Capturing 802.11 frames with Wireshark has to be done under Linux.
Capturing 802.11 frames under Linux requires a working driver for the wireless card.
So get these two things ready before the actual capture.
* Unless otherwise noted, the commands below are run as root (sudo su) *
One: Install the wireless card driver
Wireless card: DWA-160 USB wireless card
NIC driver: http://alris1.dlinkddns.com/download/dlink/DWA-160/DWA-160_B2_DPO_RT5572_LinuxSTA_2.6.1.3_20121022.tar.bz2
Decompressing DWA-160_B2_DPO_RT5572_LinuxSTA_2.6.1.3_20121022.tar.bz2 gives the folder
dwa-160_b2_dpo_rt5572_linuxsta_2.6.1.3_20121022
Installation steps:
Inside the dwa-160_b2_dpo_rt5572_linuxsta_2.6.1.3_20121022 folder, execute the following commands:
# make
# make install
# cp RT2870STA.dat /etc/Wireless/RT2870STA/RT2870STA.dat
# cd os/linux
# insmod rt5572sta.ko
If nothing goes wrong, you can now connect to WiFi.
Two: Install Wireshark
Installing Wireshark is very simple:
# apt-get install wireshark
and that is all.
Three: Capturing 802.11 frames with Wireshark
• Note:

Because of my work I need to sniff wireless network packets, in particular IEEE 802.11 management and control frames (frames... actually I prefer to just call them packets). A colleague opened Wireshark and captured on the WiFi interface, but saw a pile of Ethernet frames and no WiFi frames at all. Why? See what Wireshark's official wiki says:

If you're trying to capture network traffic that's not being sent to or from the machine running Wireshark or TShark, i.e. traffic between two or more other machines on an Ethernet segment, or are interested in 802.11 management or control packets, or are interested in radio-layer information on packets, you will probably have to capture in "monitor mode". This is discussed below. Without any interaction, capturing on Wi-Fi may capture only user data packets with "fake" Ethernet headers. In this case, you won't see any 802.11 management or control packets at all, and the 802.11 packet headers are "translated" by the network driver to "fake" Ethernet packet headers.

So the answer is clear: the WiFi driver automatically converts the wireless frames into Ethernet frames before handing them to the kernel, so that the kernel's protocol stack can handle them more easily. The question is then: if I want to see the raw WiFi frames, how do I do it? The answer is simple: put the WiFi adapter into monitor mode. A WiFi adapter normally has an SSID/ESSID filter, so putting it into promiscuous mode is no use: it still cannot receive frames that do not belong to its own SSID. What about monitor mode? The same page says:

In monitor mode the SSID filter mentioned above is disabled and all packets of all SSIDs from the currently selected channel are captured.

The last question is how to put the wireless card into monitor mode under Linux.
The steps are as follows:
1. iw dev wlan0 interface add mon0 type monitor
2. ifconfig mon0 up
Then you can listen to packets through the virtual interface mon0. Two caveats: the first command only works if the driver supports monitor mode (iw list shows "monitor" under "Supported interface modes"), and, as the Wireshark wiki sentence above says, monitor mode only hears the channel the card is currently tuned to, so tune mon0 to the channel you are interested in before capturing. Removing the interface is just as simple:
1. iw dev mon0 interface del
Once the above is done, open Wireshark and select mon0 as the capture interface:
# wireshark
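Putting the steps of this section together, here is an added helper (example code written for this page, not from the original post): it checks that the driver actually advertises monitor mode by parsing the output of iw list, builds the same command sequence as above with ip link in place of ifconfig (net-tools is not installed by default on recent Ubuntu), and adds the channel step that the page leaves out. The interface names wlan0 and mon0, channel 6 and the embedded iw list listing are assumptions made for the example.

```python
"""Bring up a monitor-mode interface for Wireshark, with two checks the page skips.

Added example for this page, not code from the original post. Interface names
wlan0/mon0, channel 6 and SAMPLE_IW_LIST are constructed assumptions.
"""
import subprocess
import sys

# Constructed excerpt of 'iw list' output for a card whose driver supports monitor mode.
SAMPLE_IW_LIST = """\
Wiphy phy0
\tmax # scan SSIDs: 4
\tSupported interface modes:
\t\t * IBSS
\t\t * managed
\t\t * AP
\t\t * monitor
\tBand 1:
\t\tCapabilities: 0x1fe
"""


def supports_monitor(iw_list_output):
    """True if 'iw list' shows 'monitor' under 'Supported interface modes'."""
    in_section = False
    for line in iw_list_output.splitlines():
        stripped = line.strip()
        if stripped.startswith("Supported interface modes"):
            in_section = True
            continue
        if in_section and not stripped.startswith("*"):  # reached the next section
            in_section = False
        if in_section and stripped == "* monitor":
            return True
    return False


def monitor_commands(base="wlan0", mon="mon0", channel=None):
    """The command sequence, in order, as argv lists so it can be reviewed or dry-run."""
    cmds = [["iw", "dev", base, "interface", "add", mon, "type", "monitor"],
            ["ip", "link", "set", "dev", mon, "up"]]
    if channel is not None:
        # monitor mode only hears the currently selected channel, so pick it explicitly
        cmds.append(["iw", "dev", mon, "set", "channel", str(channel)])
    return cmds


def teardown_commands(mon="mon0"):
    """Reverse of monitor_commands: delete the virtual interface."""
    return [["iw", "dev", mon, "interface", "del"]]


def run(cmds, dry_run=True):
    """Execute the commands (needs root) or only echo them; returns the shell lines."""
    lines = [" ".join(c) for c in cmds]
    if not dry_run:
        for c in cmds:
            subprocess.run(c, check=True)
    return lines


if __name__ == "__main__":
    listing = subprocess.run(["iw", "list"], capture_output=True, text=True).stdout
    if not supports_monitor(listing):
        sys.exit("driver does not advertise monitor mode; 'iw ... type monitor' will fail")
    # prints the plan by default; pass --apply (as root) to actually run it
    for line in run(monitor_commands(channel=6), dry_run="--apply" not in sys.argv):
        print(line)
```

Run it without arguments first to see the planned commands; pass --apply as root to execute them. Tear down afterwards with run(teardown_commands(), dry_run=False), otherwise mon0 keeps the radio parked on the chosen channel.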
Four: Fixing the error that appears when opening Wireshark
The error is as follows. Running Wireshark directly gives:
Lua: Error during loading: [string "/usr/share/wireshark/init.lua"]:45: dofile has been disabled
Solution: edit init.lua. In a terminal run sudo gedit /usr/share/wireshark/init.lua; the penultimate line is
dofile(DATA_DIR.."console.lua")
Change it to:
-- dofile(DATA_DIR.."console.lua")
The underlying cause is that Wireshark is being run as root: init.lua disables dofile for the superuser so that Lua scripts are not loaded with root privileges, and commenting the line out simply skips loading console.lua. The cleaner fix is not to run Wireshark as root at all: on Ubuntu run dpkg-reconfigure wireshark-common, answer yes to letting non-superusers capture, add your user to the wireshark group, and start Wireshark as that user. Only dumpcap then carries the capture privileges and the protocol dissectors run unprivileged.
Five: Filtering the captured 802.11 packets
Under Expression, the relevant protocol field groups are: "802.11 MGT - IEEE 802.11 wireless LAN management frame", "802.11 radiotap - IEEE 802.11 radiotap capture header", "IEEE 802.11 - IEEE 802.11 wireless LAN", "IEEE 802.11 Aggregate Data - IEEE 802.11 wireless LAN aggregate frame", "WLANCERTEXTN - WLAN certificate extension", "Wi-Fi P2P - Wi-Fi peer-to-peer", "WiMAX (wmx) - WiMAX protocol", ...
Some of the more commonly used filter fields:
wlan.da - destination address (destination hardware address)
wlan.sa - source address (source hardware address)
wlan.addr - source or destination address (matches any of the address fields)
wlan.ra - receiver address (receiving station hardware address)
wlan.ta - transmitter address (transmitting station hardware address)
wlan.bssid - BSS ID (Basic Service Set ID)
wlan_mgt.ssid - SSID (identifies an ESS or IBSS)
Note that the wlan_mgt prefix only exists in Wireshark versions before 2.0; from 2.0 on the management-frame fields were merged into wlan, so the SSID field is wlan.ssid. Also keep in mind that in a management frame addr1 is the DA, addr2 the SA and addr3 the BSSID, whereas in data frames the roles of the three addresses depend on the To DS / From DS flags in the frame control field: use wlan.ra/wlan.ta when you care about the over-the-air neighbours and wlan.sa/wlan.da when you care about the end points.
Six: Simple 802.11 packet analysis
Now that you can capture packets, here is some simple analysis.
(Screenshots: 802.11 frame capture and analysis; 802.11 packet capture analysis)
As for deeper packet analysis, I will write it up when I have learned more.
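As a starting point for the analysis, and to show what the filter fields in section five actually refer to, here is an added Python decoder (written for this page, not from the original post) that walks a radiotap header and an 802.11 MAC header and names the results the way Wireshark does. It goes a little beyond the beacon case: the address-to-role mapping follows the To DS / From DS table for every data-frame case as well. The frame it decodes is constructed by hand (a beacon for the made-up SSID "TestNet" from the made-up BSSID 02:11:22:33:44:55 on 2437 MHz), so it runs without a wireless card; to use it on real traffic, feed it the bytes of one packet from a pcap captured on mon0.

```python
"""Decode radiotap + IEEE 802.11 frame bytes into Wireshark-style field names.

Added example for this page, not code from the original post. SAMPLE_PKT is a
hand-constructed beacon (SSID "TestNet", BSSID 02:11:22:33:44:55, channel 6).
"""
import struct

MGMT, CTRL, DATA = 0, 1, 2

# radiotap "present" bits this decoder understands: bit -> (name, struct format, alignment)
RADIOTAP_FIELDS = {
    0: ("tsft", "<Q", 8),
    1: ("flags", "<B", 1),
    2: ("rate", "<B", 1),
    3: ("channel", "<HH", 2),
    4: ("fhss", "<BB", 1),
    5: ("dbm_antsignal", "<b", 1),
    6: ("dbm_antnoise", "<b", 1),
}


def parse_radiotap(buf):
    """Return (fields, header_length); fields use Wireshark's radiotap.* names."""
    version, _pad, length, present = struct.unpack_from("<BBHI", buf, 0)
    if version != 0:
        raise ValueError("unsupported radiotap version %d" % version)
    if present & (1 << 31):
        raise ValueError("extended present bitmask not handled by this example")
    fields, off = {}, 8
    for bit in range(31):
        if not present & (1 << bit):
            continue
        if bit not in RADIOTAP_FIELDS:
            raise ValueError("radiotap field bit %d not handled by this example" % bit)
        name, fmt, align = RADIOTAP_FIELDS[bit]
        off = (off + align - 1) // align * align  # radiotap fields are naturally aligned
        values = struct.unpack_from(fmt, buf, off)
        off += struct.calcsize(fmt)
        if name == "channel":
            fields["radiotap.channel.freq"], fields["radiotap.channel.flags"] = values
        else:
            fields["radiotap." + name] = values[0]
    return fields, length


def mac(b):
    return ":".join("%02x" % x for x in b)


def parse_80211(frame):
    """Decode the MAC header; address roles follow the To DS / From DS table."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 3, (fc >> 4) & 0xF
    to_ds, from_ds = bool(fc & 0x100), bool(fc & 0x200)
    f = {"wlan.fc.type": ftype, "wlan.fc.subtype": subtype,
         "wlan.fc.tods": to_ds, "wlan.fc.fromds": from_ds, "wlan.ra": mac(frame[4:10])}
    if ftype == CTRL:
        # control frames (RTS/CTS/ACK/...) carry only RA, plus TA for some subtypes
        if len(frame) >= 16:
            f["wlan.ta"] = mac(frame[10:16])
        return f, len(frame)
    a1, a2, a3 = f["wlan.ra"], mac(frame[10:16]), mac(frame[16:22])
    f["wlan.ta"] = a2
    f["wlan.seq"] = struct.unpack_from("<H", frame, 22)[0] >> 4
    hdr = 24
    if not to_ds and not from_ds:      # management frames and IBSS data
        f["wlan.da"], f["wlan.sa"], f["wlan.bssid"] = a1, a2, a3
    elif from_ds and not to_ds:        # AP -> station
        f["wlan.da"], f["wlan.bssid"], f["wlan.sa"] = a1, a2, a3
    elif to_ds and not from_ds:        # station -> AP
        f["wlan.bssid"], f["wlan.sa"], f["wlan.da"] = a1, a2, a3
    else:                              # WDS: four addresses, SA is the fourth
        f["wlan.da"], f["wlan.sa"] = a3, mac(frame[24:30])
        hdr = 30
    if ftype == DATA and subtype & 0x8:  # QoS data adds a 2-byte QoS control field
        hdr += 2
    return f, hdr


def parse_ies(body):
    """Split a management frame's tagged parameters into (element id, value) pairs."""
    ies, off = [], 0
    while off + 2 <= len(body):
        eid, elen = body[off], body[off + 1]
        ies.append((eid, body[off + 2:off + 2 + elen]))
        off += 2 + elen
    return ies


def dissect(pkt):
    """Radiotap + 802.11 frame bytes -> flat dict of Wireshark-style field names."""
    fields, rt_len = parse_radiotap(pkt)
    frame = pkt[rt_len:]
    if fields.get("radiotap.flags", 0) & 0x10:   # driver left the FCS on the frame
        frame = frame[:-4]
    mac_fields, hdr_len = parse_80211(frame)
    fields.update(mac_fields)
    if fields["wlan.fc.type"] == MGMT and fields["wlan.fc.subtype"] in (8, 5):
        body = frame[hdr_len:]          # beacon/probe response: fixed params, then IEs
        fields["wlan.fixed.beacon"] = struct.unpack_from("<H", body, 8)[0]
        fields["wlan.fixed.capabilities"] = struct.unpack_from("<H", body, 10)[0]
        for eid, val in parse_ies(body[12:]):
            if eid == 0:                # wlan_mgt.ssid before Wireshark 2.0, wlan.ssid since
                fields["wlan.ssid"] = val.decode("utf-8", "replace")
            elif eid == 3:              # DS parameter set
                fields["wlan.ds.current_channel"] = val[0]
    return fields


def matches_addr(fields, addr):
    """Equivalent of the display filter 'wlan.addr == addr' (any address field)."""
    return addr in {fields.get(k) for k in ("wlan.da", "wlan.sa", "wlan.ra", "wlan.ta", "wlan.bssid")}


# Constructed sample: 15-byte radiotap header (flags, rate, channel 2437 MHz, -40 dBm)
# followed by a beacon from 02:11:22:33:44:55 advertising "TestNet" on channel 6.
RADIOTAP = bytes.fromhex("00000f00" "2e000000" "00" "02" "8509" "a000" "d8")
BEACON_MAC = bytes.fromhex("8000" "0000" "ffffffffffff" "021122334455" "021122334455" "1000")
BEACON_BODY = (bytes(8)                                  # timestamp
               + struct.pack("<HH", 100, 0x0411)         # beacon interval, capabilities
               + bytes([0, 7]) + b"TestNet"              # SSID element
               + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])   # supported rates
               + bytes([3, 1, 6]))                       # DS parameter set: channel 6
SAMPLE_PKT = RADIOTAP + BEACON_MAC + BEACON_BODY

if __name__ == "__main__":
    for name, value in sorted(dissect(SAMPLE_PKT).items()):
        print("%-26s %r" % (name, value))
```

The decoder deliberately refuses radiotap bits it does not know rather than guessing offsets, because a wrong radiotap length silently shifts every 802.11 field after it; extend RADIOTAP_FIELDS when your driver emits more fields.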
Capturing 802.11 packets with Wireshark under Ubuntu, with filtering and analysis