The last subject to be covered in this chapter is that of UNIX sniffers. This section provides a short tutorial on the uses most relevant to wireless scanning; for detailed documentation, you will have to refer to the tools' man pages. The two sniffers covered here are the venerable tcpdump and Wireshark. tcpdump is the Swiss army knife of UNIX sniffers.
tcpdump supports a large number of features and a powerful filtering language. If you want to use tcpdump to sniff packets with odd sequence numbers, you can. While we won't be using it for anything so esoteric, it's good to know the power is there if you need it.
Wireshark (previously known as Ethereal) is a great protocol decoder with a graphical interface. Though Wireshark can gather packets off the network in real time, it is normally used to display packets that have already been saved to disk.
The best way to get familiar with the workings of a protocol is to look at a capture of it in action. To that end, let's assume you are interested in looking at a pcap file your scanner produced while running. You can either decode it with tcpdump to get a quick view of what's going on, or you can load it into Wireshark. To view it with tcpdump, just use the -r (read file) flag. In the following listing, I am instructing tcpdump to read in the packets saved by a previous Kismet run and piping the output to less so I can read it before it scrolls off the screen:
[johnycsh@phoenix:~/Dumps]$ tcpdump -r ./Kismet-Apr-21-2006-9.dump | less
18:56:13.386643 Clear-To-Send RA:00:0f:b5:5d:92:6e
18:56:13.390308 CF-End RA:Broadcast
18:56:13.397012 Clear-To-Send RA:00:0f:b5:5d:92:6e
18:56:13.569095 Data IV: 9b Pad 0 KeyID 0
This is good for a quick glance and small files, but as you can imagine, staring at the lines of text as they scroll by can be tiring. Thankfully, you can load the same file into Wireshark/Ethereal and get a much more intuitive view of what's going on. The following command executes Ethereal and instructs it to load the same file you looked at with tcpdump in the previous example:
[johnycsh@phoenix:~/Dumps]$ ethereal ./Kismet-Apr-21-2006-9.dump
Ethereal will pop up at this point, and you can examine the details of your packets at every protocol level. Figure 5-13 shows a sample Wireshark/Ethereal display.
Sometimes you don't want to start up your scanner just to capture packets. For example, let's say you want to capture only the packets on channel 3 using your Atheros card. First, you would need to get your card into monitor mode and ensure it's on the correct channel:
[root@phoenix:/home/johnycsh/Dumps]$ ifconfig ath0 up
[root@phoenix:/home/johnycsh/Dumps]$ iwconfig ath0 channel 3
[root@phoenix:/home/johnycsh/Dumps]$ iwconfig ath0 mode monitor
Next, you will want to start capturing packets. You can do this either using tcpdump or through Wireshark's GUI. To use Wireshark, go to Capture | Interfaces and click Prepare next to your wireless card. Configure whatever settings you would like (I prefer to hide the Capture Info dialog) and click Start. If you would rather avoid all that clicking, you can just use tcpdump to capture the packets and Wireshark to view the file with the following command:
[root@phoenix:/home/johnycsh/Dumps]$ tcpdump -i ath0 -s 0 -w packets.pcap
This command instructs tcpdump to save every byte of every packet (-s 0) and write the results to packets.pcap. Just press CTRL-C when you're done, and then load it into Wireshark.
One of the most useful features in Wireshark is the ability to color packets based on rules. With the right set of coloring rules, you can pick out the interesting packets at a glance. For example, you can color deauthentication or disassociation packets red, set probe requests to bright green, and data to light blue. Immediately, you can see who is getting kicked off the network, who is looking for networks to join, and who is talking.
Wireshark does not come with a very good set of 802.11 rules by default. Creating your own can be a very educational experience. The following dialog shows an example of a rule that will color deauthentication packets.
The easiest way to figure out what numbers to use for the type and subtype is to look at individual packets inside Wireshark and use them as a template, or to read the 802.11 standard available for free from the IEEE. The 802.11 standard is available at http://www.standards.ieee.org/getieee802/802.11.html.
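The type and subtype numbers a coloring rule needs come straight from the two-byte Frame Control field at the start of every 802.11 frame, and the same numbers are what tcpdump -r is decoding when it prints "Clear-To-Send" or "Data" in the listing earlier in this section. The following Python program is an added example, not code from the book, from tcpdump or from Wireshark: it builds a small pcap in memory (link type 105, IEEE 802.11, so the file can also be opened in Wireshark or read with tcpdump -r), reads it back, decodes type and subtype from Frame Control byte 0, applies the red/green/blue scheme described above, and counts deauthentication and disassociation frames per sender so you can see at a glance who is kicking whom off the network. All function names, MAC addresses, timestamps and the reason code are constructed for the example; the field name wlan.fc.type_subtype is Wireshark's own, which packs type and subtype as type*16+subtype.

```python
"""Decode 802.11 type/subtype from a pcap the way a Wireshark coloring rule does.

Added example, not code from the book or from tcpdump/Wireshark. Builds a small
LINKTYPE_IEEE802_11 (105) pcap in memory from constructed frames, reads it back
and labels each frame with the colour the text assigns it. MAC addresses,
timestamps and reason codes are constructed sample values.
"""
import io
import struct

LINKTYPE_IEEE802_11 = 105
PCAP_MAGIC = 0xA1B2C3D4

# Management subtypes named in the text (type 0); data frames are type 2.
SUBTYPE_PROBE_REQ = 0x04
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C

# (type, subtype) -> label, mirroring the coloring scheme in the text.
RULES = {
    (0, SUBTYPE_DEAUTH): "deauthentication (red)",
    (0, SUBTYPE_DISASSOC): "disassociation (red)",
    (0, SUBTYPE_PROBE_REQ): "probe request (bright green)",
}
TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "extension"}


def parse_frame_control(frame):
    """Return (type, subtype) from Frame Control byte 0.

    Bits 0-1 are the protocol version, bits 2-3 the type, bits 4-7 the subtype;
    these are the numbers a coloring rule's type/subtype fields refer to."""
    fc0 = frame[0]
    return (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF


def type_subtype_filter(ftype, subtype):
    """Wireshark's wlan.fc.type_subtype packs type and subtype as type*16+subtype."""
    return "wlan.fc.type_subtype == 0x%02x" % ((ftype << 4) | subtype)


def classify(frame):
    """Label a frame as the coloring rules in the text would."""
    ftype, subtype = parse_frame_control(frame)
    if (ftype, subtype) in RULES:
        return RULES[(ftype, subtype)]
    if ftype == 2:
        return "data (light blue)"
    return "%s subtype %d" % (TYPE_NAMES[ftype], subtype)


def build_frame(ftype, subtype, addr1, addr2, addr3, body=b"", flags=0):
    """Constructed frame with the 24-byte header: FC, duration, addr1-3, seq ctrl."""
    fc0 = (ftype << 2) | (subtype << 4)
    return struct.pack("<BBH", fc0, flags, 0) + addr1 + addr2 + addr3 + b"\x00\x00" + body


def write_pcap(frames, first_ts=1145644573):
    """Serialise frames as a classic little-endian pcap with link type 105."""
    buf = io.BytesIO()
    # magic, major, minor, thiszone, sigfigs, snaplen, linktype
    buf.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11))
    for i, frame in enumerate(frames):
        buf.write(struct.pack("<IIII", first_ts + i, 0, len(frame), len(frame)))
        buf.write(frame)
    return buf.getvalue()


def read_pcap(data):
    """Yield (ts_sec, frame) per record; rejects captures that are not raw 802.11."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic 0x%08x" % magic)
    if linktype != LINKTYPE_IEEE802_11:
        raise ValueError("expected link type 105 (IEEE 802.11), got %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def summarize(pcap_bytes):
    """Count frames per label and deauth/disassoc frames per sender (Address 2)."""
    counts, kickers = {}, {}
    for _ts, frame in read_pcap(pcap_bytes):
        label = classify(frame)
        counts[label] = counts.get(label, 0) + 1
        ftype, subtype = parse_frame_control(frame)
        if ftype == 0 and subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and len(frame) >= 16:
            sender = ":".join("%02x" % b for b in frame[10:16])
            kickers[sender] = kickers.get(sender, 0) + 1
    return counts, kickers


# Constructed sample capture: locally administered MACs, not real devices.
AP = bytes.fromhex("020000000001")
STA = bytes.fromhex("020000000002")
BCAST = b"\xff" * 6
SAMPLE_FRAMES = [
    build_frame(0, SUBTYPE_PROBE_REQ, BCAST, STA, BCAST),                       # station looking for networks
    build_frame(2, 0x00, AP, STA, AP, b"\x9b\x00\x00\x00payload", flags=0x40),  # protected data frame, WEP IV
    struct.pack("<BBH", (1 << 2) | (0x0C << 4), 0, 0) + AP,                    # Clear-To-Send: 10-byte header
    build_frame(0, SUBTYPE_DEAUTH, STA, AP, AP, struct.pack("<H", 7)),          # deauth, constructed reason code
    build_frame(0, SUBTYPE_DEAUTH, STA, AP, AP, struct.pack("<H", 7)),
]

if __name__ == "__main__":
    capture = write_pcap(SAMPLE_FRAMES)
    with open("sample80211.pcap", "wb") as fh:  # open with Wireshark or tcpdump -r
        fh.write(capture)
    counts, kickers = summarize(capture)
    for label, n in sorted(counts.items()):
        print("%-32s %d" % (label, n))
    print("deauth/disassoc senders:", kickers)
    print("filter for red frames:", type_subtype_filter(0, SUBTYPE_DEAUTH))
```

Running the script writes sample80211.pcap, which you can load into Wireshark to confirm that its decoder reports the same type and subtype for each frame as parse_frame_control does; the string returned by type_subtype_filter is the display-filter expression you would paste into a coloring rule for that frame class. Note that the Clear-To-Send frame carries only a 10-byte header, so code that reads Address 2 or Address 3 has to check the frame type (or the length, as summarize does) before indexing past byte 9.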