Board: uefacool
Author: uefangsmith (唉呦!不錯哦~)
Title: [Tool] [WireShark] WiFi

Time: 2012-08-24 Fri. PM 09:39:33


#How to: Sniff Wireless Packets with Wireshark
http://www.wireless-nets.com/resources/tutorials/sniff_packets_wireshark.html
=>Set Channel
=>Set Filter
=>Related Tip


#Ralink usb wireless
http://ask.wireshark.org/questions/10004/ralink-usb-wireless
(As for USB, if the Wireshark help referred you to, or said something similar to, what http://wiki.wireshark.org/CaptureSetup/USB said, what it's saying is not that you can't capture on USB network adapters - Wireshark doesn't know anything special about USB network adapters, and neither does WinPcap or even the Windows networking stack, so they can't distinguish USB adapters from, for example, PCI adapters - it's saying that you can't capture raw USB traffic at the bus level on Windows the way you can on Linux.)


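Test: run ping x.x.x.x -l 3000 (a large number) so that the frame exceeds the RTS Threshold, and see what happens.

The problem seems to be that some network cards don't support it.
On my side it seems to be because Wireshark puts another layer of fake header on certain wireless packets, so what I see has turned into 802.3,
and so I never see any 802.11 protocol packets.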


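For packet monitoring, a traditional network card uses Promiscuous Mode in order to capture all packets passing over the wire. A wireless card takes a different approach, because several wireless networks may exist in the same area. A wireless card uses Monitor Mode in order to capture all signals. Since WiFi also has multiple wireless channels available, packets must be captured either by scanning the channels in turn or by capturing on one specific channel only. So some packets may still slip through the net. In addition, to "stuff" forged packets into a wireless network (an action known as Packet Injection), the wireless card itself must support that capability. So although compatibility has improved considerably, you still need a suitable wireless card to be able to work effectively.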


#Intermediate Driver
Starting from Vista, wireless drivers can be old style (NDIS 5.x) working exactly like in Windows 2000/XP, or native Wifi drivers (NDIS6). In this case the driver is lightweight and delivers 802.11 frames to an intermediate driver (developed by MS) that converts 802.11 frames into cooked 802.3 frames that can be managed by the upper protocols like the TCP/IP stack. This intermediate driver is also responsible for managing association/disassociation, BSSID scans and such. And this intermediate driver is also responsible for filtering the requests coming from the upper protocols (like WinPcap) for the underlying device description, and always returning "Microsoft" instead of e.g. "Intel Wireless 4965 Adapter".

# See Wlan Card Method
Assuming you don't have an Ethernet cable plugged into your system, select Capture > Interfaces. Now go browse a site using your WLAN connection. Return to your Capture Interfaces window. Do you see that any of your adapters has seen packets? If so, there's your WLAN card.
You can rename the card for easier identification later. Go to Edit > Preferences > Capture > Interfaces:Edit and put in a comment like Native Wireless. When you look at Capture > Interfaces again, you'll see the new name.


# TP-LINK TL-WN821N Wireless N USB Adapter Not Seen in Windows
I have a USB Wireless NIC which is this one: http://www.webdistrib.com/cat/Carte-...emerchWebd&xtor=AL-2392744

So I search how to capture all traffic (sniff). I am in a Linux environment because it doesn't appear in Wireshark in Windows OS.



#AirPCAP adapter
If you want to capture the "real" wireless traffic - that means including 802.11 frames for example for probe requests / responses and authentication details you have to have a capable wireless chipset and a driver supporting monitor mode. This is - like Laura already mentioned - done by AirPCAP from Cacetech for example.

#airmon-ng
You won't see the 802.11 layer unless you enable monitor mode on your WiFi card. Without it, you will only see the ethernet and further layers, but not the radio layer.
On backtrack you can use the airmon-ng utility to enable monitor mode if I remember correctly (has been a while I used it).

This script can be used to enable monitor mode on wireless interfaces. It may also be used to go back from monitor mode to managed mode. Entering the airmon-ng command without parameters will show the interfaces status.
http://www.aircrack-ng.org/doku.php?id=airmon-ng


#WLAN (IEEE 802.11) capture setup
http://wiki.wireshark.org/CaptureSetup/WLAN

#USB to Ethernet Adapter doesn't show under interfaces
http://ask.wireshark.org/questions/12192/usb-to-ethernet-adapter-doesnt-show-under-interfaces
Might be a problem with WinPcap. See here: http://www.winpcap.org/pipermail/winpcap-bugs/2010-March/001183.html
Try to reload WinPcap, after you inserted the USB network adapter.
net stop npf
net start npf
tshark -D

RESULT: It did work on my system. tshark -D gave this list of adapters.
Note: NPF (NetGroup Packet Filter Driver)





--
※ Author: uefangsmith  Time: 2012-08-24 21:39:33
※ Edited: uefangsmith  Time: 2012-08-27 10:13:11
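
The intermediate-driver note and the monitor-mode remarks above both come down to which link-layer header type a capture file was written with. As an added example (not part of the original post and not Wireshark's own code), this Python code reads a classic pcap file, reports whether it carries an 802.11 layer at all, and tallies management, control and data frames; the function names and the in-memory sample captures are constructed for illustration.

```python
import struct

# LINKTYPE_ values from the tcpdump.org link-layer header type registry.
ETHERNET, IEEE802_11, RADIOTAP = 1, 105, 127
DOT11_TYPES = {0: "management", 1: "control", 2: "data"}  # 2-bit type in frame control byte 0
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",   # usec / nsec, little-endian
         b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}   # usec / nsec, big-endian

def read_pcap(data):
    """Return (linktype, [frame bytes]) from a classic pcap file image."""
    end = MAGIC.get(data[:4])
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype = struct.unpack_from(end + "I", data, 20)[0]
    frames, off = [], 24
    while off + 16 <= len(data):                 # 16-byte per-record header
        incl_len = struct.unpack_from(end + "I", data, off + 8)[0]
        frames.append(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return linktype, frames

def summarize(data):
    """Report whether the capture has an 802.11 layer and tally frame types."""
    linktype, frames = read_pcap(data)
    if linktype == ETHERNET:
        return "Ethernet headers only, no 802.11 layer", {}
    if linktype not in (IEEE802_11, RADIOTAP):
        return "link type %d, not handled here" % linktype, {}
    tally = {}
    for frame in frames:
        if linktype == RADIOTAP:                 # radiotap: version, pad, u16 LE header length
            hdr_len = struct.unpack_from("<H", frame, 2)[0] if len(frame) >= 4 else len(frame)
            frame = frame[hdr_len:]              # strip the radio metadata header
        if len(frame) >= 2:                      # skip truncated frames
            kind = DOT11_TYPES.get((frame[0] >> 2) & 3, "other")  # type = bits 2-3
            tally[kind] = tally.get(kind, 0) + 1
    return "802.11", tally

def build_pcap(linktype, frames, end="<"):
    """Build a pcap image in memory (constructed sample input, not a real capture)."""
    out = struct.pack(end + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for f in frames:
        out += struct.pack(end + "IIII", 0, 0, len(f), len(f)) + f
    return out

RT = bytes([0, 0, 8, 0, 0, 0, 0, 0])             # minimal 8-byte radiotap header
MONITOR = build_pcap(RADIOTAP, [RT + fc + bytes(22) for fc in
                                (b"\x80\x00", b"\xb4\x00", b"\x08\x01")])  # beacon, RTS, data
COOKED = build_pcap(ETHERNET, [bytes(14)])       # 14-byte Ethernet header only
```

To check a real capture, pass the file's bytes, for example `summarize(open("capture.pcap", "rb").read())`, where `capture.pcap` is a placeholder name for a file saved in classic pcap format.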