunately, you cannot rely on channel hopping for all of your wireless traffic sniffing needs. Channel hopping will cause you to lose traffic, because you are rapidly switching channels. If your wireless card is configured to operate on channel 11 and you hop to another channel, you will not be able to "hear" any traffic that is occurring on channel 11 until you return as part of the channel-hopping pattern. As a result, channel hopping is not a useful technique for analyzing traffic for a specific AP or station, but it can be useful to identify the channel the network is operating on, which can then be used to set a static channel assignment.

Range in Wireless Networks

Another unique characteristic of wireless sniffing is the range between the capture station and the transmitting device(s). When capturing wireless traffic, the range between the capture station and the transmitter is significant, and must be accounted for to provide the most reliable traffic collection.

If the capture station is too far away from one or more transmitters, it is unable to "hear" the wireless traffic. If the capture station is too close to another transmitting station, the radio interface may become overwhelmed with too much signal, thus resulting in corrupted traffic. Placing the station near the transmitter, but no closer than 3 feet, is the most desirable location for achieving optimal traffic capture. You can achieve satisfactory results for a wireless packet capture from further away, but you will lose traffic from the capture if there is a significant distance between the capture station and the transmitter(s).

Interference and Collisions

Another challenge of sniffing wireless networks is the risk of interference and lost packets.
Unlike an Ethernet network that can transmit and monitor the network simultaneously, wireless cards can only receive or transmit asynchronously. As a result, wireless networks must take special precautions to prevent multiple stations from transmitting at the same time. While these collision-avoidance mechanisms work well, it is still possible to experience collisions between multiple transmitters on the same channel, or to experience collisions with wireless local area networks (LANs) and other devices using the same frequency (e.g., cordless phones, baby monitors, microwave ovens, and so on).

When two devices transmit simultaneously within range of the sniffing station, the transmission becomes corrupted and is rejected by the receiver as an invalid packet. After waiting random back-off intervals, the two stations repeat their transmission, thus indicating they are attempting to transmit the same information again. This is normal activity in a wireless LAN, but presents a challenge to the sniffing station.

When capturing traffic on a wireless network, there is no guarantee that you captured 100 percent of the traffic. Some traffic may have become corrupted in transit. In other cases, your capture station may be positioned such that it receives valid frames before they become corrupt en route to the destination host. This forces the transmitting station to re-transmit the corrupted packets, which causes the capture station to have multiple copies of the same packet in the capture.

Recommendations for Sniffing Wireless

Now that you understand some of the limitations and challenges in sniffing wireless networks, you can apply some recommendations to achieve the best fidelity in wireless packet captures:

- Locate the Capture Station Near the Source: When initiating a packet capture, locate the capture station close to the source of the wireless activity you are interested in (i.e., an AP or a wireless station).

- Disable Other Nearby Transmitters: If you are using an external wireless card (e.g., a Personal Computer Emulator Card [PC Card]) for sniffing traffic, and you have a built-in card in your laptop, it is common to experience lost traffic on the sniffing card due to interference from the built-in card. To eliminate this factor and achieve a more accurate packet capture, disable any built-in wireless transmitters on the capture station during the packet capture, including Institute of Electrical & Electronics Engineers (IEEE) 802.11 interfaces and Bluetooth devices.
- Reduce CPU Utilization While Capturing: If your host experiences excessive central processing unit (CPU) utilization during a packet capture, you may experience packet loss in the wireless capture (e.g., it is not a good idea to burn a DVD while capturing wireless traffic). To prevent packet loss, try to reduce your CPU utilization when capturing traffic with any sniffer software.

- Match Channel Selection: If you take a comprehensive packet capture of a wireless network, make sure your wireless card is sniffing on the same channel as the target network. If you are channel hopping during a packet capture, you will inevitably lose traffic from your target network. Only use channel hopping to discover the available networks; focus your capture on a single channel. Note that while you may capture some traffic from a nearby channel (e.g., you see traffic from channels 1 and 6 when listening on channel 3), the captured traffic will be sporadic and incomplete.

- Match Modulation Type: With the progression of different IEEE 802.11 Physical layer standards, different modulation mechanisms have been developed to accommodate faster data rates. Ensure the modulation mechanism supported by your wireless card matches the network you are targeting. For example, an IEEE 802.11b wireless card sniffing an IEEE 802.11g network will capture some backward-compatible modulated traffic, but may miss other traffic modulated for an 802.11g network. If in doubt, ensure the card you are using for traffic capture supports all the standard modulation mechanisms. Currently, this includes an IEEE 802.11a/b/g card, but will also include IEEE 802.11n cards with MIMO (multiple input, multiple output) technology in the future.

Understanding Wireless Card Modes

Before we start wireless sniffing using Wireshark, it is helpful to understand the different operating modes supported by wireless cards. Most wireless users only use their wireless cards as a station to an AP. In managed mode, the wireless card and driver software rely on a local AP to provide connectivity to the wireless network.

Another common mode for wireless cards is ad-hoc mode (or Independent Basic Service Set [IBSS] mode). Two wireless stations that want to communicate with each other directly can do so by sharing the responsibilities of an AP for a limited subset of wireless LAN services. Ad-hoc mode is used for short-term connectivity between stations, when an AP is not available to provide connectivity.

Many wireless cards also support master mode, where the wireless card provides the services of an AP when paired with the appropriate software.
Master mode allows you to configure your laptop or desktop system as an AP for providing connectivity to other wireless stations.

Finally, wireless cards support monitor mode functionality. When configured in monitor mode, the wireless card stops transmitting data and sniffs the currently configured channel, reporting the contents of any observed packets to the host operating system. This is the most useful mode of operation for analysis when using Wireshark, because a wireless card configured in monitor mode reports the entire contents of wireless packets, including header information and the encrypted or unencrypted data contents. When in monitor mode, the wireless card and driver report the wireless frames "as-is," giving the most accurate view of the wireless activity for the selected channel.

In order to analyze a wireless network effectively using Wireshark, you need to configure your wireless card to operate in monitor mode on the appropriate channel, and then start a packet capture. Unfortunately, this is easier said than done. Because the majority of wireless card users use their wireless cards in managed or ad-hoc mode, wireless driver developers may not include support for monitor mode access. In the case of Linux, many drivers support monitor mode. Those Linux drivers that do not natively support monitor mode are often "patched" by other interested users or developers in order to access monitor mode functionality. In the case of Windows, however, drivers are closed-source, which prevents anyone except the driver developer from supplying monitor mode functionality. Some commercial options do exist for Windows that allow you to leverage the monitor mode support in your wireless card with custom driver software.

Next, we examine the steps necessary to configure your wireless card to support monitor mode access on Linux and Windows systems.

Getting Support for Monitor Mode - Linux

In order to begin sniffing wireless traffic with Wireshark, your wireless card must be in monitor mode. Wireshark does not do this automatically; you have to manually configure your wireless card before starting your packet capture. However, the commands you need in order to configure the card in monitor mode can differ based on the type of wireless card and driver that you are using. This section discusses how to complete this step based on the most common wireless card and driver combinations for Linux.

TIP

Determining the type of wireless card you have isn't always easy. While there are only a handful of manufacturers that make the wireless chipset hardware, multiple vendors re-brand the cards, thus making it difficult to identify what the actual chipset is.
One resource for identifying the chipset from the card manufacturer is available at www.linux-wless.passys.nl. If your specific card isn't listed here, you can search using Google with the card name and the keyword "chipset" (e.g., WPC55AG chipset).

Linux Wireless Extensions Compatible Drivers

Most wireless drivers for Linux systems use the Linux Wireless Extensions interface, thus providing a consistent configuration interface for manipulating the wireless card. First, let's identify the wireless driver interface name by running the wireless card configuration utility iwconfig with no parameters:

    $ iwconfig
    eth0      no wireless extensions.

    lo        no wireless extensions.

    eth1      IEEE 802.11b  ESSID:"Beacon Wi-Fi Network"
              Mode:Managed  Frequency:2.462 GHz  Access Point: 00:02:2D:8B:70:2E
              Bit Rate:11 Mb/s   Sensitivity 8/0
              Retry limit:7   RTS thr:off   Fragment thr:off
              Tx-Power 20 dBm   Power Management:off
              Link Quality 50/100  Signal level -71 dBm  Noise level -86 dBm
              Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
              Tx excessive retries:0  Invalid misc:286   Missed beacon:5

NOTE

It is recommended that users take advantage of the Linux 2.6 kernel whenever possible. Most Linux distributions install their wireless tools packages for iwconfig and iwpriv by default; you will need to install these tools manually if they are not included with your default distribution. Use the package management utilities that come with your Linux distribution to search for packages with the name "wireless-tools" to identify installation options. Information specific to older Debian, SuSE, RedHat, and Mandrake distributions is available at www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/DISTRIBUTIONS.txt.

From this output, we determine that interfaces eth0 and lo do not support Linux Wireless Extensions; however, interface eth1 does support wireless extensions. From the output, we can see that the card is currently in managed mode and is associated with an IEEE 802.11b network with the Service Set Identifier (SSID) "Beacon Wi-Fi Network" at 2.462 GHz (channel 11).

Since we want to use this wireless interface for wireless traffic sniffing, we need to place the card in monitor mode. In order to make changes to the wireless card configuration, we need to be the root user. Become the root user by running the su command and supplying the root user password:

    $ su
    Password: <enter root password>
    #

After becoming the root user, you can use the iwconfig utility to configure the card for monitor mode, by specifying the interface name followed by mode monitor:

    # iwconfig eth1 mode monitor

After placing the card in monitor mode, run the iwconfig utility with the interface name as the only command-line argument, to verify the configuration change:

    # iwconfig eth1
    eth1      unassociated  ESSID:off/any
              Mode:Monitor  Channel:0  Access Point: 00:00:00:00:00:00
              Bit Rate:0 kb/s   Sensitivity 8/0
              Retry limit:7   RTS thr:off   Fragment thr:off
              Encryption key:off
              Tx-Power 20 dBm   Power Management:off
              Link Quality:0  Signal level:0  Noise level:0
              Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
              Tx excessive retries:0  Invalid misc:7007   Missed beacon:0

In this output, we see that the mode has changed from managed to monitor. At this point, the wireless card is operating in monitor mode. Next, we need to make sure the interface is in the "up" state with the ifconfig utility, again using the interface name as the only command-line parameter:

    # ifconfig eth1
    eth1      Link encap:UNSPEC  HWaddr 00-13-CE-55-B5-EC-BC-A9-00-00-00-00-00-00
              BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:18176 errors:0 dropped:18462 overruns:0 frame:0
              TX packets:123 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
              Interrupt:11 Base address:0x4000 Memory:a8401000-a8401fff

The first indented line of text following the interface name and hardware address (HWaddr) reports the operating flags for the interface. In this example, the interface is configured to accept broadcast and multicast traffic. The interface is not currently in the up state, due to the lack of the UP keyword. Modify the interface configuration by placing the interface in the up state, then examine the interface configuration properties as shown below:

    # ifconfig eth1 up
    # ifconfig eth1
    eth1      Link encap:UNSPEC  HWaddr 00-13-CE-55-B5-EC-3C-4D-00-00-00-00-00-00
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:34604 errors:0 dropped:34583 overruns:0 frame:0
              TX packets:232 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:18150 (17.7 Kb)  TX bytes:0 (0.0 b)
              Interrupt:11 Base address:0x4000 Memory:a8401000-a8401fff

In this output we see that the interface is now in the up state and is ready to begin sniffing wireless traffic.

NOTE

Unlike the iwconfig tool, ifconfig does not understand the properties of an interface that is in monitor mode. When associated to a wireless network, the interface appears as a standard Ethernet interface; however, while in monitor mode, it appears as an unknown or unspecified link encapsulation mechanism. As a result, ifconfig displays a default of 16 bytes to represent the Media Access Control (MAC) address of the unspecified interface encapsulation (denoted with the string UNSPEC). In what appears to be a bug in the ifconfig tool, 8 bytes are printed to represent the MAC address, followed by 8 NULL bytes. The first 6 bytes represent the actual MAC address of the wireless card, followed by 2 bytes of uninitialized memory.

MADWIFI 0.9.1 Driver Configuration

The Multiband Atheros Driver for WiFi (MADWIFI) supports wireless cards based on the popular Atheros chipsets supporting IEEE 802.11a, IEEE 802.11b, and IEEE 802.11g wireless networks. While this driver supports monitor mode access, it does not support the configuration of monitor mode access using the iwconfig utility. Instead, the MADWIFI developers include a custom tool for configuring wireless card properties called the wlanconfig utility.

The MADWIFI drivers are unique in that they support multiple interfaces on the same wireless card, known as Virtual Access Points (VAPs). Each VAP appears as its own interface name, with a single default VAP configured in managed mode. In order to create an interface in monitor mode, however, we need to remove all VAPs on the local system with the wlanconfig utility. First, examine the list of wireless devices on the system using the iwconfig utility with no command-line arguments:

    # iwconfig
    wifi0     no wireless extensions.

    ath0      IEEE 802.11b  ESSID:""
              Mode:Managed  Channel:0  Access Point: 00:00:00:00:00:00
              Bit Rate:0 kb/s   Tx-Power:0 dBm   Sensitivity 0/3
              Retry:off   RTS thr:off   Fragment thr:off
              Encryption key:off
              Power Management:off
              Link Quality 0/94  Signal level -95 dBm  Noise level -95 dBm
              Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
              Tx excessive retries:0  Invalid misc:0   Missed beacon:0

NOTE

The MADWIFI drivers use a "master" interface with the naming convention wifiX, where X is 0 for the first wireless card, 1 for the second wireless card, and so on. The master interface is used to create one or more virtual interfaces with the wlanconfig utility. In most cases, you will only refer to the master interface when creating or destroying virtual interfaces. You will use the virtual interface for all other tasks, including sniffing wireless traffic with Wireshark, or accessing a wireless network as a station.

From this output we can see two interfaces: wifi0, which does not support wireless extensions, and ath0, which does. The ath0 interface is named for the Atheros wireless chipset (ath) and is created by default in managed mode.
In order to configure an interface in monitor mode, we must delete or "destroy" this interface using the wlanconfig utility:

    # wlanconfig ath0 destroy
    # iwconfig
    wifi0     no wireless extensions.

From the output of the iwconfig utility, we see that the ath0 interface is no longer present. Next, we re-create the ath0 interface with the wlanconfig utility, this time indicating that the interface should be created in monitor mode, referencing the wifi0 interface as the master interface:

    # wlanconfig ath0 create wlandev wifi0 wlanmode monitor
    ath0
    # iwconfig
    wifi0     no wireless extensions.

    ath0      IEEE 802.11b  ESSID:""
              Mode:Monitor  Channel:0  Access Point: 00:00:00:00:00:00
              Bit Rate:0 kb/s   Tx-Power:0 dBm   Sensitivity 0/3
              Retry:off   RTS thr:off   Fragment thr:off
              Encryption key:off
              Power Management:off
              Link Quality 0/94  Signal level -95 dBm  Noise level -95 dBm
              Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
              Tx excessive retries:0  Invalid misc:0   Missed beacon:0

Next, we must ensure the ath0 interface is in the up state using the ifconfig utility, as shown below:

    # ifconfig ath0 up
    # ifconfig ath0
    ath0      Link encap:UNSPEC  HWaddr 00-20-A6-4F-01-40-BC-9D-00-00-00-00-00-00
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

From the output of the ifconfig utility we see that the interface is now in the up state and is ready to start sniffing wireless traffic.
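Whether the card is a wireless-extensions interface or a MADWIFI VAP, the two conditions the chapter checks before capturing are the same: iwconfig must report Mode:Monitor and ifconfig must show the UP flag. The following Python script is an added example (not part of the chapter, and not a Wireshark or MADWIFI tool) that automates that check over saved iwconfig and ifconfig output, and also converts between channel numbers and the frequencies iwconfig reports (the relationship behind Table 6.1: 2407 + 5 x channel MHz for channels 1 to 13, 2484 MHz for channel 14, and 5000 + 5 x channel MHz in the 5 GHz band). The sample outputs are constructed from the values shown above; all function names are the example's own.

```python
import re

# Constructed sample outputs in the layout the real tools print, using the
# values shown in the chapter (not captured from a live system).
IWCONFIG_MANAGED = """\
eth0      no wireless extensions.

eth1      IEEE 802.11b  ESSID:"Beacon Wi-Fi Network"
          Mode:Managed  Frequency:2.462 GHz  Access Point: 00:02:2D:8B:70:2E
"""
IWCONFIG_MONITOR = """\
eth1      unassociated  ESSID:off/any
          Mode:Monitor  Channel:0  Access Point: 00:00:00:00:00:00
"""
IFCONFIG_DOWN = """\
eth1      Link encap:UNSPEC  HWaddr 00-13-CE-55-B5-EC-BC-A9-00-00-00-00-00-00
          BROADCAST MULTICAST  MTU:1500  Metric:1
"""
IFCONFIG_UP = """\
eth1      Link encap:UNSPEC  HWaddr 00-13-CE-55-B5-EC-3C-4D-00-00-00-00-00-00
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
"""

# A new interface block starts wherever a line begins in column 0.
_IFACE_SPLIT = re.compile(r"\n(?=\S)")


def channel_to_mhz(ch):
    """Centre frequency (MHz) of a 2.4 GHz (1-14) or 5 GHz (36-165) channel."""
    if 1 <= ch <= 13:
        return 2407 + 5 * ch
    if ch == 14:
        return 2484          # channel 14 sits off the 5 MHz grid
    if 36 <= ch <= 165:
        return 5000 + 5 * ch
    raise ValueError(f"unknown channel {ch}")


def mhz_to_channel(mhz):
    """Inverse of channel_to_mhz: 2462 MHz, as iwconfig reports it, is channel 11."""
    if mhz == 2484:
        return 14
    if 2412 <= mhz <= 2472 and (mhz - 2407) % 5 == 0:
        return (mhz - 2407) // 5
    if 5180 <= mhz <= 5825 and mhz % 5 == 0:
        return (mhz - 5000) // 5
    raise ValueError(f"no IEEE 802.11 channel at {mhz} MHz")


def parse_iwconfig(text):
    """Map name -> None (no wireless extensions) or {mode, essid, channel}."""
    ifaces = {}
    for block in _IFACE_SPLIT.split(text.strip()):
        name, _, rest = block.partition(" ")
        if "no wireless extensions" in rest:
            ifaces[name] = None
            continue
        info = {"mode": None, "essid": None, "channel": None}
        m = re.search(r"Mode:(\w+)", rest)
        if m:
            info["mode"] = m.group(1)
        m = re.search(r'ESSID:(?:"([^"]*)"|(\S+))', rest)
        if m:
            info["essid"] = m.group(1) if m.group(1) is not None else m.group(2)
        m = re.search(r"Frequency:([\d.]+) GHz", rest)   # managed cards report GHz
        if m:
            info["channel"] = mhz_to_channel(int(round(float(m.group(1)) * 1000)))
        m = re.search(r"Channel:?\s*(\d+)", rest)         # monitor mode reports Channel
        if m:
            info["channel"] = int(m.group(1))
        ifaces[name] = info
    return ifaces


def interface_flags(text, iface):
    """Return the ifconfig flag set (UP, BROADCAST, ...) printed before MTU:."""
    for block in _IFACE_SPLIT.split(text.strip()):
        if block.split()[0] == iface:
            m = re.search(r"^\s+((?:[A-Z]+\s+)+)MTU:", block, re.M)
            return set(m.group(1).split()) if m else set()
    return set()


def monitor_ready(iwconfig_text, ifconfig_text, iface):
    """Reasons the interface is not yet capture-ready; [] means Monitor and UP."""
    problems = []
    info = parse_iwconfig(iwconfig_text).get(iface)
    if info is None:
        problems.append(f"{iface} has no wireless extensions")
    elif info["mode"] != "Monitor":
        problems.append(f"{iface} is in {info['mode']} mode, not Monitor")
    if "UP" not in interface_flags(ifconfig_text, iface):
        problems.append(f"{iface} is not UP (run: ifconfig {iface} up)")
    return problems
```

Feed it the real output of `iwconfig` and `ifconfig <iface>` from your own system in place of the constructed strings; an empty list from monitor_ready() means the card is in the state the chapter requires before starting Wireshark.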

Capturing Wireless Traffic - Linux

Once your wireless card in Linux has been placed in monitor mode, you are ready to start capturing wireless traffic. Recall that wireless cards can only capture traffic on a single channel at any given time. If you know the wireless channel you want to capture traffic on, configure your wireless card to listen on that channel using the iwconfig utility:

    # iwconfig ath0 channel 1
    # iwconfig ath0

Replace ath0 with the name of your wireless interface, and the number 1 with the channel number you want to capture traffic on. As seen from the output of the iwconfig command, the card is currently configured to listen on 2.412 Gigahertz (GHz) (channel 1).

If you don't know the target channel number you want to use to capture traffic, you can configure your wireless card to perform channel hopping. Unfortunately, Linux doesn't come with a built-in tool for channel hopping; however, you can configure channel hopping manually with a short shell script. Enter the text found in Code 6.1 into a short shell script using your favorite text editor. Line numbers have been added for clarity; do not enter the line numbers when creating this script.

Code 6.1 Channel Hopping Shell Script

    1.  #!/bin/bash
    2.  IFACE=ath0
    3.  IEEE80211bg="1 2 3 4 5 6 7 8 9 10 11"
    4.  IEEE80211bg_intl="$IEEE80211bg 12 13 14"
    5.  IEEE80211a="36 40 44 48 52 56 60 64 149 153 157 161"
    6.  IEEE80211bga="$IEEE80211bg $IEEE80211a"
    7.  IEEE80211bga_intl="$IEEE80211bg_intl $IEEE80211a"
    8.
    9.  while true ; do
    10.   for CHAN in $IEEE80211bg ; do
    11.     echo "Switching to channel $CHAN"
    12.     iwconfig $IFACE channel $CHAN
    13.     sleep 1
    14.   done
    15. done

After saving the shell script, change the permissions on the file to make it an executable program:

    # chmod 755 chanhop.sh

Change the interface name ath0 on line 2 to reflect the name of your wireless interface. Also, change the channel list variable $IEEE80211bg on line 10 to reflect the channels that are supported by your wireless card (for example, $IEEE80211bga for an IEEE 802.11a/b/g card). To start the channel-hopping script, run the shell script from the directory where it was created:

    # ./chanhop.sh
    Switching to channel 1
    Switching to channel 2

When you want to stop the channel-hopping script, press Ctrl+C.

NOTE

If creating shell scripts for channel hopping isn't appealing, you can download a more sophisticated copy of this script from the Wireshark web site wiki at [link not preserved in this transcription].

Initiating a Packet Capture - Linux

Whether you have specified a single channel for capturing wireless traffic or are currently channel hopping, the process for capturing wireless traffic on Linux remains the same. Start Wireshark by running the wireshark executable with no command-line arguments as the root user, and initiate a new packet capture by selecting Capture | Options. This opens the "Wireshark Capture Options" dialog box (see Figure 6.1).

Choose the wireless interface that has been placed in monitor mode by selecting it from the drop-down box labeled "Interface:," and then specify the desired capture options. Next, click Start to initiate the packet capture.

At this point, you've configured your system to capture wireless traffic in monitor mode. The next step is to utilize the information contained in the packets you are capturing. Fortunately, Wireshark has sophisticated analysis mechanisms that can be used for wireless traffic analysis. First, though, let's examine the steps for configuring monitor mode support on Windows systems.

Figure 6.1 Wireshark Capture Options Dialog Box - Linux

Getting Support for Monitor Mode - Windows

Unfortunately, Windows drivers for wireless cards do not normally include support for monitor mode access, instead restricting users to operating the card in managed mode. Fortunately, through a combination of commercial and open-source software, we can overcome this limitation to use Windows hosts for wireless traffic analysis with Wireshark.

Introducing AirPcap

In order to overcome the limitations with most wireless drivers for Windows systems, the engineers at CACE Technologies have introduced a commercial product called AirPcap. A combination of a USB IEEE 802.11b/g adapter, supporting driver software, and a client configuration utility, AirPcap provides a simple mechanism to capture wireless traffic in monitor mode on Windows workstations at a reasonable cost. AirPcap is available at www.cacetech.com.

After obtaining the AirPcap CD and Universal Serial Bus (USB) wireless adapter, follow the installation instructions detailed in the AirPcap User's Guide. Ensure you have installed the appropriate version (WinPcap 4.0 beta 1) of WinPcap to support the AirPcap.

NOTE

Unfortunately, at the time of this writing, there are no free software solutions that allow Windows users to capture wireless traffic reliably, and without violating other software license restrictions. If you need to perform wireless traffic analysis with a Windows workstation, Wireshark is an effective tool; however, you would have to purchase a driver and hardware combination that supports monitor mode.

If you want to avoid any costs associated with drivers for monitor mode packet capture, you are encouraged to use a Linux option that bundles monitor mode support with
