This is the third part in a series where we use a WiFi adapter to capture traffic using various methods, then take the resulting pcap capture files and methodically pick through them to see what useful information we can extract. Everything is based around Kali and Ubuntu Linux machines, multiple access points, and a variety of target devices, and we use a range of the tools available today to analyse the data we find. There are usually several ways to accomplish a given task, so I try to experiment with different methods to find the one best suited to the task at hand.
All of these examples shown here are using captures of traffic from my own computers and access points.
In the previous part of the series, Pcap capture : Extract SSID AP names, we used tools such as tcpdump, pyrit, and some Python code to view and extract SSID and BSSID information from our pcap capture file. There are many ways to analyze a capture file, and choosing the right tool for the task is key to parsing out the data you need. Command line tools are fast and powerful, and they have the added advantage that we can customize how the information is processed and pass data from one tool to the next with scripts and wrapper code. Graphical tools such as Wireshark have their own advantages: they let us visualize a large amount of data quickly, which helps when getting an overview of a capture file.
In this part we will use Wireshark to view the SSID information, which lets us see which networks are present in the capture and how much traffic each one carries.
Background on 802.11 and RadioTap headers
If you created your capture file with your WiFi interface in monitor mode, then each frame in the file should be preceded by a Radiotap header. The IEEE 802.11 WLAN standard defines three frame types: management, control, and data. Placing a wireless interface in monitor mode lets it capture every 802.11 frame it can hear on the channel, including frames not addressed to it and frames belonging to networks it is not associated with. Note that this is not the same as promiscuous mode on a wired or managed interface: promiscuous mode only delivers additional frames from the network the interface is already connected to, and the driver still strips the 802.11 headers and drops the management and control frames. In ordinary managed mode, your interface discards frames addressed to other stations, as well as the management and control frames that are used to coordinate communication over the air.
The Radiotap header itself is not part of the 802.11 standard. It is a variable-length pseudo-header that the driver prepends to each captured frame, carrying radio-level metadata such as the channel, data rate, and signal strength; the actual 802.11 frame (management, control, or data) follows it. The management frames contain all of the information about the access points. These frames are how your WiFi interface learns which access points are available, what their capabilities are, and how to connect. Management frames support authentication, association, and synchronization, and they are the focus of this article.
View all BSSID and their SSID names for all access points found in the capture
Having the ability to visualize certain parts of the capture file can give us a much better understanding of what sort of information the pcap file contains. We'll load up the capture file in Wireshark and focus in on the access points we were able to capture.
Wireshark is a free and open source packet analyser software that runs on all major platforms (Windows, Linux, OS X). It can not only do the actual captures, but can graphically show us all of the information located inside each packet frame by frame.
Open up the capture file in Wireshark
File > Open and browse to location of your capture file
Once we have the file open, we want to start using the power of display filters. There are hundreds of filters, and by combining them with boolean logic (and, or, not) we can create endless combinations that let us focus on exactly the data we want to analyze. One way to create a display filter is simply to type it into the display Filter: field. The problem with this is that you need to know the filter name and its exact syntax. For the common filters you use day to day this is easy, but once you start scrolling frame by frame through all of the viewable data, it can become cumbersome.
What I like to do is find the specific part of a packet that I am interested in, right click on it, and choose
Apply as Filter > and then the specific logic (Selected, Not Selected, etc.), either to include or exclude certain types of packets.
Scroll through the Packet List window and find a Beacon frame. In a monitor mode capture file, Beacon frames will make up the bulk of the 802.11 frames you see.
Once you click on any Beacon frame, look down in the Packet Details window, find IEEE 802.11 wireless LAN management frame, right click on it and select
Apply as Filter > Selected
You'll notice the Display Filter field has automatically been populated with the correct filter syntax to show only 802.11 management frames. In older Wireshark releases this filter is wlan_mgt; in current releases the management frame fields were merged into the wlan protocol, and the equivalent filter is wlan.fc.type == 0 (individual subtypes can be selected with wlan.fc.type_subtype, for example 0x08 for Beacons, 0x04 for Probe Requests and 0x05 for Probe Responses). Your Packet List window should now contain Beacons, Probe Responses, Probe Requests and possibly a few other management frame types. Beacon frames are sent by access points to broadcast their SSID names. Probe Responses are also sent by access points and also carry the SSID, but an access point only sends one after a client interface sends a Probe Request. Probe Responses are therefore how we can find hidden SSID names: a client has to send a Probe Request for the hidden network first, and the access point's answer contains the name that its Beacons omit. Probe Requests are sent by client interfaces and can provide insight into what networks those clients are looking for.
WLAN Traffic Statistics
Viewing the capture with the management frame display filter gives a general idea of what was captured in our pcap file. If we want a more visual look, with much more aggregated data at a glance, we can use WLAN Traffic, a Wireshark statistics window that summarizes what is contained in the capture file: all of the SSIDs, the number of beacons and probe requests, and the overall traffic on each network.
With the capture file open in Wireshark, click on
Statistics > WLAN Traffic
By clicking on any column header we can sort the information contained in our pcap capture file and find which networks are open, which are secured, which networks carry the most data, which probe requests were sent by nearby interfaces, and so on. It's a powerful look at a lot of detail at a single glance. In the example above there is an SSID shown as <Broadcast>; this is in fact a hidden SSID, whose Beacons carry a BSSID but an empty name, and Wireshark simply labels it this way for readability. We did not capture the probe request/probe response exchange for this particular network in our file, so we do not know its actual name. There are methods to force probe requests and quickly identify hidden SSIDs when there are clients associated with that access point, but we will save that for another article.
When you need to visualize large amounts of data from your capture files quickly, a tool such as Wireshark is an invaluable resource. You can easily narrow down what the intended target network may be for closer inspection among the large amount of data in a capture file. Using display filters, either to exclude packets that are of no interest to your analysis or to focus on a single protocol, you can clean up the packet view and find the details you are looking for.
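To make the Radiotap and 802.11 background above concrete, and to show what Wireshark is doing behind the management frame filter and the WLAN Traffic window, here is a small parser that does the same work by hand. It is an example added for this article, not the author's code and not part of Wireshark: it walks a classic pcap whose link type is Radiotap, skips each Radiotap pseudo-header using its length field, decodes the frame control byte to pick out Beacons, Probe Requests and Probe Responses, pulls the SSID element and the Privacy capability bit, and aggregates per-BSSID counters. The BSSIDs, client MAC and SSIDs in SAMPLE_PCAP are constructed here so the script runs offline; the hidden-SSID case is included on purpose, with the name only becoming known once a probe response for it appears.

```python
"""Radiotap + 802.11 management frame parser with a WLAN Traffic style summary (added example, not the article's code)."""
import struct
import sys
from collections import defaultdict

PCAP_GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PCAP_REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_RADIOTAP = 127                      # DLT_IEEE802_11_RADIO: monitor-mode capture with Radiotap headers
TYPE_MGMT, PROBE_REQ, PROBE_RESP, BEACON = 0, 0x04, 0x05, 0x08  # same numbers wlan.fc.type / wlan.fc.type_subtype use
mac = lambda b: ":".join(f"{x:02x}" for x in b)

def iter_pcap_records(data):
    """Yield the raw packet bytes of each record in a classic little-endian pcap."""
    magic, *_, linktype = PCAP_GLOBAL_HDR.unpack_from(data, 0)
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_RADIOTAP:
        raise ValueError("need a little-endian pcap whose link type is Radiotap (127)")
    off = PCAP_GLOBAL_HDR.size
    while off + PCAP_REC_HDR.size <= len(data):
        _, _, incl_len, _ = PCAP_REC_HDR.unpack_from(data, off)
        yield data[off + PCAP_REC_HDR.size: off + PCAP_REC_HDR.size + incl_len]
        off += PCAP_REC_HDR.size + incl_len

def strip_radiotap(pkt):
    """Radiotap is a driver-prepended pseudo-header; the u16 at offset 2 is its length, the 802.11 frame follows."""
    version, _, length = struct.unpack_from("<BBH", pkt, 0)
    if version != 0 or length > len(pkt):
        raise ValueError("malformed Radiotap header")
    return pkt[length:]

def parse_mgmt(frame):
    """Return fields of a Beacon / Probe Request / Probe Response, or None for any other frame."""
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4   # frame control: version(2) type(2) subtype(4)
    if ftype != TYPE_MGMT or subtype not in (PROBE_REQ, PROBE_RESP, BEACON):
        return None
    sa, bssid, body = frame[10:16], frame[16:22], frame[24:]  # addr2 = source, addr3 = BSSID, then the body
    privacy = None
    if subtype != PROBE_REQ:
        # Beacons and Probe Responses start with fixed fields: timestamp(8) beacon interval(2) capabilities(2)
        caps = struct.unpack_from("<QHH", body, 0)[2]
        privacy = bool(caps & 0x0010)   # capability bit 4 (Privacy) set = encryption in use, clear = open network
        body = body[12:]
    ssid, off = None, 0
    while off + 2 <= len(body):         # tagged parameters: id(1) len(1) value
        tag, tlen = body[off], body[off + 1]
        if tag == 0:                    # SSID element; zero length or all NULs means a hidden SSID
            val = body[off + 2:off + 2 + tlen]
            ssid = val.decode("utf-8", "replace") if val.strip(b"\x00") else None
            break
        off += 2 + tlen
    return {"subtype": subtype, "sa": mac(sa), "bssid": mac(bssid), "ssid": ssid, "privacy": privacy}

def wlan_traffic(data):
    """Per-BSSID counters in the spirit of Statistics > WLAN Traffic, plus which SSIDs each client probed for."""
    nets = defaultdict(lambda: {"ssid": "<Broadcast>", "privacy": None, "beacons": 0, "probe_resp": 0})
    probing = defaultdict(set)
    for pkt in iter_pcap_records(data):
        info = parse_mgmt(strip_radiotap(pkt))
        if info is None:
            continue
        if info["subtype"] == PROBE_REQ:
            probing[info["sa"]].add(info["ssid"] or "<Broadcast>")   # wildcard probe shows as <Broadcast>
            continue
        net = nets[info["bssid"]]
        net["beacons" if info["subtype"] == BEACON else "probe_resp"] += 1
        net["privacy"] = info["privacy"]
        if info["ssid"]:                # a Probe Response reveals the name the Beacons hid
            net["ssid"] = info["ssid"]
    return dict(nets), {k: sorted(v) for k, v in probing.items()}

# Constructed sample capture with hypothetical MACs and SSIDs so the script runs without a real pcap.
AP1, AP2, AP3, CLIENT = (bytes.fromhex(h) for h in ("020000000001", "020000000002", "020000000003", "0200000000aa"))
BCAST = b"\xff" * 6

def _frame(subtype, sa, bssid, ssid, privacy=True):
    """Radiotap (8 bytes, no optional fields) + 802.11 header + management body carrying an SSID element."""
    hdr = struct.pack("<BBHI", 0, 0, 8, 0) + struct.pack("<BBH", subtype << 4, 0, 0) + BCAST + sa + bssid + b"\x00\x00"
    fixed = b"" if subtype == PROBE_REQ else struct.pack("<QHH", 0, 100, 0x0411 if privacy else 0x0401)
    return hdr + fixed + bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82])  # SSID tag, then a Supported Rates tag

def _pcap(pkts):
    out = PCAP_GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RADIOTAP)
    for i, p in enumerate(pkts):
        out += PCAP_REC_HDR.pack(1700000000 + i, 0, len(p), len(p)) + p
    return out

SAMPLE_PCAP = _pcap([
    _frame(BEACON, AP1, AP1, b"HomeNet"), _frame(BEACON, AP1, AP1, b"HomeNet"),
    _frame(BEACON, AP2, AP2, b""),                           # hidden SSID: Beacon carries an empty name
    _frame(PROBE_REQ, CLIENT, BCAST, b"Hidden-Guest"),       # a client asks for it by name ...
    _frame(PROBE_RESP, AP2, AP2, b"Hidden-Guest"),           # ... and the AP's Probe Response leaks it
    _frame(BEACON, AP3, AP3, b"CoffeeShop", privacy=False),  # open network (Privacy bit clear)
    _frame(PROBE_REQ, CLIENT, BCAST, b""),                   # wildcard Probe Request
    struct.pack("<BBHI", 0, 0, 8, 0) + struct.pack("<BBH", 0x08, 0, 0) + BCAST + AP1 + AP1 + b"\x00\x00",  # data frame, skipped
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    print(*wlan_traffic(data), sep="\n")
```

Run it with no arguments to see the summary of the constructed capture, or pass a real monitor-mode capture as the first argument. The script only understands the classic pcap format; Wireshark saves pcapng by default, so convert such a file first with editcap -F pcap (tcpdump -w output is already plain pcap). The same hidden-SSID logic applies in Wireshark: a hidden network sits under <Broadcast> in WLAN Traffic until a Probe Response for it is present in the capture.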
Previous: Pcap capture : Extract SSID AP names
Where we use command line tools such as tcpdump, pyrit, and a little bit of Python code to extract and view the SSID/BSSID information from a capture file.
Next: Pcap capture : Separate and single out a single network...coming soon