
Airodump-ng: What Exactly Are Data Packets?


blackriver

I was trying to explain the workings of Airodump-ng to someone when it occurred to me I don't fully understand what the "#Data" column is trying to show. I always assumed these were "interesting" packets, i.e. packets generated by an actual user instead of, say, beacons (although the manual says it's the "number of captured data packets, including data broadcast packets"). I was wondering if anyone knew how Airodump-ng determines if it sees a data packet.

I tried to google but couldn't find an answer. So is it perhaps one of these?

All packets minus beacons?

Only TCP (and maybe UDP) packets?

All packets that have a source and destination?


It is referring to layer 2 data frames that it has captured. These don't include beacon frames but do include broadcast frames; they are different.

The easiest way to think of it is that they are the actual frames from each computer that will reach other computers on the network. Frames like Beacon, Authentication, Deauthentication, etc. are only passed between the computer and the access point, and so aren't included as a data frame.

Thanks for the reply, Jason. I'm trying to understand how I could do the same with a different tool, say tcpdump. As far as I understand, tcpdump will also capture the beacons when put in monitor mode with -I. Is there a way to basically count the "data packets" in monitor mode just like airodump-ng does?


I have never tried using tcpdump with a wireless interface in monitor mode. I suspect that you will have to do a bit of coding to get the results that you want, or grab everything with tcpdump and then run the capture through Wireshark.

If you do start to investigate coding your own tool then the 802.11 standards could be useful reading.


I'm not sure if I'm up to coding my own tool yet, but thanks for the reading material. I wonder if this would be a good exercise in Python or Ruby: calling tcpdump and tshark, processing their output, and restarting. Sounds like a weekend project!

If you are going to have a go with it, look at using the pcap libraries, as they will make your life easier when dealing with sniffing/captured packets.

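As an added example of the counting discussed in this thread (not code from the thread or from the aircrack-ng project), the script below reads a pcap as written by `tcpdump -I -w`, skips the radiotap header, and classifies each frame by the type bits of its 802.11 Frame Control field, counting only type 2 (data) frames, broadcast included, as the airodump-ng manual describes. The sample capture is constructed inline; the script assumes a little-endian pcap with the radiotap link type and does no radiotap field parsing beyond its length.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4    # little-endian pcap with microsecond timestamps
LINKTYPE_RADIOTAP = 127    # DLT_IEEE802_11_RADIO: what tcpdump -I writes in monitor mode
BROADCAST = b"\xff" * 6

def count_frames(pcap: bytes) -> dict:
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_RADIOTAP:
        raise ValueError("expected a little-endian pcap with the radiotap link type")
    counts = {"mgmt": 0, "ctrl": 0, "data": 0, "data_broadcast": 0, "malformed": 0}
    off = 24                                         # just past the pcap global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        rec = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        rt_len = struct.unpack_from("<H", rec, 2)[0] if len(rec) >= 4 else 0
        if rt_len < 8 or len(rec) < rt_len + 2:      # no Frame Control field behind radiotap
            counts["malformed"] += 1
            continue
        fc = struct.unpack_from("<H", rec, rt_len)[0]
        ftype = (fc >> 2) & 0x3                      # bits 2-3: 0 mgmt, 1 control, 2 data
        if ftype == 0:
            counts["mgmt"] += 1                      # beacon, probe, auth, deauth, ...
        elif ftype == 1:
            counts["ctrl"] += 1                      # ACK, RTS, CTS, ...
        elif ftype == 2 and len(rec) >= rt_len + 24:  # data with a full 3-address header
            counts["data"] += 1
            to_ds = (fc >> 8) & 0x1                  # ToDS=1: addr1 is the BSSID, DA is addr3
            da = rec[rt_len + 16:rt_len + 22] if to_ds else rec[rt_len + 4:rt_len + 10]
            if da == BROADCAST:
                counts["data_broadcast"] += 1        # still a data frame, as the manual says
        else:
            counts["malformed"] += 1                 # truncated data frame or reserved type 3
    return counts

def _frame(fc: int, addr1: bytes, addr3: bytes = b"\x03" * 6) -> bytes:
    # Constructed frame: 8-byte radiotap header, 24-byte 802.11 header, 4 payload bytes.
    hdr = struct.pack("<HH", fc, 0) + addr1 + b"\x02" * 6 + addr3 + b"\x00\x00"
    return struct.pack("<BBHI", 0, 0, 8, 0) + hdr + b"\xde\xad\xbe\xef"

def sample_pcap() -> bytes:
    # Constructed capture: 2 beacons, 1 ACK, 4 data frames of which 2 go to broadcast.
    frames = [_frame(0x0080, BROADCAST), _frame(0x0080, BROADCAST),    # beacons: mgmt
              _frame(0x00D4, b"\x01" * 6), _frame(0x0008, b"\x01" * 6),  # ACK, unicast data
              _frame(0x0088, b"\x01" * 6), _frame(0x0008, BROADCAST),  # QoS data, bcast data
              _frame(0x0108, b"\x0b" * 6, BROADCAST)]                  # ToDS=1, DA in addr3
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_RADIOTAP)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
```

Run `count_frames(open("capture.pcap", "rb").read())` on a real monitor-mode capture; the "data" figure is the one that corresponds to airodump-ng's #Data column, while beacons land in "mgmt".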
