Want To View Only Probe Requests Need Help.


Vodmya

Might be an easy question but I'll ask anyway. Does anyone know of a way of using an app like airodump to display only probe requests of unassociated clients? airodump-ng -a mon0 doesn't seem to do a heck of a lot. I'm not looking for a filter rule for wireshark. What I am attempting to do is run a utility that will monitor the air and display only probe requests with their bssid and previously connected AP essids (i.e. only the lower half of airodump-ng). No malicious intent, just curious about what is happening around me in real time with a nice simple gui. (I get a kick out of some of the APs' essids, esp. those who use apple products. Even after a master reset, prev connected machines are still displayed with a 'ginormous' listing.)


The only option I can think of at the moment is placing your wireless adapter in monitor mode and then capturing the traffic around you with Wireshark. That should definitely get what you want. However, if there is a utility that can do what you are asking, then I really would like to hear about it.


I know you said you didn't want to use wireshark filters, but maybe the command line version of it, tshark, or even tcpdump, can be piped to ngrep for probes only. ngrep might do the trick by itself, but I've never used it before.


Wireshark is definitely an option but I'm really looking for something quick and dirty without diving into the individual packets. My googling fingers are tired. I believe I'm looking for an app or script that hasn't been written yet. A temp solution would be to set the wireless card to another country (i.e. BO) and place it on an "ill-advisable" channel depending on where you live, and in theory there would be minor overlapping/no traffic and all of the output would be mostly unassociated probe requests. It would be a nifty tool to have running to be able to see whose wifi-enabled mobile devices give them away before entering your vicinity.

Safer/legal alternative: airodump-ng -c 1 --encrypt=OPN mon0 (unless you live in stupidville)

Edited by Vodmya

Wireshark is definitely an option but I'm really looking for something quick and dirty without diving into the individual packets. My googling fingers are tired. I believe I'm looking for an app or script that hasn't been written yet. A temp solution would be to set the wireless card to another country (i.e. BO) and place it on an "ill-advisable" channel depending on where you live, and in theory there would be minor overlapping/no traffic and all of the output would be mostly unassociated probe requests. It would be a nifty tool to have running to be able to see whose wifi-enabled mobile devices give them away before entering your vicinity.

Safer/legal alternative: airodump-ng -c 1 --encrypt=OPN mon0 (unless you live in stupidville)

If you capture on only a specific channel, vs channel hopping, you will only see probes on that specific channel and ones close to it, i.e. channel 1 would pick up channels 2 and 3 sometimes.

Look into how ngrep works though. Like I said, I haven't used it, but it's meant for grepping network traffic vs files on the local system the way normal grep does. Your best bet though, is to save to a pcap and analyze later, although you should be able to pipe it data and then maybe pipe that output to screen or a log file while echoing finds back to screen at the same time.

http://link.brightcove.com/services/player/bcpid710694489001?bclid=708670032001&bctid=710381954001

Edited by digip

Tks for the tip on ngrep (haven't used it either). Be interesting to see if the specific data could be filtered and piped and then viewed in real time. My next question would be about the unassociated probe requests. Even though I've set my card to ch1 (1-3 overlaps)(my exercises have resulted in "Joe Average" broadcasting on ch 6 or 11 mostly). As well as having an encryption filter to open auth (lowest amount of broadcasters) to cut down on the viewable output using strictly airodump-ng would be: Are the unassociated clients searching on set channels or are they searching on all the bands looking for wifi and prev associated APs? If they are not band specific I should still be viewing the same amount of traffic the same as if I was channel hopping?


Just found my answer. Running 2 monitor modes at the same time. One set to channel 1 and the other to channel 11. Output is the same for unassociated clients. Just found a script that looks promising as well.

https://github.com/xme/hoover

Big thanks to this forum and the Hak5 show for all your advice it is appreciated!

Edited by Vodmya
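
An added example, not part of any post in this thread and not code from the hoover project: a minimal Python parser for the view the thread asks for, pulling the client MAC and probed SSID out of radiotap-encapsulated 802.11 probe requests and flagging randomized (locally administered) MACs, which is also a quick way to check which saved network names your own device discloses. The function names are hypothetical and the frames are constructed sample bytes, not captured traffic.

```python
import struct

PROBE_REQ = 0x40  # frame-control byte 0: version 0, type 0 (mgmt), subtype 4

def parse_probe_request(pkt: bytes):
    """Return (client_mac, ssid, randomized_mac), or None if not a probe request."""
    if len(pkt) < 8 or pkt[0] != 0:
        return None                          # not a radiotap v0 header
    rt_len = struct.unpack_from("<H", pkt, 2)[0]
    frame = pkt[rt_len:]                     # 802.11 frame follows radiotap
    if rt_len < 8 or len(frame) < 24 or frame[0] != PROBE_REQ:
        return None
    src = frame[10:16]                       # addr2 = transmitting client
    mac = ":".join(f"{b:02x}" for b in src)
    randomized = bool(src[0] & 0x02)         # locally administered bit
    pos = 24                                 # tagged parameters start here
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:
            break                            # truncated element, stop parsing
        if tag == 0:                         # SSID element
            return mac, body.decode("utf-8", "replace"), randomized
        pos += 2 + length
    return None

def summarize(packets):
    """Map client MAC -> {'randomized': bool, 'ssids': set of named SSIDs}."""
    seen = {}
    for mac, ssid, rnd in filter(None, map(parse_probe_request, packets)):
        entry = seen.setdefault(mac, {"randomized": rnd, "ssids": set()})
        if ssid:                             # empty SSID = wildcard probe
            entry["ssids"].add(ssid)
    return seen

def _frame(fc, src, ssid):
    # Build a constructed test frame: radiotap + mgmt header + SSID + rates.
    rt = bytes([0, 0, 8, 0, 0, 0, 0, 0])
    hdr = bytes([fc, 0, 0, 0]) + b"\xff" * 6 + src + b"\xff" * 6 + b"\x00\x00"
    return rt + hdr + bytes([0, len(ssid)]) + ssid + bytes([1, 2, 0x82, 0x84])

# Constructed sample frames (not captured traffic).
SAMPLE = [
    _frame(0x40, bytes.fromhex("a4b1c2000001"), b"HomeNet"),
    _frame(0x40, bytes.fromhex("a4b1c2000001"), b"CoffeeShop"),
    _frame(0x40, bytes.fromhex("da0000000002"), b""),        # wildcard probe
    _frame(0x80, bytes.fromhex("001122334455"), b"SomeAP"),  # beacon, ignored
]
```
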