Wireshark --- Promiscuous Mode --- WPA
I'm currently working on the development of an embedded systems device that communicates with the LAN over wifi (it has a simple wifi module on the board that can connect to a WEP or WPA network).
I've been using Wireshark on my workstation PC to monitor the traffic going back and forth between hosts on the LAN (in promiscuous mode of course) so I can see all Ethernet frames.
Now I've reached a development stage of moving on to testing on a WPA network. I've opened up Wireshark and set it to promiscuous mode... but I can't see other people's frames! I can only see broadcast frames and unicast frames directed to my own MAC address, that's all.
I've been searching the internet on how to get Wireshark to sniff WPA traffic in promiscuous mode, and I even went into Preferences -> IEEE 802.11 and entered my SSID and WPA key, but still nothing.
I've tried changing the access point's encryption from WPA2-PSK to WPA1 with TKIP but still nothing, I can't see other people's frames.
Does anyone know a solution to this? If I need to pay money for a product then I will. I'd prefer a piece of software rather than hardware, but if I need hardware to do it then that's OK. I'd prefer if I could still use Wireshark instead of having to use another program.
Anyone?
Re: Wireshark --- Promiscuous Mode --- WPA
Even if what I'm trying to achieve isn't possible, could someone please let me know?
Re: Wireshark --- Promiscuous Mode --- WPA
Really...? Anyone...?
Re: Wireshark --- Promiscuous Mode --- WPA
I found this and it may be of help to you:
"In addition, if your network has any form of encryption (WEP, WPA/WPA2), while the adapter might be able to, in promiscuous mode, *capture* all traffic on your local network, it probably won't be able to *decrypt* it (that being the whole point of encrypting wireless traffic), and might well just drop those packets on the floor for that reason."
It seems maybe because it's encrypted and cannot be decrypted, then it may be getting dropped. I am not 100% sure, but I wanted to try to lend a hand because it does not look like anyone else is.
You may be able to understand it better if you read the source. Website source: http://www.wireshark.org/lists/wires.../msg00023.html
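The reply above is right that capturing and decrypting are separate problems, and it also explains why entering the passphrase under Preferences -> IEEE 802.11 (as the original post did) is not enough on its own. Wireshark and airdecap-ng do not decrypt with the passphrase directly: they derive the PMK from passphrase and SSID, then derive a per-client PTK from the PMK, both MAC addresses and the two nonces of that client's EAPOL 4-way handshake, and they can only check they have the right key by recomputing the MIC on handshake message 2. So the capture has to be a monitor-mode capture of 802.11 frames (promiscuous mode on a Wi-Fi adapter only gives you what the adapter already passes up) and it has to include the handshake of every client you want to read. The block below is an added example, not code from the thread or from Wireshark or aircrack-ng; it assumes WPA2/CCMP key layout (EAPOL key descriptor version 2, HMAC-SHA1-128 MIC), and the MACs, nonces and RSN IE are constructed values, not a real capture. The PMK check uses the passphrase/SSID test vector from the IEEE 802.11 standard annex.

```python
"""WPA/WPA2-PSK key derivation and EAPOL-Key MIC check (added example).

Assumptions: WPA2/CCMP key layout, EAPOL-Key descriptor version 2 (HMAC-SHA1-128
MIC). All handshake values below are constructed for illustration, not captured.
"""
import hashlib
import hmac
import struct

MIC_OFF = 81  # EAPOL hdr(4)+desc(1)+info(2)+keylen(2)+replay(8)+nonce(32)+iv(16)+rsc(8)+id(8)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
                 nbytes: int = 48) -> bytes:
    # min||max ordering so AP and station derive the same PTK; KCK is PTK[0:16],
    # KEK is PTK[16:32] and the CCMP temporal key (TK) is PTK[32:48]
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    # MIC = HMAC-SHA1-128 over the whole EAPOL frame with the MIC field zeroed
    zeroed = frame[:MIC_OFF] + b"\x00" * 16 + frame[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce: bytes, key_data: bytes) -> bytes:
    # Constructed 4-way handshake message 2 (station -> AP) with the MIC still zero
    key_info = 0x010A  # descriptor version 2, Pairwise bit, MIC bit
    body = (struct.pack(">BHHQ", 2, key_info, 16, 1)  # descriptor type, info, key len, replay ctr
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # nonce, IV, RSC, ID
            + b"\x00" * 16 + struct.pack(">H", len(key_data)) + key_data)  # MIC, key data
    return struct.pack(">BBH", 2, 3, len(body)) + body  # 802.1X v2, EAPOL-Key, length


def sign_msg2(frame: bytes, kck: bytes) -> bytes:
    return frame[:MIC_OFF] + eapol_mic(kck, frame) + frame[MIC_OFF + 16:]


def handshake_matches(passphrase: str, ssid: str, aa: bytes, spa: bytes,
                      anonce: bytes, snonce: bytes, msg2: bytes) -> bool:
    """True if this passphrase reproduces the MIC on message 2, i.e. the PTK
    (and so the TK for this client's data frames) can be derived from it."""
    pmk = pmk_from_passphrase(passphrase, ssid)
    kck = ptk_from_pmk(pmk, aa, spa, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, msg2), msg2[MIC_OFF:MIC_OFF + 16])


# Constructed demo values (hypothetical AP and station, fixed nonces, plain RSN IE)
AP = bytes.fromhex("000102030405")
STA = bytes.fromhex("0a0b0c0d0e0f")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")


def signed_msg2(passphrase: str, ssid: str) -> bytes:
    # What a real station would send: message 2 with a MIC under the derived KCK
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), AP, STA, ANONCE, SNONCE)[:16]
    return sign_msg2(build_eapol_msg2(SNONCE, RSN_IE), kck)


if __name__ == "__main__":
    m = signed_msg2("MyPassword", "MyAP")
    print("right key :", handshake_matches("MyPassword", "MyAP", AP, STA, ANONCE, SNONCE, m))
    print("wrong key :", handshake_matches("WrongPassword", "MyAP", AP, STA, ANONCE, SNONCE, m))
```

This is also why the WPA1/TKIP change in the original post made no difference: the handshake is still needed, only the MIC algorithm (HMAC-MD5 for descriptor version 1) and the TK size (64-byte PTK for TKIP) change. For WPA2-PSK a trick that often helps is to deauthenticate a client so it re-associates and you capture its handshake with its data.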
Airodump -> Airdecap -> Virtual Network Interface -> Wireshark
I can't for the life of me get Wireshark to sniff in promiscuous mode on a WPA network (even after going into preferences and inputting my WPA passphrase), but I've found a slight work-around.
1) I run airodump-ng on the wireless interface and get it to output to a file
2) I take the output of airodump-ng and supply it as input to airdecap-ng (along with the SSID and passphrase)
3) I open up Wireshark and open the static file produced by airdecap-ng
When I do this, I can indeed see all frames on the WPA wifi network. Only problem is that it's not realtime, I'm looking at an old capture.
Has anyone been working on a way to get this working in realtime so that frames show up right away in Wireshark?
Seems to me that if I was to go about writing a program to do it, here's what I'd do:
1) Create some sort of virtual network interface
2) Take the output of airodump-ng and pipe it into airdecap-ng
3) Take the output of airdecap-ng and flush it out the virtual network interface I've already created
4) Open up Wireshark and listen on the virtual network interface
Such a program would definitely be possible to put together. Has anyone been working on it? ......or should I get coding on it myself? The source code of aircrack-ng and airdecap-ng is available to me so I'd only have to do some tweaking to pipe the output of one into the other, and then write some code to create a virtual network interface and flush the output out through it.
Any comments?
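One way to get the four steps above (capture, decrypt, virtual interface, Wireshark) to work in real time without creating an interface at all is to write the decrypted frames as a pcap stream into a named pipe and let Wireshark capture from the pipe (`mkfifo /tmp/decrypted.pcap; wireshark -k -i /tmp/decrypted.pcap`, then start the writer; Wireshark and tshark accept a named pipe as a capture interface). Nothing else ever sees the frames, and the writer needs no raw sockets or root. The block below is an added example, not code from this thread or from aircrack-ng or Wireshark: it shows the pcap stream format, and the 802.11 data frame to Ethernet rewrite that airdecap-ng performs by default (it keeps the 802.11 header only with `-l`), which is what makes the output readable as plain LAN traffic. The frame it feeds in is a constructed, already-decrypted station-to-AP ARP request; in a real pipeline the frames would come from the decryption step.

```python
"""Stream decrypted frames to a live Wireshark through a named pipe (added example).

Assumptions: input frames are already-decrypted 802.11 data frames carrying an
LLC/SNAP header (the 8-byte CCMP/TKIP header already stripped). The sample frame
is constructed for illustration, not captured.
"""
import struct
import time

LINKTYPE_ETHERNET = 1
SNAP_HDR = bytes.fromhex("aaaa03000000")


def pcap_global_header(linktype: int = LINKTYPE_ETHERNET, snaplen: int = 65535) -> bytes:
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype (little-endian host order)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(frame: bytes, ts: float) -> bytes:
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def dot11_data_to_ethernet(frame: bytes) -> bytes:
    """Rewrite a decrypted 802.11 data frame as an Ethernet II frame.

    Which address is source and destination depends on the To DS / From DS
    flags; the LLC/SNAP header is replaced by the EtherType it carries."""
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = fc1 & 0x1, (fc1 >> 1) & 0x1
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    hdr_len = 24
    if to_ds and from_ds:
        a4 = frame[24:30]
        hdr_len += 6
        dst, src = a3, a4
    elif to_ds:
        dst, src = a3, a2  # station -> AP: a1 is the BSSID
    elif from_ds:
        dst, src = a1, a3  # AP -> station: a2 is the BSSID
    else:
        dst, src = a1, a2  # ad hoc / direct
    if fc0 & 0x80:         # QoS Data subtype carries a 2-byte QoS Control field
        hdr_len += 2
    body = frame[hdr_len:]
    if body[:6] != SNAP_HDR:
        raise ValueError("no LLC/SNAP header; frame is probably still encrypted")
    return dst + src + body[6:]  # body[6:8] is the EtherType, then the payload


def pcap_bytes(frames, ts: float = None) -> bytes:
    # Global header followed by one record per (converted) frame
    out = pcap_global_header()
    for f in frames:
        out += pcap_record(dot11_data_to_ethernet(f), time.time() if ts is None else ts)
    return out


def write_pcap_stream(path: str, frames) -> int:
    """Write the stream to `path`; if it is a FIFO, open() blocks until
    Wireshark has opened it for reading. Returns bytes written."""
    data = pcap_bytes(frames)
    with open(path, "wb") as fh:
        fh.write(data)
        fh.flush()
    return len(data)


def parse_pcap(data: bytes):
    """Minimal reader used to check the stream: returns (linktype, [frames])."""
    magic, _v1, _v2, _tz, _sf, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4:
        raise ValueError("bad magic")
    frames, off = [], 24
    while off < len(data):
        _s, _us, caplen, _wlen = struct.unpack("<IIII", data[off:off + 16])
        frames.append(data[off + 16:off + 16 + caplen])
        off += 16 + caplen
    return linktype, frames


# Constructed sample: station 0a:0b:.. -> AP 00:01:.. (To DS), broadcast ARP request
SAMPLE_FRAME = (bytes.fromhex("0801" "0000" "000102030405" "0a0b0c0d0e0f" "ffffffffffff" "1000")
                + SNAP_HDR + bytes.fromhex("0806")
                + bytes.fromhex("0001080006040001" "0a0b0c0d0e0f" "c0a80164"
                                "000000000000" "c0a80101"))

if __name__ == "__main__":
    import sys
    # e.g.: mkfifo /tmp/decrypted.pcap && wireshark -k -i /tmp/decrypted.pcap &
    write_pcap_stream(sys.argv[1] if len(sys.argv) > 1 else "/tmp/decrypted.pcap", [SAMPLE_FRAME])
```

Compared with injecting on `lo`, the pipe keeps the stream separate from real loopback traffic (no display filter needed), preserves the original timestamps if you pass them through instead of `time.time()`, and lets you keep the 802.11 headers by writing linktype 105 (IEEE 802.11) records instead of converting, which is the better choice when you still want to see management frames.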
Re: Airodump -> Airdecap -> Virtual Network Interface -> Wireshark
Actually there's no need to create any sort of virtual interface, I'll just output the frames on the "lo" loopback interface.
Right, I'm going to download the source code for airdecap-ng and alter it to read from standard input, then I'm going to pipe the output from airodump-ng into my altered airdecap-ng, and then I'll add code to airdecap-ng that makes it send frames out on "lo" instead of writing to a file. Then just open Wireshark and listen on "lo".
I'll let you know how I get on... this might not take me long at all, maybe just a few hours, because I already have my Dynamo code for sending out raw Ethernet frames.
Re: Airodump -> Airdecap -> Virtual Network Interface -> Wireshark
Okey dokey, I've successfully altered the Airdecap code to make it spit frames out on the "lo" interface instead of writing them to a file, and so they're coming up in Wireshark when I listen on "lo". So that's the bulk of the work done.
Now I just need to combine the code for Airodump with the code for Airdecap into one executable file so that frames are processed on-the-fly without being written to disk -- they'll just be spat out on the "lo" interface. I'll probably have that code finished tomorrow.
I'm surprised I have to go to this extent... I mean, I thought Wireshark had a facility for sniffing WPA traffic? I can't get that facility to work.
Re: Wireshark --- Promiscuous Mode --- WPA
Sounds like you're putting in a lot of effort here, I can't wait to see the finished product.
Re: Wireshark --- Promiscuous Mode --- WPA
Quote (originally posted by deviney): "Sounds like you're putting in a lot of effort here, I can't wait to see the finished product."
You'd be surprised, Deviney, it's not that much work at all altering these programs. I opened up the source code file for Airdecap and I just did a search for "fwrite" because I knew that's the C function that would be used to write to the output file. I replaced all calls to "fwrite" with calls to "SendRawEtherFrame" (which is a function in a raw socket networking library that I wrote about 5 years ago for a program called "Internet Prober", which later developed into a program called "Dynamo"). So then, to check if it worked, I opened up Wireshark and listened on interface "lo", and lo and behold, I could see the decrypted frames.
Next I'm going to open the source code file for Airodump, and I'll do a "find and replace" on "fwrite"; I'll then replace these calls to "fwrite" with direct calls to the algorithm in the Airdecap code that processes encrypted frames, and from there the decrypted frames will be spat out on "lo" so that you can pick them up in Wireshark in real time.
Then I'll just compile Airodump and Airdecap together into one executable, and probably run it as follows:
WpaSnifferHelper --channel 4 --bssid 00:01:02:03:04:05 --essid MyAP --key MyPassword wlan0
so then you just open Wireshark and listen on "lo" and probably put in a filter such as "!(ip) or !(ip.addr == 127.0.0.1)" to get rid of the other crap that goes on that interface.
It's 9:33am here in Ireland but I'm going to go back asleep for a few hours. I'll have this done by today, though; I already know exactly what needs to be done. It's less than 3 hours of coding, definitely.