
Wireshark filter for _possible_ UDP unicast packets in encrypted wifi traffic


autistic


I've come across an interesting security-through-obscurity feature in a wifi device from a well known hardware manufacturer.


I've created a small application that demonstrates how the underlying data being transmitted can be recovered.


I'm using tshark to capture the data I need and currently I'm capturing all wifi frames that I can see in my vicinity.


But before I publish any details of the approach I'd like to narrow my tshark capture to filter out frames that can't possibly be relevant.


Assume all wifi networks in the vicinity are protected with WPA2, WPA or WEP and that I do not have the necessary keys to decrypt any of the traffic (nor do I need or intend to try any key recovery for what I'm doing).


OK - so given this I can only say so much about each frame.


So can someone suggest a filter that will capture the minimum amount of frames while still retaining all frames that could potentially be the result of the transmission of non-empty UDP unicast packets?


At the very least I can filter out wifi probes etc. but I'm sure it's possible to do way better.


My current demonstration application works fine trawling through all frames but I'd like to make it faster by not capturing frames that can't possibly be relevant.


If you're asking yourself how good this security-through-obscurity feature can be if it can be sidestepped by someone who clearly doesn't know much about Wireshark or the characteristics of wifi frames, then you'd be right in thinking "not very good at all."


Still the approach being taken by this manufacturer is interesting and I'd like to document it.


Regards,


/George


This should get you close.

In most cases RTP port numbers are dynamically assigned. You can use something like the following which limits the capture to UDP, even source and destination ports, a valid RTP version, and small packets. It will capture any non-RTP traffic that happens to match the filter (such as DNS) but it will capture all RTP packets in many environments.

  • udp[1] & 1 != 1 && udp[3] & 1 != 1 && udp[8] & 0x80 == 0x80 && length < 250

Via: http://wiki.wireshark.org/CaptureFilters
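One caveat worth spelling out for the original question: the filter quoted above tests bytes of the UDP header (`udp[1]`, `udp[3]`, `udp[8]`), and on a WPA/WPA2/WEP network those bytes are inside the encrypted frame body, so a capture filter like that can only match frames from open networks. What remains visible without keys is the 802.11 MAC header and the frame length. The script below is an added example, not code from either poster or from the Wireshark wiki; it applies the header-only checks a capture filter could express (data frames only, no Null/QoS Null subtypes, destination address not a group address) plus a length floor (the body must exceed the smallest encrypted IPv4+UDP header that could carry an empty datagram) over a set of constructed raw 802.11 frames. It assumes frames without a radiotap header and without a trailing FCS; the `CAPTURE_FILTER` string is the pcap-filter equivalent of the header checks and is my assumption of the right primitives, not something taken from the thread.

```python
"""Pick out 802.11 frames that could carry a non-empty UDP unicast datagram,
using only the cleartext MAC header and the body length (constructed example)."""

TYPE_DATA = 2
NULL_SUBTYPES = {4, 12}          # Null and QoS Null data frames carry no body
FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40

# Smallest body that can hold an *empty* UDP datagram. Encrypted: WEP IV(4) +
# LLC/SNAP(8) + IPv4(20) + UDP(8) + ICV(4); TKIP and CCMP add more overhead, so
# this is a conservative floor for all three ciphers. Unprotected: LLC/SNAP(8)
# + IPv4(20) + UDP(8). A non-empty datagram must make the body strictly longer.
MIN_ENCRYPTED_EMPTY_UDP_BODY = 4 + 8 + 20 + 8 + 4
MIN_PLAIN_EMPTY_UDP_BODY = 8 + 20 + 8

# Assumed pcap-filter equivalent of the header checks below (the length floor
# is left to the code because radiotap headers would skew a 'greater' test).
CAPTURE_FILTER = "wlan type data and not wlan broadcast and not wlan multicast"


def parse_header(frame: bytes) -> dict:
    """Decode frame control, work out the header length and the destination."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc0, flags = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    addr1, addr3 = frame[4:10], frame[16:22]
    hdr_len = 24
    if flags & FLAG_TO_DS and flags & FLAG_FROM_DS:
        hdr_len += 6                           # addr4 present in WDS frames
    if ftype == TYPE_DATA and subtype & 0x8:
        hdr_len += 2                           # QoS control field
    # Frames heading into the distribution system carry the DA in addr3.
    da = addr3 if flags & FLAG_TO_DS else addr1
    return {"type": ftype, "subtype": subtype, "flags": flags,
            "da": da, "body_len": len(frame) - hdr_len}


def could_be_nonempty_udp_unicast(frame: bytes) -> bool:
    """True only if nothing in the cleartext header rules the frame out."""
    h = parse_header(frame)
    if h["type"] != TYPE_DATA or h["subtype"] in NULL_SUBTYPES:
        return False
    if h["da"][0] & 1:                         # group bit: broadcast/multicast
        return False
    floor = (MIN_ENCRYPTED_EMPTY_UDP_BODY if h["flags"] & FLAG_PROTECTED
             else MIN_PLAIN_EMPTY_UDP_BODY)
    return h["body_len"] > floor


def select_candidates(frames) -> list:
    """Indices of frames worth handing to the slower full analysis."""
    return [i for i, f in enumerate(frames) if could_be_nonempty_udp_unicast(f)]


def build_frame(fc0, flags, addr1, addr2, addr3, body, qos=False) -> bytes:
    """Assemble a raw 802.11 frame (no radiotap, no FCS) for the samples."""
    hdr = bytes([fc0, flags]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x10\x00"
    if qos:
        hdr += b"\x00\x00"
    return hdr + body


# Constructed sample traffic with locally administered addresses.
AP, STA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
BCAST, MCAST = b"\xff" * 6, bytes.fromhex("01005e0000fb")
SAMPLE_FRAMES = [
    build_frame(0x40, 0x00, BCAST, STA, BCAST, b"\x00" * 20),            # probe request
    build_frame(0x08, 0x42, BCAST, AP, AP, b"\x00" * 100),               # broadcast data
    build_frame(0x88, 0x42, STA, AP, AP, b"\x00" * 120, qos=True),       # unicast QoS data
    build_frame(0x08, 0x41, AP, STA, MCAST, b"\x00" * 100),              # ToDS, DA multicast
    build_frame(0xC8, 0x01, AP, STA, AP, b"", qos=True),                 # QoS Null
    build_frame(0x08, 0x42, STA, AP, AP, b"\x00" * 44),                  # at the floor
    build_frame(0x08, 0x42, STA, AP, AP, b"\x00" * 45),                  # one byte over
    build_frame(0x08, 0x02, STA, AP, AP, b"\x00" * 40),                  # open network
]

if __name__ == "__main__":
    print("capture filter:", CAPTURE_FILTER)
    print("candidate frames:", select_candidates(SAMPLE_FRAMES))
```

Frames 2, 6 and 7 survive: the probe request is management traffic, frame 1 and frame 3 go to group addresses (frame 3 only shows that once the ToDS bit selects addr3 as the destination), the QoS Null has no body, and frame 5 is exactly as long as an encrypted empty UDP datagram, so it cannot be a non-empty one. The open-network frame passes on the lower unencrypted floor; on an open network the quoted `udp[...]` filter could then finish the job.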
