Wireless Hacks

Hack 39 Tracking 802.11 Frames in Ethereal

Use Ethereal to track wireless frame data it normally can't capture.

In addition to capturing Layer 2 (and greater) traffic on its own, Ethereal can open dump files saved by other tools that incorporate additional data, such as Kismet [Hack #31] or KisMAC [Hack #24]. Recent versions of Ethereal will happily display all 802.11 frame data that these passive monitoring tools can capture (Figure 3-38). This allows you to watch the behavior of devices at the 802.11 protocol layer, which can give you valuable insight into what is actually happening on your wireless network. Keep in mind that Kismet and KisMAC will capture all 802.11 they hear, including data for networks you might not be interested in. This is especially true if you capture data while the tools are scanning all available channels.

Figure 3-38. Ethereal can display 802.11 frames captured by other programs.

To focus on a particular access point, use a display filter on your data. The simplest way to create a filter from scratch is to build it interactively using the filter editor. At the bottom of the screen, click the Filter: button. Next, click Add Expression, which opens the filter editor. Select the information in which you are interested in the Field name pane. Since we are after the BSS ID of an AP, select IEEE 802.11 BSS Id. Click = = as the Relation, and enter the MAC address of your AP in the Value field. You can see this process in Figure 3-39.

Figure 3-39. Use the IEEE 802.11 BSS Id filter to focus on a particular AP.

Click Accept, then OK. Ethereal then filters your data based on the expression you provided. As noted earlier, this language is different than the libpcap filter expression language that tcpdump uses. The resulting expression is shown at the bottom of the main screen, next to the Filter: button. You can build more complex expressions by joining filters together with and and or. Click Apply each time you change your filter to see the effect it has on your data.

If you need to analyze a WEP-encrypted packet dump, then you need to provide the WEP key for Ethereal; otherwise, you will only be able to see encrypted packets. Under Edit Preferences, select Protocols IEEE 802.11. Enter your WEP key data here, and Ethereal automatically decrypts it for you (see Figure 3-40).

Figure 3-40. Supply your own WEP key under protocol Preferences.

If you used AirSnort [Hack #88] to decrypt a WEP stream, you may need to check the Ignore the WEP bit box here. AirSnort decrypts the data, but leaves the WEP bit intact. With this box unchecked, Ethereal will assume that the data is still encrypted, and won't attempt to analyze it further.

Ethereal can filter on virtually every bit in an 802.11 management frame, making it a very useful tool for analyzing a wireless link. Combining Ethereal with Kismet or KisMac makes one of the most flexible and powerful wireless analysis packages available.