WiFi Analyzing/Sniffing
Hardware
We recommend the following hardware for WiFi sniffing:
External WiFi adapter via USB
- CSL USB 2.0 WLAN Adapter 300Mbit (2.4/5 GHz)
- costs below 20 USD/EUR
- optionally an AirPcap NX can be used
- optionally an Octoscope device
This adapter is based on the Ralink RT5572 chipset, is dual band (2.4 and 5 GHz) and has RP-SMA antenna connectors. The in-tree Linux kernel driver (rt2800usb) supports monitor mode, which is required to capture all WiFi traffic on a channel and not only the frames addressed to your own station. If you use another WiFi stick/module, make sure a driver with working monitor mode is available for it before you buy.
Laptop internal M.2 or mPCIe card
These modules seem to be very well supported by the Linux kernel drivers, including monitor mode. It may be a bit tricky to route the antenna cable and RP-SMA connector out of the laptop, but this may be the far better choice!
Software
- Linux OS - we recommend an Ubuntu 20.04 based 64-bit Linux
- Wireshark 3.2.5 - you can check the installed version with
wireshark -v
- you can use other tools as well, but make sure the tool can write *.pcapng or *.pcap capture files so we can analyze them
To set up and configure the WiFi hardware driver, the Linux network subsystem and Wireshark with all needed parameters, we provide a script that does all of this automatically.
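The setup script itself is not reproduced on this page. The following Python script is an added example (not the page's script) that shows the iw/ip command sequence such a script has to run: create a separate monitor interface on the chosen phy, bring it up, and tune it to the test channel at 20 MHz. The phy and interface names (phy#2, mon0) are assumptions taken from the iwconfig/iw output shown in the Notes below.

```python
"""Bring a WiFi adapter into monitor mode on the channel under test.

Added example; not the setup script referred to on the page. Assumes the
Linux iw and ip tools and a phy whose driver supports the "monitor"
interface type (true for the RT5572 / rt2800usb adapter recommended above).
"""
from __future__ import annotations

import os
import subprocess
import sys

VALID_WIDTHS = {"NOHT", "HT20", "HT40+", "HT40-", "80MHz"}


def channel_to_mhz(channel: int) -> int:
    """Map an 802.11 channel number to its centre frequency in MHz (2.4 and 5 GHz bands)."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    if 32 <= channel <= 177:
        return 5000 + 5 * channel
    raise ValueError(f"unsupported channel {channel}")


def monitor_mode_commands(phy: str, mon: str, channel: int, width: str = "HT20") -> list[list[str]]:
    """Command sequence to create a monitor interface on the sniffing adapter.

    phy:     the phy#N of the sniffing adapter as listed by 'iw dev' (assumed: phy#2)
    mon:     name of the monitor interface to create (assumed: mon0)
    channel: the channel both APs and the DUT are on
    width:   iw channel-width keyword; HT20 matches the 20 MHz test bandwidth
    """
    if width not in VALID_WIDTHS:
        raise ValueError(f"unsupported width {width}")
    phyname = phy.replace("#", "")  # iw's 'phy' subcommand wants 'phy2', not 'phy#2'
    freq = channel_to_mhz(channel)
    return [
        # A dedicated monitor interface leaves the managed one alone, so NetworkManager
        # or wpa_supplicant cannot retune the radio underneath the capture.
        ["iw", "phy", phyname, "interface", "add", mon, "type", "monitor"],
        ["ip", "link", "set", mon, "up"],
        # The capture bandwidth must match the test bandwidth (20 MHz here).
        ["iw", "dev", mon, "set", "freq", str(freq), width],
    ]


def apply(commands: list[list[str]]) -> None:
    """Run the commands in order; every one of them needs root (CAP_NET_ADMIN)."""
    if os.geteuid() != 0:
        raise PermissionError("root access is needed to configure the network layer")
    for cmd in commands:
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    # usage: sudo python3 monitor_setup.py phy#2 mon0 36
    phy, mon, channel = sys.argv[1], sys.argv[2], int(sys.argv[3])
    cmds = monitor_mode_commands(phy, mon, channel)
    for cmd in cmds:
        print(" ".join(cmd))
    apply(cmds)
```

If NetworkManager keeps re-grabbing the adapter, mark it unmanaged first (nmcli device set <iface> managed no); if the last command fails with an "Operation not supported" error, the driver does not support monitor mode and the adapter cannot be used for this test.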
Test Setup
Please set up the test as shown below:
- set up both APs and the DUT with WPA2-PSK CCMP/CCMP security and the same key
- both APs are configured with a 50 ms beacon interval
- both APs and the DUT are set up on the same channel with the same bandwidth (20 MHz)
- isolate the setup as much as possible from other WiFi networks and RF noise, ideally by placing everything inside an isolation chamber
- roaming settings:
  - Scan Interval: 8 seconds
  - RSSI Delta (2.4 GHz): 9 dB (may not be applicable in this testing)
  - RSSI Delta (5 GHz): 8 dB
  - Roam Threshold (2.4 GHz): -50 dBm (may not be applicable in this testing)
  - Roam Threshold (5 GHz): -50 dBm
- setup diagram
generate data traffic
To generate traffic and test the performance, use the commands below or adapt them to your needs. These are iperf (version 2) options; with iperf3 the server is started with iperf3 -s and -u is given only on the client.
Setup Receive System (Linux PC/Laptop/Server)
- set up with the iperf command:
iperf -s -u -i1
- example:
iperf -s -u -i1
Setup Sender System (Linux PC/Laptop/Server)
- set up with the iperf command:
iperf -c <IP of Receiver> -u -b <data rate in Mbit/s>M -i1 -t <duration in s>
- example:
iperf -c 192.168.1.2 -u -b 1M -i1 -t 900
Notes
- use the WiFi interface of the hardware you want to sniff with, i.e. its
phy#*
- you can easily check which one it is: before the new hardware is plugged in, run
iwconfig
- then connect the new hardware to your computer and run
iwconfig
again - a new device wl* will show up:
wlxdc4ef4086948  IEEE 802.11  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
          Retry short  long limit:2   RTS thr:off   Fragment thr:off
          Power Management:off
wlp3s0    IEEE 802.11  ESSID:"FALINT"
          Mode:Managed  Frequency:2.422 GHz  Access Point: 18:A6:F7:F4:D2:48
          Bit Rate=300 Mb/s   Tx-Power=22 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on
- when starting the script, choose the
phy#*
that belongs to the interface name wl*, as listed by iw dev:
phy#2
    Interface wlxdc4ef4086948
        ifindex 8
        wdev 0x200000001
        addr dc:4e:f4:08:69:48
        type managed
        txpower 20.00 dBm
phy#0
    Interface wlp3s0
        ifindex 3
        addr 7c:5c:f8:e4:5d:e6
        type P2P-device
        txpower 0.00 dBm
- you need root access on your Linux system to be able to configure the network layer!
- after Wireshark has started, select the already marked interface - most probably
mon0
- by clicking the blue shark icon at the top left. We also recommend activating the Wireless Toolbar: in the Wireshark menu bar go to
View -> Wireless Toolbar
and click it to activate. In the Wireless Toolbar
mon0
should be shown as interface, together with the channel you want to analyze; the drop-down box lets you select the needed channel.
- if you can NOT change the channel, your setup is not correct (typically the interface is not in monitor mode, or it is still managed by NetworkManager/wpa_supplicant).
- now you should see WiFi packets in the packet list, like shown in this
- generate the PSK from SSID + passphrase with a converter
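The converter mentioned here, and the "set up the PSK in the analyzer tool" step of the procedure below, both need the same SSID + passphrase to PSK mapping. As an added example (not a tool from this page), here is that derivation in Python: the WPA2 PSK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes. The SSID "IEEE" / passphrase "password" pair in the main block is the standard's published test vector; the Wireshark key types named in wireshark_keys() are the ones offered in Wireshark's IEEE 802.11 decryption key settings.

```python
"""WPA2-PSK derivation from SSID and passphrase.

Added example, not a tool from the page. The PSK is what Wireshark needs
(as a "wpa-psk" key) to decrypt WPA2-PSK traffic once it has captured the
4-way handshake of the station it should decrypt.
"""
import hashlib


def wpa2_psk(ssid: str, passphrase: str) -> str:
    """Return the 256-bit PSK as 64 hex characters (PBKDF2-HMAC-SHA1, 4096 rounds)."""
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be 8..63 printable ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32).hex()


def wireshark_keys(ssid: str, passphrase: str) -> dict:
    """Both key-type/key pairs accepted in Wireshark's 802.11 decryption key list.

    wpa-pwd lets Wireshark derive the PSK itself from "passphrase:ssid";
    wpa-psk takes the pre-computed hex PSK and is unambiguous when the
    passphrase itself contains a ':'.
    """
    return {
        "wpa-pwd": f"{passphrase}:{ssid}",
        "wpa-psk": wpa2_psk(ssid, passphrase),
    }


if __name__ == "__main__":
    # Standard test vector: SSID "IEEE", passphrase "password"
    for key_type, key in wireshark_keys("IEEE", "password").items():
        print(f"{key_type}: {key}")
```

Keep in mind what this test relies on: the PSK is the long-term secret of the whole network, and anyone who holds it and captures a station's 4-way handshake can decrypt that station's traffic exactly as the sniffer does here. Do not reuse a production passphrase in the test setup.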
procedure for a full valid analysis
- set up both APs with:
  - same WiFi channel
  - same bandwidth
  - same mode (a/b/g/n)
  - same SSID
  - same WPA2-PSK
- set up the client device with:
  - same WiFi channel (like both APs)
  - same bandwidth (like both APs)
  - same mode (a/b/g/n) (like both APs)
  - same SSID (like both APs)
  - same WPA2-PSK (like both APs)
- set up the sniffer/analyzer with:
  - same WiFi channel (like both APs)
  - same bandwidth (like both APs)
  - same mode (a/b/g/n) (like both APs) (if needed, throttle the mode down!)
  - the PSK configured in the analyzer tool (see generate PSK above)
  - if the PSK is NOT set up correctly you can NOT decrypt the WiFi packets and will not see the underlying IP data stream
- set up both variable attenuators:
  - 0.25 dB per step
  - dwell time ~250 ms
  - one starting at 0 dB and ending at 60 dB
  - the 2nd starting at 60 dB and ending at 0 dB
  - this gives ~1 dB per second over a 60 dB range, which results in ~1 roam per minute
  - don't start the attenuators now - keep both at 0 dB!
- start the sniffer/analyzer now
  - the analyzer needs to capture the complete 4-way handshake between the client and the AP it attaches to; without it the session key cannot be derived and nothing can be decrypted. With plain WPA2-PSK (no 802.11r fast transition) every later roam triggers a new 4-way handshake with the other AP, so keep the capture running continuously.
- start an iperf receiver on a device in the AP backend network (
iperf -s -u -i1
)
- start/restart the client now so it attaches to one of the APs
- wait until you see a UDP/IP packet like
8845 100.120437221 192.168.222.59 192.168.222.255 UDP 186 5448 → 1027 Len=92
  - if you don't see this after 3-5 min although your client is connected and can ping the destination IP, reconnect the client again
  - it can easily happen that the sniffer/analyzer does NOT catch the PSK handshake!
- create data traffic via WiFi by starting iperf on a device connected to the client (
iperf -c 192.168.1.2 -u -b 1M -i1 -t 900
) - set the speed you prefer
- now start both attenuators sweeping
- log all traffic into a file
- let it run for about 10 min to capture a minimum of 10 roaming events
- to analyze the roaming time, find in the logfile:
  - the last UDP packet to AP1 (identified via its MAC address)
  - the first UDP packet to AP2 after the roam
  - calculate the time difference between both packets
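Doing the last step by hand for ten or more roams is error-prone, so here is an added example (not a tool from this page) that computes it for every roam in a capture. It assumes the decrypted capture was exported with tshark as one UDP frame per line, using this assumed command and field choice: tshark -r capture.pcapng -Y udp -T fields -e frame.time_epoch -e wlan.bssid -e ip.src -e ip.dst. Each change of BSSID in time order is one roam, and the roaming time is the gap between the last UDP frame on the old AP and the first on the new one. The sample export embedded in the block is constructed, not a real capture.

```python
"""Roaming-time measurement from a tshark field export.

Added example, not a tool from the page. Input lines are assumed to be
tab-separated "frame.time_epoch  wlan.bssid  ip.src  ip.dst" for UDP
frames only; since the -Y udp filter only matches after successful
decryption, an empty export is itself a sign that the PSK or the
4-way handshake is missing.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Iterator


@dataclass
class Roam:
    from_bssid: str
    to_bssid: str
    last_old: float   # time of the last UDP frame on the old AP
    first_new: float  # time of the first UDP frame on the new AP

    @property
    def gap_s(self) -> float:
        return self.first_new - self.last_old


def parse_frames(text: str) -> Iterator[tuple[float, str]]:
    """Yield (epoch_time, bssid) per export line; skip empty or malformed lines."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 2 or not parts[1]:
            continue  # e.g. a frame without a BSSID field
        try:
            yield float(parts[0]), parts[1].lower()
        except ValueError:
            continue


def roam_events(frames: Iterable[tuple[float, str]]) -> list[Roam]:
    """Walk the frames in time order; every change of BSSID is one roam."""
    roams: list[Roam] = []
    last_t: float | None = None
    last_bssid: str | None = None
    for t, bssid in sorted(frames):
        if last_bssid is not None and last_t is not None and bssid != last_bssid:
            roams.append(Roam(last_bssid, bssid, last_t, t))
        last_t, last_bssid = t, bssid
    return roams


def summarize(roams: list[Roam]) -> dict | None:
    """Count/min/max/mean of the roaming gaps, or None if no roam was seen."""
    gaps = [r.gap_s for r in roams]
    if not gaps:
        return None
    return {"count": len(gaps), "min": min(gaps), "max": max(gaps), "mean": sum(gaps) / len(gaps)}


# Constructed sample export (not a real capture): AP1 = aa:bb:cc:dd:ee:01, AP2 = aa:bb:cc:dd:ee:02
SAMPLE = """\
100.000\taa:bb:cc:dd:ee:01\t192.168.1.10\t192.168.1.2
101.000\taa:bb:cc:dd:ee:01\t192.168.1.10\t192.168.1.2
101.350\taa:bb:cc:dd:ee:02\t192.168.1.10\t192.168.1.2
102.350\taa:bb:cc:dd:ee:02\t192.168.1.10\t192.168.1.2
160.000\taa:bb:cc:dd:ee:02\t192.168.1.10\t192.168.1.2
160.120\taa:bb:cc:dd:ee:01\t192.168.1.10\t192.168.1.2
"""

if __name__ == "__main__":
    roams = roam_events(parse_frames(SAMPLE))
    for r in roams:
        print(f"{r.from_bssid} -> {r.to_bssid}: {r.gap_s * 1000:.0f} ms")
    print(summarize(roams))
```

A gap measured this way includes any UDP packets lost during the roam, which is the data-interruption time the test is after; if you only want the 802.11 association delay, export the (re)association and EAPOL frames instead of UDP.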