
Sunday, September 8, 2013

Sniff Public Traffic with Wireshark Monitor Mode and BroadCom Wireless card

In this post I'll show you how to sniff packets with Wireshark monitor mode in Ubuntu. First of all you need to check which wireless driver is installed on your computer. In my case (Ubuntu 13.04) the driver installation is shown under Additional Drivers.

Click on the Ubuntu logo in the upper left corner, search for Software and Updates and click on it.

In the Software and Updates dialog box, click on the Additional Drivers tab and check which driver is installed for your wireless device. In my case it was as follows:


The problem is that you cannot sniff public traffic in monitor mode while the Broadcom STA driver shown above is in use. So select Do not use the device, save, and restart your computer. This option does not do what its name implies: it only stops using the Broadcom STA driver and falls back to the default open source driver.

One additional thing: if you run sudo iwconfig in a terminal, it lists all wireless interfaces on your computer. Check that your real wireless interface is listed as a wireless interface (such as wlan0). If it is listed as an ethernet interface (such as eth1), you are still using the Broadcom STA driver. Make sure it is listed as a wireless interface before you go on to the following steps.

Wireless Monitor Mode

If you have used Wireshark before, you may have sniffed packets arriving at one of your own interfaces. For that you need to be connected to the access point or ad-hoc network whose packets you want to see. In wireless monitor mode you don't need to connect to any network; you can capture packets freely with Wireshark. This only works with wireless devices, since on a wired network a switch does not deliver other hosts' packets to your port.

Promiscuous Mode

Promiscuous mode is a mode of the network card that is useful on hubs (not switches): the card accepts every packet passing through the hub, not just those addressed to it. In this case you need to be connected to the network you want to sniff. It does not help on a switch, because a switch forwards each packet only to the port the intended receiver is connected to instead of simply flooding it to all ports. To do this, the switch keeps a table in memory that maps ports to the receivers' MAC addresses.

Enable Monitor Mode in BroadCom wireless card

You can use a shell script available in Ubuntu called airmon-ng to put your wireless card into monitor mode. Just run the following command:

sudo airmon-ng start wlan0

You will see output like the following.


In the output you can see that monitor mode is enabled on mon0.

mon0 is an interface created by airmon-ng with monitor mode enabled. You can use this interface in Wireshark to sniff all wireless packets in range.

Open Wireshark and, on the home screen, double click on the mon0 interface in the interfaces list.

Note:
If you cannot see any interface in the interfaces list, you don't have enough privileges. You need to add your username to the wireshark group as follows (you can start Wireshark as root and see all interfaces, but Wireshark discourages running it with sudo):
$ sudo dpkg-reconfigure wireshark-common
$ sudo usermod -a -G wireshark <username>

and restart your machine for the change to take effect.


When you double click on mon0, you will see the following options.


Check the checkbox Capture packets in monitor mode, then click OK.

Then go to Capture --> Interfaces.

Uncheck all interfaces except mon0 (if there is heavy wireless traffic around you, you'll see hundreds of thousands of packets on that interface).

Then start the capture. Done! You'll see Wireshark capturing all wireless traffic.

Note:
Starting monitor mode with airmon-ng is essential. Without it, you can start a monitor-mode capture on the wlan0 interface if you are connected to a network, but within 10 seconds of starting the capture you'll be disconnected from your wireless network.
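The two checks this post relies on, that the card shows up as a wlanX interface rather than an STA-driver ethX, and that an airmon-ng monitor interface exists before you open Wireshark, can be scripted by parsing iwconfig output. The following is an added example, not code from the original post; the iwconfig text it parses is a constructed sample, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): parse iwconfig-style output
# and report interface types and modes, so you can confirm the Broadcom STA
# driver is gone (card listed as wlanX) and that a Monitor-mode interface
# exists before starting a capture.

# Constructed sample of `sudo iwconfig` output (not captured from a real machine).
SAMPLE_IWCONFIG='lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11bgn  ESSID:"HomeAP"
          Mode:Managed  Frequency:2.437 GHz  Access Point: 00:11:22:33:44:55

mon0      IEEE 802.11bgn  Mode:Monitor  Frequency:2.437 GHz  Tx-Power=20 dBm
'

# wireless_ifaces TEXT -> prints, one per line, the interfaces that have
# wireless extensions (the ones you expect to be named wlanX or monX).
wireless_ifaces() {
    printf '%s\n' "$1" | awk '/^[^ \t]/ && !/no wireless extensions/ { print $1 }'
}

# iw_mode IFACE TEXT -> prints the Mode of IFACE ("Managed", "Monitor", ...),
# "wired" if it has no wireless extensions, or "absent" if it is not listed.
iw_mode() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^[^ \t]/ { cur = $1 }                       # names start in column 1
        cur == want && /no wireless extensions/ { print "wired"; found = 1; exit }
        cur == want && match($0, /Mode:[A-Za-z-]+/) {
            print substr($0, RSTART + 5, RLENGTH - 5); found = 1; exit
        }
        END { if (!found) print "absent" }'
}

# monitor_ready TEXT -> exit status 0 if some interface is in Monitor mode,
# i.e. airmon-ng has done its job; 1 otherwise (capturing on wlan0 directly
# is what drops your association, as the note above describes).
monitor_ready() {
    printf '%s\n' "$1" | grep -q 'Mode:Monitor'
}

# Usage on a live system: replace the sample with real output, e.g.
#   iw_mode mon0 "$(sudo iwconfig 2>/dev/null)"
```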
