Last edited by Guido Voigt Aug 19, 2020
This is an old version of this page. You can view the most recent version or browse the history.

wiki_wifi_sniffing

WiFi Analyzing/Sniffing

Hardware

We recommend the following hardware for WiFi sniffing:

  • CSL USB 2.0 WLAN Adapter 300Mbit (2.4/5 GHz)
  • cost below 20 USD/Euro
  • optionally you can use an AirPcap NX
  • optionally an Octoscope device

This hardware is based on the Ralink RT5572 chipset, is dual-band (2.4 and 5 GHz) and has RP-SMA antenna connectors. The standard Linux kernel driver has monitor mode built in and enabled, which is needed to capture all WiFi traffic. If you use another WiFi stick/module, make sure a driver with monitor mode enabled is available for it.

Software

  • Linux OS - we recommend an Ubuntu 20.04 based 64-bit Linux
  • Wireshark 3.2.5 - you can check the installed version with wireshark -v
  • you can use other tools as well, but make sure the tool can generate *.pcapng or *.pcap log files so we can analyze them

To set up and configure the WiFi HW driver, the Linux network subsystem and Wireshark with all needed parameters, we provide a script here that sets up everything automatically.

Test Setup

Please try to set up as shown below:

  • set up the APs and the DUT with WPA2-PSK CCMP/CCMP security and the same key
  • both APs are configured with 50 ms beacon intervals
  • both APs and the DUT are set up on the same channel and the same bandwidth (20 MHz)
  • try to isolate the setup as much as possible from other WiFi networks or RF noise - best by placing everything inside an isolation chamber
  • roaming settings are:
    • Scan Interval: 8 seconds
    • RSSI Delta (2.4 GHz): 9 dBm (may not be applicable in this testing)
    • RSSI Delta (5 GHz): 8 dBm
    • Roam Threshold (2.4 GHz): -50 dBm (may not be applicable in this testing)
    • Roam Threshold (5 GHz): -50 dBm
  • setup diagram: TestSetup

Generate data traffic

To generate traffic and test the performance, use the commands below or adapt them to your needs:

  • Set up the receive system (Linux PC/laptop/server)
    • iperf command: iperf -s -u -i1
    • example: iperf -s -u -i1
  • Set up the sender system (Linux PC/laptop/server)
    • iperf command: iperf -c<IP of Receiver> -u -b<data rate in Mbit/s>M -i1 -t<how long in s>
    • example: iperf -c192.168.1.2 -u -b1M -i1 -t900

Notes

  • please use the WiFi interface (phy#*) of the HW you want to use
  • you can easily check this by running iwconfig without the new HW installed
  • then connect the new HW to your computer and run iwconfig again - a new device wl* will show up
wlxdc4ef4086948  IEEE 802.11  ESSID:off/any  
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   
          Retry short  long limit:2   RTS thr:off   Fragment thr:off
          Power Management:off
          
wlp3s0    IEEE 802.11  ESSID:"FALINT"  
          Mode:Managed  Frequency:2.422 GHz  Access Point: 18:A6:F7:F4:D2:48   
          Bit Rate=300 Mb/s   Tx-Power=22 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on
  • when you start the script, choose the phy#* with the interface name wl*
phy#2
	Interface wlxdc4ef4086948
		ifindex 8
		wdev 0x200000001
		addr dc:4e:f4:08:69:48
		type managed
		txpower 20.00 dBm
phy#0
	Interface wlp3s0
		ifindex 3
		addr 7c:5c:f8:e4:5d:e6
		type P2P-device
		txpower 0.00 dBm
  • You need root access on your Linux system to be able to configure the network layer!
  • After Wireshark starts, use the already marked interface - most probably it will be mon0 - by clicking the blue shark icon at the top left.
  • we recommend activating the Wireless Toolbar as well: in the Wireshark menu bar go to View -> Wireless Toolbar and click to activate
  • in the Wireless Toolbar, mon0 should be shown as the interface, together with the channel you want to analyze
  • using the drop-down box you should be able to select the needed channel
  • if you can NOT change the channel, your setup is not correct
  • now you should be able to see WiFi packets in the view, as shown in this screenshot
  • generate the PSK from SSID + passphrase with the converter
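
What the SSID + passphrase converter computes, as an added example that is not part of the original page or of the setup script: the WPA2 pre-shared key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256-bit output. The function names and the lab SSID/passphrase are assumptions for illustration.

```python
import hashlib


def wpa2_psk(ssid: str, passphrase: str) -> str:
    """Derive the 256-bit WPA2-PSK (64 hex chars) from SSID and passphrase.

    IEEE 802.11i mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations.
    """
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)
    return key.hex()


def wireshark_key(ssid: str, passphrase: str, raw: bool = True) -> tuple:
    """(key type, key) as entered in Wireshark's IEEE 802.11 decryption keys."""
    if raw:
        return ("wpa-psk", wpa2_psk(ssid, passphrase))
    return ("wpa-pwd", f"{passphrase}:{ssid}")


if __name__ == "__main__":
    # Constructed lab values, not taken from the page.
    ssid, passphrase = "LabRoamTest", "correct horse battery"
    print(wireshark_key(ssid, passphrase))
    # The SSID is the salt: a different case or a trailing blank yields a
    # different PSK, and the capture then stays undecoded in the analyzer.
    print(wpa2_psk(ssid, passphrase) == wpa2_psk(ssid.lower(), passphrase))
```

Because both APs share SSID and passphrase in this setup, one key entry covers the traffic of both; the analyzer still needs the 4-way handshake of each association to decode the frames that follow it.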

Procedure for a full, valid analysis

  1. Set up both APs with:
    • the same WiFi channel
    • the same bandwidth
    • the same mode (a/b/g/n)
    • the same SSID
    • the same WPA2-PSK
  2. Set up the client device:
    • same WiFi channel (like both APs)
    • same bandwidth (like both APs)
    • same mode (a/b/g/n) (like both APs)
    • same SSID (like both APs)
    • same WPA2-PSK (like both APs)
  3. Set up the sniffer/analyzer:
    • same WiFi channel (like both APs)
    • same bandwidth (like both APs)
    • same mode (a/b/g/n) (like both APs) (if needed, throttle the mode down!)
    • set up the PSK in the analyzer tool (see generate PSK above)
    • if the PSK is NOT set up correctly, you can NOT decode the WiFi packets and see the underlying IP data stream
  4. Set up both variable attenuators:
    • 0.25 dB per step
    • dwell time ~250 ms
    • one starting at 0 dB and ending at 60 dB
    • the 2nd starting at 60 dB and ending at 0 dB
    • this gives ~1 dB per second over 60 dB, which results in ~1 roam per minute
    • don't start the attenuators now - keep both at 0 dB!
  • start the sniffer/analyzer now
    • the analyzer needs to capture the complete 4-way handshake of the client attaching to one AP
  • start an iperf receiver on a device in the AP backend network (iperf -s -u -i1)
  • start/restart the client now so that it attaches to one of the APs
  • wait until you see a UDP/IP packet like
8845	100.120437221	192.168.222.59	192.168.222.255	UDP	186	5448 → 1027 Len=92
    • if you don't see this after 3-5 min, and your client is connected and can ping the destination IP, please reconnect the client
    • it can easily happen that the sniffer/analyzer does NOT capture the PSK handshake!
  • create data traffic over the WiFi link by starting iperf on a device connected to the client (iperf -c192.168.1.2 -u -b1M -i1 -t900)
    • set the speed you prefer
  • now start both attenuators sweeping
  • log all traffic to a file
  • let it run for about 10 min - to be able to catch a minimum of 10 roaming events
  • to analyze the roaming time, find in the log file:
    • the last UDP packet to AP1 (via MAC address)
    • the first UDP packet to AP2 after the roam
    • calculate the time difference between both packets
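
The roaming-time calculation from the last step, as an added example that is not part of the original page: it takes the decoded UDP frames as time/BSSID rows and reports, for every AP change, the gap between the last packet on the old AP and the first on the new one. The input layout, file name and BSSIDs are assumptions; the sample rows are constructed.

```python
import csv
import io

# Constructed sample, not from a real capture: relative time [s] and BSSID of
# each decrypted UDP data frame, tab-separated, in the form produced by e.g.
#   tshark -r roam.pcapng -Y udp -T fields -e frame.time_relative -e wlan.bssid
SAMPLE = (
    "100.120\t02:00:00:00:00:a1\n"
    "100.128\t02:00:00:00:00:a1\n"
    "100.136\t02:00:00:00:00:a1\n"   # last UDP packet via AP1
    "100.391\t02:00:00:00:00:a2\n"   # first UDP packet via AP2
    "100.399\t02:00:00:00:00:a2\n"
    "160.250\t02:00:00:00:00:a2\n"
    "160.258\t\n"                    # row without BSSID: ignored
    "160.730\t02:00:00:00:00:A1\n"   # roam back, MAC in upper case
    "160.738\t02:00:00:00:00:a1\n"
)


def roam_events(text):
    """Return one dict per AP change with the packet gap in milliseconds."""
    rows = []
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) >= 2 and row[0].strip() and row[1].strip():
            rows.append((float(row[0]), row[1].strip().lower()))
    rows.sort()                      # capture order by time
    events, last = [], None
    for t, bssid in rows:
        if last is not None and bssid != last[1]:
            events.append({"from": last[1], "to": bssid,
                           "last_old": last[0], "first_new": t,
                           "gap_ms": round((t - last[0]) * 1000, 3)})
        last = (t, bssid)
    return events


def summarize(events):
    """Count, min, mean and max roaming gap in ms (None if no roam seen)."""
    gaps = [e["gap_ms"] for e in events]
    if not gaps:
        return None
    return {"roams": len(gaps), "min_ms": min(gaps),
            "mean_ms": sum(gaps) / len(gaps), "max_ms": max(gaps)}


if __name__ == "__main__":
    for e in roam_events(SAMPLE):
        print(f'{e["from"]} -> {e["to"]}: {e["gap_ms"]} ms')
    print(summarize(roam_events(SAMPLE)))
```

The resolution of the result is one inter-packet interval of the iperf stream, so a higher data rate gives a finer measurement of the roaming time.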