
Wireless Sniffer - Wireshark

This chapter shows how to capture Wi-Fi traffic on Ubuntu 20.10 with a USB Wi-Fi adapter in monitor mode and Wireshark.

Install Ubuntu

Download Ubuntu 20.10 from the Ubuntu website and install it to a USB drive or a disk.

Check the Linux kernel version; at the time of writing it is 5.8.x:

$ uname -a
Linux ed-ThinkPad-X230 5.8.0-59-generic #66-Ubuntu SMP Thu Jun 17 00:46:01 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Install Wireshark and build tools

Ubuntu's /bin/sh is dash. The first command below replaces it with bash. This step is optional (the scripts in this chapter are plain POSIX sh and run under dash as well), and if you do want bash as /bin/sh the supported way is sudo dpkg-reconfigure dash (answer No), which does not leave the system without a /bin/sh between the rm and the ln.

$ sudo rm -rf /bin/sh && sudo ln -s /bin/bash /bin/sh
$ sudo apt-get update && sudo apt-get upgrade
$ sudo apt-get install -y openssh-server vim net-tools wireshark
$ sudo apt-get install -y build-essential libncurses-dev bison flex libssl-dev libelf-dev
$ sudo apt-get install -y git fakeroot ncurses-dev xz-utils bc libtool
$ sudo apt-get install -y software-properties-common rsync
$ sudo apt-get install -y libncurses5-dev gcc grub2 wget dwarves tree curl

The wireshark package asks whether non-superusers should be able to capture packets. Answer Yes and add your account to the wireshark group (sudo usermod -aG wireshark $USER, then log out and in again); otherwise run Wireshark as root. The remaining packages are the toolchain and libraries needed to build software such as aircrack-ng (next section) from source.

Plug Wi-Fi dongle

Plug in the Wi-Fi dongle and confirm its interface name. lsusb shows the adapter's VID:PID; it is 0e8d:7612 for the MediaTek dongle used here (an MT7612U-based adapter, supported by the in-kernel mt76 driver, so no out-of-tree driver is needed on kernel 5.8).

$ lsusb
Bus 002 Device 003: ID 0e8d:7612 MediaTek Inc.

Its interface name is wlx008e86000266. Ubuntu's predictable naming scheme builds it from the adapter's MAC address, 00:8e:86:00:02:66; the ether address that ifconfig prints is different because NetworkManager randomizes the MAC while the interface is idle and scanning, which does not affect sniffing. ifconfig comes from net-tools; ip link show gives the same information.

$ sudo ifconfig
wlx008e86000266: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 1e:a4:80:77:09:f3  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Scan Wi-Fi Channel

Install aircrack-ng and use airodump-ng to find the AP's channel. Use aircrack-ng 1.6 or newer: its airodump-ng recognises WPA3-SAE (and OWE) networks in the ENC/AUTH columns. If the packaged version is older, build it from git as below; besides the build tools installed above this needs autoconf, automake, pkg-config, libnl-3-dev, libnl-genl-3-dev and libpcap-dev.

$ git clone https://github.com/aircrack-ng/aircrack-ng.git
$ cd aircrack-ng
$ ./autogen.sh
$ ./configure
$ make
$ sudo make install
$ sudo ldconfig

Run airodump-ng. It hops across all channels (the CH counter in the header keeps changing) and lists the networks it hears; here the ESSID AP1 is on channel 13, using WPA2 with CCMP and a pre-shared key. airodump-ng needs the interface in monitor mode; if it complains that the interface is not in monitor mode, enable it as in the next section (or with airmon-ng start wlx008e86000266) and run it again.

$ sudo airodump-ng wlx008e86000266

 CH  8 ][ Elapsed: 12 s ][ 2021-07-05 19:24 ][ Are you sure you want to quit? Press Q again to quit.

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID
 C4:E9:0A:6F:A5:1A  -20       12        0    0  13  270   WPA2 CCMP   PSK  AP1

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes
 C4:E9:0A:2F:03:A2  40:31:3C:D1:BD:C9  -41    0 - 6      0        1

Enable Monitor Mode

  • Use the script below to switch the interface into monitor mode and park it on the AP's channel. It needs iwconfig (sudo apt-get install wireless-tools if it is missing). If NetworkManager keeps turning the interface back into managed mode, release the device first with sudo nmcli device set wlx008e86000266 managed no (or stop the interfering services with airmon-ng check kill).

$ ./set_mon.sh ${INTERFACE_NAME} ${WIFI_CHANNEL}

For AP1 on channel 13:

$ ./set_mon.sh wlx008e86000266 13

#!/bin/sh
# Switch a Wi-Fi interface to monitor mode and park it on one channel.
# Needs wireless-tools (iwconfig) and net-tools (ifconfig); the interface
# must be down while the mode is changed.  Stop on the first failure so a
# device that is still held by NetworkManager does not end up half-configured.
set -e

if [ $# -lt 2 ]; then
    echo "Usage: $0 [DEV_NAME] [CHANNEL]"
    exit 1
fi

dev="$1"
ch="$2"

sudo ifconfig "${dev}" down
sudo iwconfig "${dev}" mode monitor
sudo ifconfig "${dev}" up
sudo iwconfig "${dev}" channel "${ch}"

# Confirm: Mode should read Monitor and Frequency should match the requested channel
iwconfig "${dev}"

Run Wireshark

  • Start Wireshark (as root, or as a member of the wireshark group) and begin a capture on wlx008e86000266. Because the interface is in monitor mode, every packet carries a Radiotap header followed by the raw 802.11 frame, which is what the wlan.* fields below refer to.
  • Select View > Wireless Toolbar to see, and change, the channel from inside Wireshark.
  • Narrow the view with a display filter, for example wlan.fc.type_subtype == 0x08 for beacon frames only. This is display-filter syntax, typed into the filter bar above the packet list; the capture filter uses BPF syntax instead. A sample display filter for one AP follows.

Filter:

Suppose we want to see only the following traffic for the AP with BSSID C4:E9:0A:6F:A5:1A:

  • Association request/response (wlan.fc.type_subtype == 0x00 / 0x01)
  • Reassociation request/response (0x02 / 0x03)
  • Probe request/response (0x04 / 0x05)
  • Beacon (0x08)
  • The WPA2 four-way handshake, i.e. EAPOL-Key frames. These are data frames (wlan.fc.type == 2), but matching every data frame would also show all of the encrypted payload traffic; the eapol protocol filter selects just the handshake.

The management subtypes above run from 0x00 to 0x08 (0x06 and 0x07 are reserved), so they collapse into one range. The resulting display filter is:

wlan.addr == c4:e9:0a:6f:a5:1a && (wlan.fc.type_subtype <= 0x0008 || eapol)

wlan.addr == ... matches the BSSID in any address slot (DA, SA or BSSID), so frames both to and from the AP are shown; a byte slice such as wlan.addr[4:2] == a5:1a also works but matches any address whose last two bytes are a5:1a. Two pitfalls to avoid: wlan.fc.type_subtype < 0x0005 stops at the probe request and silently drops probe responses and beacons, and wlan.fc.type == 0x0002 on its own matches all data frames, not only the handshake. For a WPA3-SAE network the SAE commit/confirm exchange is carried in Authentication frames before the four-way handshake, so add || wlan.fc.type_subtype == 0x0b to see it.
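To make the filter semantics concrete, here is an added example (not from the original page) in Python: a minimal 802.11 MAC-header parser plus two filter variants expressed as Python predicates, run over constructed frames that use the page's AP BSSID C4:E9:0A:6F:A5:1A and station 40:31:3C:D1:BD:C9. The original filter `wlan.addr[4:2] == A5:1A and (wlan.fc.type_subtype < 0x0005 || wlan.fc.type == 0x0002)` and the wider `wlan.addr == c4:e9:0a:6f:a5:1a && (wlan.fc.type_subtype <= 0x0008 || eapol)` are both modelled. The sample frames, their bodies and the EAPOL-Key stub are constructed; the parser ignores HT Control and other header extensions.

```python
"""Added example (not from the original page): a minimal 802.11 MAC-header parser
that evaluates two display-filter variants on constructed frames, to show which
frames each one selects.  Addresses are the ones from the airodump-ng output."""
from dataclasses import dataclass
from typing import List

MGMT, CTRL, DATA = 0, 1, 2
AP_BSSID = "c4:e9:0a:6f:a5:1a"              # AP1
STA = "40:31:3c:d1:bd:c9"                    # station seen by airodump-ng
BCAST = "ff:ff:ff:ff:ff:ff"
LLC_SNAP = bytes.fromhex("aaaa03000000")     # LLC/SNAP header that precedes the ethertype
ETHERTYPE_EAPOL = 0x888E
FLAG_PROTECTED = 0x40                        # Frame Control flags: Protected Frame bit


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def fmt(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


@dataclass
class Frame:
    ftype: int
    subtype: int
    addrs: List[str]
    flags: int
    body: bytes

    @property
    def type_subtype(self) -> int:
        # Wireshark's wlan.fc.type_subtype is (type << 4) | subtype
        return (self.ftype << 4) | self.subtype


def build_frame(ftype, subtype, addrs, body=b"", flags=0) -> bytes:
    """Serialise a frame header (protocol version 0) followed by the body."""
    hdr = bytes([(subtype << 4) | (ftype << 2), flags]) + b"\x00\x00"   # FC, Duration/ID
    if ftype == CTRL:                                   # control frames: RA [, TA], no sequence control
        return hdr + b"".join(mac(a) for a in addrs)
    hdr += b"".join(mac(a) for a in addrs[:3]) + b"\x00\x00"   # Addr1-3, Sequence Control
    if len(addrs) == 4:
        hdr += mac(addrs[3])                            # Addr4 only when ToDS and FromDS are both set
    if ftype == DATA and subtype & 0x8:
        hdr += b"\x00\x00"                              # QoS Control for QoS data subtypes
    return hdr + body


def parse_frame(raw: bytes) -> Frame:
    ftype, subtype, flags = (raw[0] >> 2) & 0x3, raw[0] >> 4, raw[1]
    if ftype == CTRL:
        # RTS, BlockAckReq, BlockAck, PS-Poll and CF-End carry two addresses; ACK/CTS carry one
        n = 2 if subtype in (0x8, 0x9, 0xA, 0xB, 0xE) else 1
        return Frame(ftype, subtype, [fmt(raw[4 + 6 * i:10 + 6 * i]) for i in range(n)], flags, b"")
    addrs = [fmt(raw[4:10]), fmt(raw[10:16]), fmt(raw[16:22])]
    off = 24
    if ftype == DATA and (flags & 0x3) == 0x3:         # ToDS and FromDS: fourth address present
        addrs.append(fmt(raw[24:30]))
        off += 6
    if ftype == DATA and subtype & 0x8:                 # QoS Control field
        off += 2
    return Frame(ftype, subtype, addrs, flags, raw[off:])


def is_eapol(f: Frame) -> bool:
    """Wireshark's 'eapol' filter: an unprotected data frame whose LLC/SNAP ethertype is 0x888E."""
    if f.ftype != DATA or f.flags & FLAG_PROTECTED:
        return False
    return f.body[:6] == LLC_SNAP and int.from_bytes(f.body[6:8], "big") == ETHERTYPE_EAPOL


def page_filter(f: Frame) -> bool:
    """wlan.addr[4:2] == a5:1a and (wlan.fc.type_subtype < 0x0005 || wlan.fc.type == 0x0002)"""
    return any(a.endswith("a5:1a") for a in f.addrs) and (f.type_subtype < 0x05 or f.ftype == DATA)


def corrected_filter(f: Frame) -> bool:
    """wlan.addr == c4:e9:0a:6f:a5:1a && (wlan.fc.type_subtype <= 0x0008 || eapol)"""
    return AP_BSSID in f.addrs and (f.type_subtype <= 0x08 or is_eapol(f))


# Constructed sample frames, not captured traffic.
# Management frames: Addr1=DA, Addr2=SA, Addr3=BSSID.  FromDS data: Addr1=DA, Addr2=BSSID, Addr3=SA.
EAPOL_KEY_M1 = LLC_SNAP + b"\x88\x8e" + b"\x02\x03\x00\x5f\x02"   # SNAP, EAPOL v2 type 3 (Key), RSN descriptor
SAMPLE_FRAMES = [
    ("beacon",     build_frame(MGMT, 0x8, [BCAST, AP_BSSID, AP_BSSID], b"\x00" * 12 + b"\x00\x03AP1")),
    ("probe_req",  build_frame(MGMT, 0x4, [BCAST, STA, BCAST])),          # wildcard probe, not addressed to AP1
    ("probe_resp", build_frame(MGMT, 0x5, [STA, AP_BSSID, AP_BSSID])),
    ("assoc_req",  build_frame(MGMT, 0x0, [AP_BSSID, STA, AP_BSSID])),
    ("eapol_m1",   build_frame(DATA, 0x0, [STA, AP_BSSID, AP_BSSID], EAPOL_KEY_M1, flags=0x02)),      # FromDS
    ("qos_data",   build_frame(DATA, 0x8, [AP_BSSID, STA, AP_BSSID], b"\x01\x02\x03\x04", flags=0x41)),  # ToDS + Protected
    ("ack",        build_frame(CTRL, 0xD, [STA])),
]


def select(filter_fn) -> List[str]:
    """Names of the sample frames that the given filter would display."""
    return [name for name, raw in SAMPLE_FRAMES if filter_fn(parse_frame(raw))]


if __name__ == "__main__":
    print("page filter:     ", select(page_filter))
    print("corrected filter:", select(corrected_filter))
```

Running it shows the difference: the first variant selects assoc_req, eapol_m1 and qos_data (an encrypted data frame that is not part of the handshake) and misses the beacon and the probe response; the second selects beacon, probe_resp, assoc_req and eapol_m1 only. The wildcard probe request is excluded by both, as it carries the broadcast BSSID rather than the AP's address.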

Use Case

Add a vendor-specific IE to the beacons of a Realtek Wi-Fi AP and confirm in Wireshark, from the sniffer set up above, that the beacon frames now carry the new element.

Vendor Specific IEEE 802.11 Information Element

Run the script below on the Realtek AP as ./set_ie.sh "000a00" "01234567" to add a vendor-specific element with the MediaTek OUI 00:0a:00 and the content 01234567. setCIE is a private ioctl of the Realtek driver, issued with iwpriv on the AP (interface wlan1); it is not a command available on the Ubuntu sniffer.

set_ie.sh

#!/bin/sh
# Runs on the Realtek AP.  setCIE is a Realtek driver private ioctl (iwpriv),
# not a standard Linux wireless command; the interface name is fixed to wlan1 here.
if [ $# -lt 2 ]; then
    echo "Usage: $0 [OUI] [CONTENT]"
    exit 1
fi

oui="$1"        # vendor OUI as hex, e.g. 000a00 for MediaTek
content="$2"    # payload that follows the OUI in the element

echo "set IE"
echo "  - OUI:      $oui"
echo "  - CONTENT:  $content"

iwpriv wlan1 setCIE "${oui},${content}"

echo "Set WLAN IE done"

This is what Wireshark shows for the element (right-click it in the packet details pane and choose Copy > All Visible Selected Tree Items). Note that the tag length is 10, i.e. the three OUI bytes plus seven ASCII bytes 30..36 ("0123456"): the content was transmitted as text and its trailing '7' is absent, and the byte Wireshark labels Vendor Specific OUI Type (48 = 0x30) is simply the first content character '0'.

Tag: Vendor Specific: Mediatek Corp.
    Tag Number: Vendor Specific (221)
    Tag length: 10
    OUI: 00:0a:00 (Mediatek Corp.)
    Vendor Specific OUI Type: 48
    Vendor Specific Data: 30313233343536
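As an added example (not the page's or Realtek's code), the Python below encodes a vendor-specific IE the way set_ie.sh's OUI and CONTENT arguments appear on the air, and parses an IE list back with the length checks a receiver must perform. The bytes dd 0a 00 0a 00 30 31 32 33 34 35 36 are the element Wireshark decoded above; the surrounding SSID, Supported Rates and DS Parameter Set elements are constructed to resemble the AP1 beacon.

```python
"""Added example (not from the page or the Realtek driver): build and parse
802.11 information elements, including the vendor-specific element (tag 221)
that set_ie.sh adds.  The beacon tail below is constructed; the vendor IE bytes
are the ones Wireshark showed on the page."""
from typing import List, Tuple

TAG_SSID = 0
TAG_SUPPORTED_RATES = 1
TAG_DS_PARAMS = 3            # carries the channel number
TAG_VENDOR_SPECIFIC = 221


def build_ie(tag: int, payload: bytes) -> bytes:
    """Tag / length / value; both tag and length are single bytes."""
    if not 0 <= tag <= 255 or len(payload) > 255:
        raise ValueError("IE tag and length are single bytes")
    return bytes([tag, len(payload)]) + payload


def build_vendor_ie(oui_hex: str, content: str) -> bytes:
    """OUI is given as hex (as in set_ie.sh); the content is sent as its ASCII bytes,
    which is how '01234567' showed up as 30 31 32 ... in Wireshark."""
    oui = bytes.fromhex(oui_hex)
    if len(oui) != 3:
        raise ValueError("OUI must be exactly 3 bytes")
    return build_ie(TAG_VENDOR_SPECIFIC, oui + content.encode("ascii"))


def parse_ies(buf: bytes) -> List[Tuple[int, bytes]]:
    """Walk a tag/length/value list.  In received frames the length byte is
    attacker-controlled, so it is checked against the remaining buffer rather
    than trusted; a truncated element raises instead of being read past the end."""
    out, off = [], 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError(f"dangling tag byte at offset {off}")
        tag, length = buf[off], buf[off + 1]
        if off + 2 + length > len(buf):
            raise ValueError(f"IE {tag} claims {length} bytes but only {len(buf) - off - 2} remain")
        out.append((tag, buf[off + 2: off + 2 + length]))
        off += 2 + length
    return out


def is_well_formed(buf: bytes) -> bool:
    try:
        parse_ies(buf)
        return True
    except ValueError:
        return False


def vendor_ies(buf: bytes, oui: bytes) -> List[Tuple[int, bytes]]:
    """(OUI type, data) of every vendor-specific IE carrying the given OUI.
    Wireshark labels the first payload byte after the OUI 'Vendor Specific OUI Type'."""
    found = []
    for tag, payload in parse_ies(buf):
        if tag == TAG_VENDOR_SPECIFIC and len(payload) >= 4 and payload[:3] == oui:
            found.append((payload[3], payload[4:]))
    return found


def channel_from_ies(buf: bytes) -> int:
    """Channel announced in the DS Parameter Set element (what airodump-ng's CH column reports)."""
    for tag, payload in parse_ies(buf):
        if tag == TAG_DS_PARAMS and len(payload) == 1:
            return payload[0]
    raise ValueError("no DS Parameter Set element")


# The element as Wireshark decoded it on the page: dd 0a | 00 0a 00 | 30 31 32 33 34 35 36
OBSERVED_MTK_IE = bytes.fromhex("dd0a000a0030313233343536")

# Constructed beacon tail: SSID "AP1", basic rates 1/2/5.5/11 Mbps, channel 13, then the observed vendor IE
CONSTRUCTED_BEACON_IES = (
    build_ie(TAG_SSID, b"AP1")
    + build_ie(TAG_SUPPORTED_RATES, bytes([0x82, 0x84, 0x8B, 0x96]))
    + build_ie(TAG_DS_PARAMS, bytes([13]))
    + OBSERVED_MTK_IE
)

if __name__ == "__main__":
    print("encoded:", build_vendor_ie("000a00", "01234567").hex())
    print("found:  ", vendor_ies(CONSTRUCTED_BEACON_IES, bytes.fromhex("000a00")))
    print("channel:", channel_from_ies(CONSTRUCTED_BEACON_IES))
```

build_vendor_ie("000a00", "01234567") yields an element body of 11 bytes (OUI plus eight ASCII characters), one more than the tag length of 10 observed above, so the trailing '7' never made it into the beacon. The byte Wireshark labels Vendor Specific OUI Type (48) is just the first content byte '0' (0x30), which is why vendor_ies returns (0x30, b"123456") for the observed element. Parsers that trust the length byte without the bounds check in parse_ies are a classic source of out-of-bounds reads in Wi-Fi drivers and supplicants, since any nearby radio can send a beacon.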

References

Appendix

Wireless Display Filter Reference

wlan.fc.type_subtype is (type << 4) | subtype, so management frames are 0x0x, control frames 0x1x and data frames 0x2x.

Frame name                   Display filter
Management frame             wlan.fc.type == 0
Control frame                wlan.fc.type == 1
Data frame                   wlan.fc.type == 2
Association request          wlan.fc.type_subtype == 0x00
Association response         wlan.fc.type_subtype == 0x01
Reassociation request        wlan.fc.type_subtype == 0x02
Reassociation response       wlan.fc.type_subtype == 0x03
Probe request                wlan.fc.type_subtype == 0x04
Probe response               wlan.fc.type_subtype == 0x05
Beacon                       wlan.fc.type_subtype == 0x08
Disassociation               wlan.fc.type_subtype == 0x0A
Authentication               wlan.fc.type_subtype == 0x0B
Deauthentication             wlan.fc.type_subtype == 0x0C
Action frame                 wlan.fc.type_subtype == 0x0D
Block ACK request            wlan.fc.type_subtype == 0x18
Block ACK                    wlan.fc.type_subtype == 0x19
Power save poll              wlan.fc.type_subtype == 0x1A
Request to send              wlan.fc.type_subtype == 0x1B
Clear to send                wlan.fc.type_subtype == 0x1C
ACK                          wlan.fc.type_subtype == 0x1D
Contention free period end   wlan.fc.type_subtype == 0x1E
Null data                    wlan.fc.type_subtype == 0x24
QoS data                     wlan.fc.type_subtype == 0x28
QoS null data                wlan.fc.type_subtype == 0x2C

MCS Table (HT/VHT/HE)

~~ TBD ~~