HammerHead_0718 Posted March 10, 2016

I'm getting more and more familiar with airodump-ng but noticed there is also tcpdump. I have a few questions. Am I correct to assume that airodump-ng is solely for wireless sniffing while tcpdump is for any interface, including wired connections? If that is so, when running tcpdump on my wireless interface card while it's in monitor mode, shouldn't it pick up 4-way handshakes (WPA2)? Thanks.
cooper Posted March 11, 2016

TCPDump dumps, you've guessed it, TCP. When the 4-way handshake is performed, you don't yet have a network connection. There's no IP assigned to you or anything. So airodump-ng dumps more than TCPDump, and what it dumps more is specific to wireless networks. TCPDump works on the network once the connection to the network has been established, and doesn't care if that network is wireless, wired or anything else.
fugu Posted March 11, 2016 (edited)

In the past I've used tcpdump to capture wireless packets, but you have to manually put the card in monitor mode.

wlan[0x00] == 0x80 is a Beacon Frame
wlan[0x00] == 0x08 is a Data Frame
wlan[0x1e:2] == 0x888e is 802.1X Authentication
wlan[0x24] == 0x02 is EAPOL

sudo tcpdump -i wlan0 -w dumpfile.pcap -s 0 -n \( wlan[0x00] == 0x80 \) or \( wlan[0x00] == 0x08 and wlan[0x1e:2] == 0x888e and wlan[0x24] == 0x02 \)

I haven't thoroughly tested the above command for capping the EAPOL part, but I do get a ton of beacon frames. It probably needs a bit of tweaking to get it to cap correctly.

(Edit: fixed a typo)

Edited March 11, 2016 by fugu
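Added example, not fugu's or the thread's code: a small Python classifier that applies the byte offsets from the tcpdump filter above to raw 802.11 frames and, going one step beyond the filter, also handles QoS Data frames (frame control byte 0x88), whose extra 2-byte QoS Control field shifts the LLC/SNAP and EAPOL offsets by two and which the filter's wlan[0x00] == 0x08 test leaves out. It assumes frames are passed in without a radiotap header; all sample frames are constructed by hand.

```python
# Added example, not from the thread: applies the byte offsets in fugu's
# tcpdump filter to raw 802.11 frames (no radiotap header) in Python, and
# extends them to QoS Data frames, whose 2-byte QoS Control field shifts the
# LLC/SNAP and EAPOL offsets. All sample frames are constructed by hand.

FC_BEACON = 0x80      # frame control byte 0: management / beacon
FC_DATA = 0x08        # data / plain Data (24-byte MAC header)
FC_QOS_DATA = 0x88    # data / QoS Data (26-byte MAC header)
ETHERTYPE_EAPOL = 0x888E
EAPOL_KEY_RSN = 0x02  # EAPOL-Key descriptor type used by WPA2/RSN


def matches_thread_filter(frame: bytes) -> bool:
    """Literal translation of the thread's BPF expression, fixed offsets and all."""
    if frame and frame[0] == FC_BEACON:
        return True
    return (len(frame) > 0x24 and frame[0] == FC_DATA
            and int.from_bytes(frame[0x1E:0x20], "big") == ETHERTYPE_EAPOL
            and frame[0x24] == EAPOL_KEY_RSN)


def classify_frame(frame: bytes) -> str:
    """Return 'beacon', 'eapol-key' or 'other', handling QoS Data as well."""
    if not frame:
        return "other"
    if frame[0] == FC_BEACON:
        return "beacon"
    if frame[0] not in (FC_DATA, FC_QOS_DATA):
        return "other"
    hdr = 26 if frame[0] == FC_QOS_DATA else 24
    etype_off = hdr + 6          # last 2 bytes of the 8-byte LLC/SNAP header
    desc_off = hdr + 8 + 4       # EAPOL: version, type, length(2), descriptor
    if len(frame) <= desc_off:
        return "other"
    if int.from_bytes(frame[etype_off:etype_off + 2], "big") != ETHERTYPE_EAPOL:
        return "other"
    return "eapol-key" if frame[desc_off] == EAPOL_KEY_RSN else "other"


def build_eapol_frame(qos: bool) -> bytes:
    """Constructed sample: minimal Data frame carrying an RSN EAPOL-Key header."""
    mac_hdr = bytes([FC_QOS_DATA if qos else FC_DATA, 0x00]) + bytes(22)
    if qos:
        mac_hdr += b"\x00\x00"   # QoS Control field
    llc_snap = b"\xaa\xaa\x03\x00\x00\x00" + ETHERTYPE_EAPOL.to_bytes(2, "big")
    eapol = bytes([0x02, 0x03]) + (1).to_bytes(2, "big") + bytes([EAPOL_KEY_RSN])
    return mac_hdr + llc_snap + eapol


BEACON = bytes([FC_BEACON, 0x00]) + bytes(22)   # constructed beacon header only
```

Running matches_thread_filter against build_eapol_frame(qos=True) returns False while classify_frame reports "eapol-key", which is one concrete reason the filter as written can miss handshake frames on a network that uses QoS Data.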