Wireshark 101: Wireless Sniffing

Shannon demos a wireless network packet header in Wireshark and explains the 6 modes of wireless in this week's episode of HakTip.

Wireless works a bit differently than wired networks. The physical layer of a wireless spectrum has 11 channels in the US. Your network data and traffic will show up on one of those channels. Therefore, you have to configure your computer to know which channel to capture traffic on. You may run into wireless interference, giving you false packet loss data, and you might end up with capturing data from an overlapping channel. You should also know about Wireless card modes. There are six main modes: managed, ad hoc, master, mesh, repeater and monitor.

Master Mode is often referred to as an Access Point or Base Station. Interfaces in Managed Mode, aka Infrastructure Mode, are considered clients or stations and are the devices connected to an access point, like your laptop. Ad-hoc, aka Peer-to-Peer, is a mode where wireless devices can communicate with each other without the need for a centralized base-station or access point. A wireless interface in repeater mode can be configured to connect to a wireless network, and repeat the signal. You can think of a mesh as a sort of planned ad-hoc network. Mesh networks, or mesh clouds, are comprised of radios acting as routers, gateways and clients. Lastly is an important one. Monitor mode lets your wireless device listen to the packets flying through the airwaves, no transmitting or receiving. More details on all of these can be found in HakTip ep. 9 - The 6 Modes of Wireless.

To capture traffic in monitor mode on a Windows machine, you'll most likely need to use hardware such as AirPcap, which uses the WinPcap drivers but adds monitor to your computer.

For a Linux machine, you can probably just change the NIC internally. This varies depending on your own wireless hardware, so do a quick search on google for your specific device.

In Wireshark, the packet header has a new section for 802.11. A management frame like this one establishes connectivity, a control packet would allow the management and data packets to be delivered, and a data packet contains the actual data. The management packet has a beacon frame, which broadcasts from a WAP (wireless access point) out to anyone listening. You'll find the type/ subtype in the header, as well as a timestamp, beacon interval (retransmission of beacon), capability information (info about the hardware capabilities), the SSID, the supported rates (specifically the data transfer rates), and the DS parameter (the channel of the WAP).

