WiFi Analyzing/Sniffing
Hardware
This hardware is recommended for WiFi sniffing:
External WiFi via USB
- CSL USB 2.0 WLAN Adapter 300Mbit (2.4/5 GHz)
- cost below 20 USD/Euro
- optionally you can use an AirPcap NX
- optionally an Octoscope device
This hardware is based on the Ralink RT5572 chipset, is dual-band (2.4 and 5 GHz) and has RP-SMA antenna connectors. The standard Linux kernel driver has monitor mode built in and enabled, which is needed to capture all WiFi traffic. If you use another WiFi stick/module, make sure a driver with monitor mode enabled is available for it.
Laptop internal M.2 or mPCIe card
- please use an Intel based card:
- like AC 9260 - for up to 802.11ac
- like AX200 - for up to 802.11ax
These modules seem to be very well supported by the Linux kernel drivers with monitor mode enabled. It may be a bit tricky to route the antenna cable and RP-SMA connector out of the laptop, but this may be the far better choice!
Software
- Linux OS - we recommend an Ubuntu 20.04 based 64-bit Linux
- Wireshark 3.2.5 - you can check the installed version with
wireshark -v
- you can use other tools as well, but make sure the tool can generate *.pcapng or *.pcap log files so we can analyze them
To set up and configure the WiFi hardware driver, the Linux network subsystem and Wireshark with all needed parameters, we provide a script here that does the whole setup automatically.
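The setup script itself is not reproduced on this page. The following is an added example (not the project's script) of the two steps such a script has to get right: pick the phy that `iw dev` lists the sniffer's wl* interface under, and build the iw/ip commands that create a monitor interface on that phy and tune it to the test channel. The sample `iw dev` text is constructed from the output shown in the Notes section; the interface name mon0, channel 3 and HT20 width are assumptions, and the commands need root.

```python
import re

# Constructed `iw dev` excerpt (same layout as the output shown in the Notes section).
IW_DEV_SAMPLE = """\
phy#2
    Interface wlxdc4ef4086948
        ifindex 8
        wdev 0x200000001
        addr dc:4e:f4:08:69:48
        type managed
        txpower 20.00 dBm
phy#0
    Interface wlp3s0
        ifindex 3
        addr 7c:5c:f8:e4:5d:e6
        type P2P-device
        txpower 0.00 dBm
"""

def phy_for_interface(iw_dev_output: str, iface: str) -> str:
    """Return the phy name (e.g. 'phy2') that `iw dev` lists the interface under."""
    phy = None
    for line in iw_dev_output.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0].startswith("phy#"):          # section header: phy#<n>
            phy = "phy" + tok[0][len("phy#"):]
        elif tok[0] == "Interface" and len(tok) > 1 and tok[1] == iface and phy:
            return phy
    raise LookupError(f"interface {iface!r} not listed by iw dev")

def monitor_setup_commands(phy: str, channel: int, mon: str = "mon0", width: str = "HT20") -> list:
    """Commands (root required) that add a monitor VIF on the phy and tune it to the test channel.

    A separate monitor interface leaves the managed interface untouched; channel and
    width must match both APs and the DUT (see Test Setup). Width list is the subset
    of iw's channel-width keywords relevant for a 20/40 MHz test.
    """
    if not re.fullmatch(r"phy\d+", phy):
        raise ValueError(f"unexpected phy name {phy!r}")
    if width not in ("NOHT", "HT20", "HT40+", "HT40-", "80MHz"):
        raise ValueError(f"unsupported width {width!r}")
    return [
        f"iw phy {phy} interface add {mon} type monitor",
        f"ip link set {mon} up",
        f"iw dev {mon} set channel {channel} {width}",
    ]

if __name__ == "__main__":
    phy = phy_for_interface(IW_DEV_SAMPLE, "wlxdc4ef4086948")
    print("\n".join(monitor_setup_commands(phy, channel=3)))
```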
Test Setup
Please try to set up the test like shown below:
- set up the APs and the DUT with WPA2-PSK CCMP/CCMP security and the same key
- both APs were configured with 50 ms beacon intervals
- both APs and the DUT are set up on the same channel and the same bandwidth (20 MHz)
- try to isolate as much as possible from other WiFi networks and RF noise - best by placing everything inside an isolation chamber
- roaming settings were:
- Scan Interval: 8 seconds
- RSSI Delta (2.4 GHz): 9 dBm (may not be applicable in this testing)
- RSSI Delta (5 GHz): 8 dBm
- Roam Threshold (2.4 GHz): -50 dBm (may not be applicable in this testing)
- Roam Threshold (5 GHz): -50 dBm
- setup diagram
Generate data traffic
To generate traffic and test the performance use the commands below or adapt them to your needs:
- Setup Receive System (Linux PC/Laptop/Server)
- setup with iperf command:
iperf -s -u -i1
- example:
iperf -s -u -i1
- Setup Sender System (Linux PC/Laptop/Server)
- setup with iperf command:
iperf -c <IP of Receiver> -u -b <data rate in Mbit/s>M -i1 -t <how long in s>
- example:
iperf -c 192.168.1.2 -u -b 1M -i1 -t 900
Notes
- please use the WiFi interface (phy#*) of the hardware you want to use
- you can easily check this by typing, before the new hardware is installed:
iwconfig
- connect the new hardware to your computer and run
iwconfig
again - a new device wl* will show up:
wlxdc4ef4086948 IEEE 802.11 ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry short long limit:2 RTS thr:off Fragment thr:off
Power Management:off
wlp3s0 IEEE 802.11 ESSID:"FALINT"
Mode:Managed Frequency:2.422 GHz Access Point: 18:A6:F7:F4:D2:48
Bit Rate=300 Mb/s Tx-Power=22 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:on
- when starting the script, choose the phy#* that belongs to the interface name wl*:
phy#2
Interface wlxdc4ef4086948
ifindex 8
wdev 0x200000001
addr dc:4e:f4:08:69:48
type managed
txpower 20.00 dBm
phy#0
Interface wlp3s0
ifindex 3
addr 7c:5c:f8:e4:5d:e6
type P2P-device
txpower 0.00 dBm
- you need root access on your Linux system to be able to configure the network layer!
- after Wireshark starts, use the already marked interface - most probably it will be mon0 - by clicking the blue shark icon at the top left. We recommend activating the Wireless Toolbar as well: go to the Wireshark menu bar, View -> Wireless Toolbar, and click to activate it. In the Wireless Toolbar, mon0 should be shown as interface and the channel you want to analyze should be shown; using the drop-down box you should be able to select the needed channel.
- if you can NOT change the channel, your setup is not correct.
- now you should be able to see WiFi packets in the view like shown in this
- generate PSK from SSID+passphrase converter
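The PSK converter referenced above, as an added example that is not part of the original page: WPA2-Personal derives the 256-bit PSK from passphrase and SSID with PBKDF2-HMAC-SHA1 over 4096 iterations, and the hex result is what you enter in Wireshark's IEEE 802.11 decryption keys as wpa-psk:<hex>. The SSID "IEEE" / passphrase "password" pair used below is the published IEEE 802.11 test vector; replace it with your test network's values.

```python
import hashlib

def wpa2_psk(ssid: str, passphrase: str) -> bytes:
    """Derive the WPA2 PSK (= PMK) from SSID and passphrase.

    WPA2-Personal defines PSK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 256 bits).
    The passphrase must be 8..63 printable ASCII characters; the SSID is used as
    its raw bytes (1..32). A PSK derived from the wrong SSID will silently fail
    to decrypt, which is the symptom described in the procedure section.
    """
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("WPA2 passphrase must be 8..63 ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)

def wireshark_decryption_key(ssid: str, passphrase: str) -> str:
    """Format the PSK the way Wireshark's IEEE 802.11 'Decryption keys' preference expects.

    Wireshark also accepts wpa-pwd:<passphrase>:<ssid>, but the precomputed
    wpa-psk:<hex> form avoids any quoting problems with ':' or spaces in the SSID.
    """
    return "wpa-psk:" + wpa2_psk(ssid, passphrase).hex()

if __name__ == "__main__":
    # IEEE 802.11 test vector values; use your own SSID and passphrase here.
    print(wireshark_decryption_key("IEEE", "password"))
```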
Procedure for a fully valid analysis
- set up both APs with:
- same WiFi channel
- same bandwidth
- same mode (a/b/g/n)
- same SSID
- same WPA2-PSK
- set up the client device with:
- same WiFi channel (like both APs)
- same bandwidth (like both APs)
- same mode (a/b/g/n) (like both APs)
- same SSID (like both APs)
- same WPA2-PSK (like both APs)
- set up the sniffer/analyzer with:
- same WiFi channel (like both APs)
- same bandwidth (like both APs)
- same mode (a/b/g/n) (like both APs) (if needed, throttle the mode down!)
- set up the PSK in the analyzer tool (see generate PSK above)
- if the PSK is NOT set up correctly, you can NOT decode the WiFi packets and see the underlying IP data stream
- set up both variable attenuators:
- 0.25 dB per step
- dwell time ~250 ms
- one starting at 0 dB and ending at 60 dB
- the 2nd starting at 60 dB and ending at 0 dB
- so set up with ~1 dB per second over a 60 dB range, which will result in ~1 roam per minute
- don't start the attenuators now - keep both at 0 dB!
- start the sniffer/analyzer now
- the analyzer needs to catch the complete 4-way handshake of the client attaching to one AP
- start an iperf receiver on a device in the AP backend network (
iperf -s -u -i1
)
- start/restart the client now to attach to one of the APs
- wait until you see a UDP/IP packet like
8845 100.120437221 192.168.222.59 192.168.222.255 UDP 186 5448 → 1027 Len=92
- if you don't see this after 3-5 min and your client is connected and can ping the destination IP, please reconnect the client again
- it can easily happen that the sniffer/analyzer does NOT catch the PSK handshake!
- create data traffic via the WiFi by starting an iperf client on a device connected to the client (
iperf -c192.168.1.2 -u -b1M -i1 -t900
) - set up the speed you prefer
- now start both attenuators sweeping
- log all traffic to a file
- let it run for about 10 min to be able to catch a minimum of 10 roaming events
- to analyze the roaming time, find in the log file:
- the last UDP packet to AP1 (via MAC address)
- the first UDP packet to AP2 after the roam
- calculate the time difference of both packets
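The last three steps done over a whole log file instead of by hand, as an added example that is not part of the original page: it walks the decoded UDP packets in time order, and each time the serving AP changes it records the difference between the last UDP packet via the old AP and the first via the new AP. It generalizes the single AP1-to-AP2 case in the text to any number of roams in either direction. The input is assumed to be a packet-list export with a wlan.bssid column inserted after Time (No. Time BSSID Source Destination Protocol Length); the sample rows and the two BSSIDs are constructed.

```python
AP1 = "aa:bb:cc:00:00:01"  # constructed BSSIDs of the two test APs; replace with yours
AP2 = "aa:bb:cc:00:00:02"

# Constructed packet-list export. Assumed column layout:
# No. Time BSSID Source Destination Protocol Length  (wlan.bssid column added after Time)
SAMPLE_EXPORT = """\
8845 100.120437221 aa:bb:cc:00:00:01 192.168.222.59 192.168.222.255 UDP 186
8846 100.220111000 aa:bb:cc:00:00:01 192.168.222.59 192.168.222.255 UDP 186
8850 100.300000000 aa:bb:cc:00:00:01 192.168.222.59 192.168.222.1 ICMP 98
8851 100.950000000 aa:bb:cc:00:00:02 192.168.222.59 192.168.222.255 UDP 186
8852 101.050000000 aa:bb:cc:00:00:02 192.168.222.59 192.168.222.255 UDP 186
8900 160.400000000 aa:bb:cc:00:00:01 192.168.222.59 192.168.222.255 UDP 186
"""

def udp_frames(lines, bssids):
    """Yield (time_s, bssid) for UDP rows that belong to one of the test APs.

    Other protocols and foreign BSSIDs are skipped: only the decoded iperf
    stream tells which AP is currently serving the client.
    """
    for line in lines:
        col = line.split()
        if len(col) < 6 or col[5] != "UDP":
            continue
        bssid = col[2].lower()
        if bssid in bssids:
            yield float(col[1]), bssid

def roam_events(lines, bssids=(AP1, AP2)):
    """Return one (from_bssid, to_bssid, roam_time_s) per change of serving AP.

    roam_time = first UDP packet via the new AP minus last UDP packet via the
    old AP, i.e. the difference the procedure asks for.
    """
    events, last_t, last_ap = [], None, None
    for t, ap in udp_frames(lines, {b.lower() for b in bssids}):
        if last_ap is not None and ap != last_ap:
            events.append((last_ap, ap, round(t - last_t, 6)))
        last_t, last_ap = t, ap
    return events

def roam_stats(events):
    """(count, min, max, mean) of the roam times over the whole run."""
    times = [e[2] for e in events]
    if not times:
        return (0, None, None, None)
    return (len(times), min(times), max(times), round(sum(times) / len(times), 6))

if __name__ == "__main__":
    ev = roam_events(SAMPLE_EXPORT.splitlines())
    for src, dst, dt in ev:
        print(f"roam {src} -> {dst}: {dt:.3f} s")
    print("count/min/max/mean:", roam_stats(ev))
```

A gap of roughly a minute between two consecutive events, as in the sample, is the idle time between roams from the attenuator sweep, not a roaming time; only the short gap right after the BSSID change is.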