Solutions in this chapter:
Techniques for Effective Wireless Sniffing
Understanding Wireless Card Operating Modes
Configuring Linux for Wireless Sniffing
Configuring Windows for Wireless Sniffing
Using Wireless Protocol Dissectors
Useful Wireless Display Filters
Leveraging Wireshark Wireless Analysis
Solutions Fast Track
Frequently Asked Questions
Chapter 6 • Wireless Sniffing with Wireshark
Wireless networking is a complex field. With countless standards, protocols, and implementations, it is not uncommon for administrators to encounter configuration issues that require sophisticated troubleshooting and analysis mechanisms. Fortunately, Wireshark has sophisticated wireless protocol analysis support to help administrators troubleshoot wireless networks. With the appropriate driver support, Wireshark can capture traffic "from the air" and decode it into a format that helps administrators track down issues that are causing poor performance, intermittent connectivity, and other common problems. Wireshark is also a powerful wireless security analysis tool. Using Wireshark's display filtering and protocol decoders, you can easily sift through large amounts of wireless traffic to identify security vulnerabilities in the wireless network, including weak encryption or authentication mechanisms, and information disclosure risks. You can also perform intrusion detection analysis to identify common attacks against wireless networks while performing signal strength analysis to identify the location of a station or access point (AP).
This chapter introduces the unique challenges and recommendations for traffic sniffing on wireless networks. We examine the different operating modes supported by wireless cards, and configure Linux and Windows systems to support wireless traffic capture and analysis using Wireshark and third-party tools. Once you have mastered the task of capturing wireless traffic, you will learn how to leverage Wireshark's powerful wireless analysis features and how to apply your new skills.
Challenges of Sniffing Wireless
Traditional network sniffing on an Ethernet network is fairly easy to set up. In a shared environment (a hub), an analysis workstation running Wireshark starts a new packet capture, which configures the card in promiscuous mode, and waits until the desired amount of traffic has been captured. In a switched environment, you need to configure a SPAN (mirror) port that copies the traffic sent to other stations before initiating the packet capture. In both of these cases, it is easy to initiate a packet capture and start collecting traffic for analysis. When you switch to wireless analysis, however, the process of traffic sniffing becomes more complicated and requires additional decisions up front to best support the analysis you want to perform.
Selecting a Static Channel
Where a wired network offers a single medium for packet capture (i.e., the wire), wireless networks can operate on multiple wireless channels using different frequencies in the same location. A table of wireless channel numbers and the corresponding frequencies is listed in Table 6.1. Even if two wireless users are sitting side-by-side, their computers may be operating on different wireless channels.
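The practical consequence of the point above is that a sniffer parked on one channel only sees stations whose channels share spectrum with it. The following is an added Python example, not code from the book, that encodes the IEEE 802.11 channel-to-center-frequency relationship behind Table 6.1 (2.4 GHz: 2407 + 5 × channel, channel 14 at 2484 MHz; 5 GHz: 5000 + 5 × channel) and uses it to show which side-by-side stations a capture on a given static channel would miss. The 22 MHz channel width used for the overlap check is an assumption taken from 802.11b/g DSSS channels, and the station list is constructed sample data.

```python
# Added example: IEEE 802.11 channel <-> center-frequency mapping and a
# 2.4 GHz overlap check, for deciding which static channel to sniff on.
# Not code from the book. The 22 MHz channel width in channels_overlap is an
# assumption matching 802.11b/g DSSS channels; regulatory validity of a given
# 5 GHz channel number is not checked.

def channel_to_freq(channel: int) -> int:
    """Return the center frequency in MHz for a 2.4 GHz or 5 GHz channel."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel          # 2.4 GHz band, 5 MHz channel spacing
    if channel == 14:
        return 2484                        # Japan-only channel, 12 MHz above 13
    if 36 <= channel <= 165:
        return 5000 + 5 * channel          # 5 GHz band, e.g. channel 36 -> 5180 MHz
    raise ValueError(f"channel {channel} is not a recognized 802.11 channel")


def freq_to_channel(freq_mhz: int) -> int:
    """Inverse of channel_to_freq; raises ValueError for an off-grid frequency."""
    if freq_mhz == 2484:
        return 14
    if 2412 <= freq_mhz <= 2472 and (freq_mhz - 2407) % 5 == 0:
        return (freq_mhz - 2407) // 5
    if 5180 <= freq_mhz <= 5825 and (freq_mhz - 5000) % 5 == 0:
        return (freq_mhz - 5000) // 5
    raise ValueError(f"{freq_mhz} MHz is not an 802.11 channel center frequency")


def channels_overlap(a: int, b: int, width_mhz: int = 22) -> bool:
    """True if the two channels' occupied bandwidth overlaps.

    With the assumed 22 MHz width of 802.11b/g channels, 2.4 GHz channels
    fewer than 5 apart overlap, which is why 1, 6 and 11 form the
    non-overlapping set.
    """
    return abs(channel_to_freq(a) - channel_to_freq(b)) < width_mhz


def stations_missed(sniff_channel: int, stations: dict) -> list:
    """Given a {name: channel} map of nearby stations, list the stations whose
    channel shares no spectrum with the channel the sniffer is parked on."""
    return sorted(name for name, ch in stations.items()
                  if not channels_overlap(sniff_channel, ch))


if __name__ == "__main__":
    # Constructed sample data: neighbouring stations on different channels.
    nearby = {"alice-laptop": 1, "bob-laptop": 6, "corp-ap": 11, "guest-ap": 3}
    for ch in (1, 6, 11):
        print(f"sniffing on channel {ch} ({channel_to_freq(ch)} MHz) "
              f"misses: {stations_missed(ch, nearby)}")
```

Running the script shows that no single static channel captures all four constructed stations, which is the decision the rest of this section is about: pick the channel of the network you are troubleshooting, or hop channels and accept gaps in the capture.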
Table 6.1 Wireless Frequencies and Channels
Frequency Channel Number