Jump to content

WireShark and monitor mode


phixxer

Recommended Posts

I'm just getting started in the packet capture phase and after getting the ALFA USB WiFi AWUS036NEH and successfully putting it into monitor mode I see it is set to channel 1. With this setting I only see beacons from waps, not traffic from the target channel 6 for one. I have done the usual searching the web and the only mention of channel setting I have seen is within Wireshark itself. Being on version 2.0.2 and on Linux I don't see the options they reference under "capture/options/wireless", doesn't exist. And in my mind I would think that the channel is set on the interface, not the software, I may be wrong, call me noob. Any help is appreciated.

Link to comment
Share on other sites

If you start the card into monitor mode, by default should see all channels. If you start airodump-ng for example, it will scan on all channels unless you specify a specific channel. I would recommend though, picking a single channel you want to work within though, ie: if your router you want to test is on channel 6, set it to channel 6 in airodump-ng(which might also make it only see channel 6 in wireshark). In wireshark, it sees everything as far as I know unless you specify a specific capture filter for the mac address of the device you want to filter out/capture only, or change the nic's wireless channel specifically from the command line when you put it into monitor mode.

example:

ifconfig wlan0mon mode monitor channel 6

 

I don't know of a setting in wireshark to work by channel, but maybe there is a capture filter specifically for the wifi channel settings.

Edited by digip
Link to comment
Share on other sites

23 hours ago, phixxer said:

Thank you for your reply. I will use your advice when revisiting the attempt.

This seems to be the most authoritative answer:  

wlan host 08:00:08:15:ca:fe

While not exactly the channel you can narrow it down to the channel you want by selecting the APs in that band I suppose?
Link to comment
Share on other sites

You can use both iwconfig and iw to set the interface channel.

Examples:

iwconfig wlan0 channel 11
iw dev wlan0 set channel 11

Your interface can only be in 'one channel at a time'.
When attacking/listening for a specific AP that you know the channel of, it would we wisest to set your interface to the same channel, to not miss out any packets.

When airodump-ng is using "all channels" it is automatically hopping through all the channels. (Staying on one channel for a few milliseconds, before jumping to the next)
So for that "brief period of time" that you are not on the same channel as your target, you will miss out on any packets transmitted at that time.

Edited by Zylla
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...