Sunday, November 11, 2012

tshark and airmon-ng to capture SSID broadcasts: article 201205

Take aways:
Your chip set must be able to drop into monitor mode.
Command to enable monitor mode: airmon-ng start <interface>
Command to determine available link-layer header types: tshark -i <interface> -I -L

At the time of this writing I am taking a class developed and presented by Vivek Ramachandran titled SecurityTube Python Scripting Expert.  A project in the class is to write a program that will capture SSID broadcasts.  To capture information at this level you must place your NIC into monitor mode.  As to why, the Wireshark Wiki provides great information and instructions.

It took some reading, some fiddling, and I still have questions for myself, such as why I am not seeing all SSIDs, but below is how I was finally able to see SSID broadcasts.

The card I am using is a D-Link USB wifi card purchased many years back.

I am running Backtrack BT5R1 as a VM on a Windows 7 host using VM Workstation 9.

Running the command:

    airmon-ng check

shows what processes are running, with a note that they could cause trouble.  To kill the process I chose to use the command:

Next to put the card in monitor mode I ran the airmon-ng start command:

    airmon-ng start <interface>

Notice in the above image that monitor mode is enabled on "mon0", not "wlan0".

Next comes tshark to capture SSIDs.  I recommend reading the Wireshark Wiki link at the beginning of this post. First is the command to see what link-layer headers are available:

    tshark -i <interface> -I -L
    tshark -i <interface> -L

The "-I" switch stands for monitor mode.  This is something I need to research further, because based on the wiki I thought I had to use it, but when I did I received error messages, which I will show in a screen shot below.

First, here is what the commands gave me:

And now to capture SSID broadcasts, at least the one that worked for me:

    tshark -i <interface> -y IEEE802_11_RADIO

I am not sure if I am in true "monitor" mode, because when I use the "-I" switch I get the following, which was frustrating because I had just stumbled on to the fact that I could see SSIDs without it.

Also of interest: when I run this in my VM I only see the one SSID. When I run this on another laptop with Backtrack5 R3 and its built-in NIC I see more SSIDs, but not all the ones that I know are in my area. You can see there are a few more in the background of the picture of my D-Link USB NIC, but even this isn't all of them.
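As an added example (not part of the original post and not code from the SecurityTube course), here is a small Python parser for the kind of packet the tshark -y IEEE802_11_RADIO capture above produces: a radiotap header followed by an 802.11 beacon frame. It builds constructed beacons in memory instead of reading from mon0, so it runs anywhere, and it flags hidden networks, whose beacons carry an empty or null-filled SSID element and therefore never show a name in a tshark listing no matter what mode the card is in. The build_beacon helper, the BSSIDs and channel numbers are constructed for the example; the frames are assumed not to carry a trailing FCS.

```python
import struct
from typing import Optional

# Constructed sample values for the example (not from a real capture).
SAMPLE_BSSID = bytes.fromhex("001122334455")


def build_beacon(ssid: bytes, bssid: bytes = SAMPLE_BSSID, channel: int = 6) -> bytes:
    """Build a radiotap-wrapped 802.11 beacon frame (constructed; no trailing FCS)."""
    # Minimal radiotap header: version 0, pad, length 8 (LE), empty present bitmap.
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)
    # Frame control 0x0080: protocol 0, type 0 (management), subtype 8 (beacon).
    header = struct.pack("<H", 0x0080)
    header += struct.pack("<H", 0)          # duration
    header += b"\xff" * 6                   # addr1: broadcast destination
    header += bssid                         # addr2: transmitter
    header += bssid                         # addr3: BSSID
    header += struct.pack("<H", 0)          # sequence control
    # Fixed parameters: timestamp, beacon interval (TUs), capability info.
    fixed = struct.pack("<QHH", 0, 100, 0x0401)
    # Tagged parameters: SSID (tag 0) and DS Parameter Set / channel (tag 3).
    tags = bytes([0, len(ssid)]) + ssid + bytes([3, 1, channel])
    return radiotap + header + fixed + tags


def parse_beacon(packet: bytes) -> Optional[dict]:
    """Return BSSID/SSID/channel from a radiotap+beacon packet, or None if not a beacon."""
    if len(packet) < 4 or packet[0] != 0:   # radiotap version must be 0
        return None
    rt_len = struct.unpack_from("<H", packet, 2)[0]   # radiotap length is LE at offset 2
    frame = packet[rt_len:]
    if len(frame) < 36:                     # 24-byte MAC header + 12 bytes fixed params
        return None
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype != 8:          # only management/beacon frames carry SSIDs this way
        return None
    result = {
        "bssid": ":".join(f"{b:02x}" for b in frame[16:22]),
        "ssid": None,
        "hidden": False,
        "channel": None,
    }
    body, i = frame[36:], 0
    while i + 2 <= len(body):               # walk the tag/length/value elements
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:             # truncated element: stop, keep what we have
            break
        if tag == 0:
            if length == 0 or value == b"\x00" * length:
                result["hidden"] = True     # hidden network: empty or null-filled SSID
            else:
                result["ssid"] = value.decode("utf-8", "replace")
        elif tag == 3 and length == 1:
            result["channel"] = value[0]
        i += 2 + length
    return result


def collect_networks(packets) -> dict:
    """Summarise beacons the way a tshark listing does: one entry per BSSID."""
    seen = {}
    for pkt in packets:
        info = parse_beacon(pkt)
        if info is not None:
            seen.setdefault(info["bssid"], info)
    return seen


if __name__ == "__main__":
    # Constructed sample capture: a named network, a hidden one, and a repeat beacon.
    sample = [
        build_beacon(b"HomeNet"),
        build_beacon(b"", bssid=bytes.fromhex("66778899aabb"), channel=11),
        build_beacon(b"HomeNet"),
    ]
    for bssid, net in collect_networks(sample).items():
        name = "<hidden>" if net["hidden"] else net["ssid"]
        print(f"{bssid}  ch{net['channel']:>2}  {name}")
```

The channel field is worth watching: a card in monitor mode only hears beacons on the channel it is currently tuned to, so a single capture on mon0 will list fewer networks than are actually nearby, and hidden networks appear only as a BSSID with no name. Those two effects account for a good share of the "missing" SSIDs in a listing like the one above.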

Any suggestions, advice, or answers would be much appreciated!

Anyway, it is a good start, and now to get back to my Python scripting!