Wednesday, February 18, 2009

Mac OSX: Capturing 802.11 WLAN Traffic

This is a trick for Mac OSX users: if you want to capture 802.11 WLAN packets, you can't do it with the normal tcpdump capture arguments. On an Apple Macbook, en1 is normally the wireless network interface.

shell>sudo tcpdump -s 0 -nni en1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 96 bytes

If you look at the link-type, it is EN10MB, so the 802.11 radio information header is not going to be captured. However, we can set the link type in tcpdump. First, list the link types the interface supports -

shell>sudo tcpdump -nni en1 -L
Data link types (use option -y to set):
IEEE802_11_RADIO_AVS (802.11 plus AVS radio information header) (not supported)
IEEE802_11 (802.11)
IEEE802_11_RADIO (802.11 plus BSD radio information header)
EN10MB (Ethernet)

Specify the link type with the -y option -

shell>sudo tcpdump -y 'IEEE802_11_RADIO' -ttttnni en1
tcpdump: data link type IEEE802_11_RADIO
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type IEEE802_11_RADIO (802.11 plus BSD radio information header), capture size 96 bytes
2009-02-18 00:55:13.948664 3466317997us tsft 1.0 Mb/s 2462 MHz (0x0080) -44dB signal 0dB noise antenna 0 Beacon (SSID) [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 11, PRIVACY
2009-02-18 00:55:14.051029 3466420387us tsft 1.0 Mb/s 2462 MHz (0x0080) -44dB signal 0dB noise antenna 0 Beacon (SSID) [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 11, PRIVACY

If you want to analyze 802.11 traffic, you can definitely play around with this. Of course, if you want to put your Macbook into RFMON mode, the best tool around is Kismac.
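As an added example (not from the original post), here is a small Python decoder for what the IEEE802_11_RADIO link type gives you: the radiotap header fields tcpdump prints (tsft, rate, channel, signal, noise, antenna) followed by the beacon's SSID, supported rates, DS channel and capability bits. The frame bytes are constructed to reproduce the tcpdump line above; they are not a real capture, and the decoder only models the radiotap fields listed in FIELD_SPEC.

```python
import struct

# Radiotap "present" bits (radiotap.org) and each field's (struct format, natural alignment).
TSFT, FLAGS, RATE, CHANNEL, DBM_SIGNAL, DBM_NOISE, ANTENNA = 0, 1, 2, 3, 5, 6, 11
FIELD_SPEC = {TSFT: ("<Q", 8), FLAGS: ("<B", 1), RATE: ("<B", 1), CHANNEL: ("<HH", 2),
              DBM_SIGNAL: ("<b", 1), DBM_NOISE: ("<b", 1), ANTENNA: ("<B", 1)}

def parse_radiotap(buf):  # -> ({present_bit: value}, header_length)
    version, _pad, length, present = struct.unpack_from("<BBHI", buf, 0)
    if version != 0 or length > len(buf) or present & (1 << 31):
        raise ValueError("unsupported radiotap header")  # extended bitmaps are out of scope here
    fields, off = {}, 8
    for bit in (b for b in range(31) if present & (1 << b)):
        fmt, align = FIELD_SPEC[bit]              # KeyError: a field this example does not model
        off = (off + align - 1) // align * align  # every radiotap field is naturally aligned
        vals = struct.unpack_from(fmt, buf, off)
        fields[bit] = vals if len(vals) > 1 else vals[0]
        off += struct.calcsize(fmt)
    return fields, length

def parse_beacon(frame):  # -> SSID, rates, DS channel and capability bits of one beacon
    fc, = struct.unpack_from("<H", frame, 0)
    if fc & 0x0C != 0 or (fc >> 4) & 0xF != 8:   # type 0 (management), subtype 8 (beacon)
        raise ValueError("not a beacon frame")
    _tstamp, _interval, cap = struct.unpack_from("<QHH", frame, 24)  # fixed fields after MAC header
    info, off = {"ess": bool(cap & 0x0001), "privacy": bool(cap & 0x0010)}, 36
    while off + 2 <= len(frame):                  # walk the information elements
        eid, body = frame[off], frame[off + 2:off + 2 + frame[off + 1]]
        if eid == 0:
            info["ssid"] = body.decode("utf-8", "replace")
        elif eid == 1:  # rates in 500 kb/s units; high bit marks a basic rate (tcpdump's '*')
            info["rates"] = [((r & 0x7F) / 2, bool(r & 0x80)) for r in body]
        elif eid == 3:
            info["channel"] = body[0]
        off += 2 + len(body)
    return info

def summarize(packet):  # render the fields in the order tcpdump prints them for a beacon
    rt, hlen = parse_radiotap(packet)
    b = parse_beacon(packet[hlen:])
    rates = " ".join("%.1f%s" % (r, "*" if basic else "") for r, basic in b["rates"])
    return "%dus tsft %.1f Mb/s %d MHz (0x%04x) %ddB signal %ddB noise antenna %d Beacon (%s) [%s Mbit] %sCH: %d%s" % (
        rt[TSFT], rt[RATE] / 2, rt[CHANNEL][0], rt[CHANNEL][1], rt[DBM_SIGNAL], rt[DBM_NOISE], rt[ANTENNA],
        b["ssid"], rates, "ESS " if b["ess"] else "", b["channel"], ", PRIVACY" if b["privacy"] else "")

# Constructed sample (not a real capture): 25-byte radiotap header, then a beacon for "SSID" on channel 11.
PRESENT = (1 << TSFT) | (1 << RATE) | (1 << CHANNEL) | (1 << DBM_SIGNAL) | (1 << DBM_NOISE) | (1 << ANTENNA)
RADIOTAP = struct.pack("<BBHI", 0, 0, 25, PRESENT) + struct.pack("<QBxHHbbB", 3466317997, 2, 2462, 0x0080, -44, 0, 0)
BEACON = (b"\x80\x00\x00\x00" + b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" * 2 + b"\x00\x00"  # MAC header
          + struct.pack("<QHH", 3466317997, 100, 0x0011) + b"\x00\x04SSID\x01\x04\x82\x84\x8b\x96\x03\x01\x0b")
```

Calling summarize(RADIOTAP + BEACON) yields the same text tcpdump printed after the timestamp in the capture above.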

Enjoy (;])

3 comments:

james said...

Hi Lee,
We like your sharing and comments on IT Security topics. How can we reach you to seek your security advice?

rgrds
James
jamesdp21@gmail.com

generic viagra said...

I have a little doubt: what is "2009-02-18 00:55:14.051029 3466420387us tsft 1.0 Mb/s 2462 MHz (0x0080) -44dB signal 0dB noise antenna 0 Beacon"? I cannot understand it because I forgot to learn it!