How do you capture TCP/IP traffic on a wireless connection in 802.11x frame format?

668
Pioneerhfy

I use Wireshark to sniff my traffic. When I switch my network card from managed mode to monitor mode, I only see "Beacon frames" and "RTS & CTS" packets in Wireshark. Is there a way to capture TCP/IP data transmissions in 802.11x frame format instead of Ethernet, in Wireshark or something else?

Separately,

Is there a way to capture my wireless card's TCP/IP traffic without switching to monitor mode? When I change my wireless card to monitor mode, the Internet connection is disabled and I cannot connect to any website. So I cannot sniff my TCP/IP traffic on the wireless connection using Wireshark.

Thanks in advance.

0

1 answer to the question

0
Spiff

In my experience, most wireless cards are not good at maintaining a working network connection while simultaneously doing 802.11 monitor mode packet capture. Usually when one tries to do both simultaneously on the same card, one doesn't end up seeing all the 802.11 packets one was supposed to see; especially 802.11 Acks the card firmware transmitted.

So I recommend against trying to do what you're doing.

If you want to capture all the 802.11 traffic between an AP and a client, set up a separate wireless sniffer machine halfway in between the two devices, and put it in full 802.11 monitor mode (disassociated from all networks, just tuned to the channel that the target AP and client are on). Make sure the sniffer machine's wireless card is capable of all the modulation and coding schemes that the target AP and client both support. For example, if the AP and client are both 3-stream 802.11ac supporting MCS 9x3, you need your sniffer to support 3-stream 802.11ac MCS 9x3 in order to see any traffic the AP or client transmits using that scheme. Even when you get the hardware right, beware that the very nature of MIMO spatial streams and beamforming means that any transmitted signal is so tailored to be perfect for the intended receiver, that there's no guarantee that it will be of sufficient quality for any eavesdropper/sniffer to receive in any other location.

If you do the independent sniffer setup I suggest, make sure your network either uses no security, or, if it's using WPA2-PSK, make sure to start the sniffer before the target client joins the AP. You need to capture the WPA2 key handshake and know the WPA2-PSK passphrase for the network in order to decrypt the traffic from the target client.

If you simply can't set up an independent sniffer, I suggest that you capture packets in normal Ethernet style if you think your problem is at the IP layer or above, and capture packets in "associated monitor mode" if you think the problem is at the 802.11 layer. However, again, you probably won't be able to fully diagnose 802.11 problems this way, as you probably won't see the Acks your client is sending. So there will be gaps in your knowledge of what happened over the air, that will make it hard to diagnose problems.
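
The answer above says the sniffer must capture the WPA2 key handshake before the client's traffic can be decrypted. As an added example (not part of the original answer), this sketch reports which of the four handshake messages a monitor-mode capture is missing. It assumes radiotap-encapsulated frames, no HT Control field, and the WPA2 Key Information bit layout; all function names and sample frames are constructed for illustration.

```python
import struct

LLC_EAPOL = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP header, EtherType 0x888E
ACK, MIC, SECURE, PAIRWISE = 0x0080, 0x0100, 0x0200, 0x0008  # Key Information bits

def eapol_key_message(frame):
    """Return 1-4 for a pairwise WPA2 handshake message, else None.
    `frame` is one radiotap-encapsulated 802.11 frame (monitor-mode capture)."""
    if len(frame) < 4:
        return None
    dot11 = frame[struct.unpack_from("<H", frame, 2)[0]:]  # skip radiotap header
    if len(dot11) < 24:                  # control frames (RTS/CTS/Ack) are shorter
        return None
    ftype, subtype, flags = (dot11[0] >> 2) & 3, dot11[0] >> 4, dot11[1]
    if ftype != 2 or flags & 0x40:       # not a data frame, or Protected bit set
        return None
    # 24-byte header, +6 for a fourth address, +2 for QoS Control
    # (assumption: no HT Control field is present)
    hdr = 24 + (6 if flags & 3 == 3 else 0) + (2 if subtype & 8 else 0)
    body = dot11[hdr:]
    if body[:8] != LLC_EAPOL or len(body) < 15 or body[9] != 3:  # 3 = EAPOL-Key
        return None
    info = struct.unpack_from(">H", body, 13)[0]
    if not info & PAIRWISE:              # group-key handshake, not the 4-way one
        return None
    if info & ACK:                       # sent by the AP
        return 3 if info & MIC else 1
    if info & MIC:                       # sent by the client
        return 4 if info & SECURE else 2
    return None

def missing_handshake_messages(frames):
    """Messages of the 4-way handshake that the capture does not contain."""
    return sorted({1, 2, 3, 4} - {eapol_key_message(f) for f in frames})

# Constructed sample frames (not from a real capture): minimal radiotap header,
# 26-byte QoS-data style header with zeroed addresses, EAPOL-Key with zeroed fields.
def _sample(fc0, flags, key_info=None):
    frame = bytes.fromhex("0000080000000000") + bytes([fc0, flags]) + bytes(24)
    if key_info is not None:
        frame += LLC_EAPOL + bytes.fromhex("0203005f02") + struct.pack(">H", key_info) + bytes(92)
    return frame

BEACON, ENCRYPTED_DATA = _sample(0x80, 0x00), _sample(0x88, 0x41)
M1, M2, M3, M4 = (_sample(0x88, d, k) for d, k in
                  [(0x02, 0x008A), (0x01, 0x010A), (0x02, 0x13CA), (0x01, 0x030A)])

if __name__ == "__main__":
    late = [BEACON, M3, M4, ENCRYPTED_DATA]   # sniffer started mid-handshake
    print("missing:", missing_handshake_messages(late))
```

A non-empty result means the sniffer started too late for that client; have the client rejoin the AP while the capture is running.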