
Over-the-air wireless data frame capture

September 21, 2017

Patent analysis often involves investigating how a particular product or solution functions in order to assess whether it practices a given patent claim, and sometimes that investigation entails analyzing wirelessly communicated data.

In an earlier post I described how to capture IP packets sent to and from wireless devices by using a Windows computer as a wireless hotspot together with Wireshark, a packet capture and analysis tool. That technique works well for capturing IP packets exchanged between a device on the wireless LAN (WLAN) and a remote server, but it does not capture the lower-level IEEE 802.11 MAC frames exchanged on the WLAN itself, such as those between the hotspot computer and a wireless device or between two wireless devices connected to the WLAN.

Devices on a WLAN share one radio medium, and not everything they exchange shows up as IP packets: 802.11 management and control frames, ARP and other link-layer traffic carry no IP at all, and even IP traffic between two wireless clients may never pass through the hotspot computer's IP stack, which is where the earlier technique captured it. To capture the frames actually sent on the shared medium, there is another process I can recommend. It records the frames themselves, for example those exchanged between a computer application and a smartphone on the WLAN. The guidance below presumes that you have permission to capture frames transmitted on the wireless network in question.

  1. Fire up an unencrypted IEEE 802.11g wireless access point on a channel that is free or the least crowded. The “g” aspect is important, because newer protocols such as “n” and “ac” complicate capture through variables like channel width and spatial streams; “g” fixes the channel width at 20 MHz and a single spatial stream. Having the access point be passcode-free and unencrypted is important as well because it allows reading frames in the clear (presuming no other encryption, such as TLS, is used for the transported data); bear in mind that anyone in radio range can read them too, so use test devices and test data only. It is possible to use Wireshark to decrypt WPA/WPA2 traffic if you know the SSID and passphrase and your capture includes the session's four-way EAPOL handshake, but that is not covered herein.
  2. Boot Kali Linux on a computer. Kali is a Linux distribution with tools built in for performing penetration testing.
  3. Connect a wireless adapter that supports IEEE 802.11g along with “monitor mode,” which makes the adapter pass every frame it hears on the channel to the host rather than only frames addressed to it. An example is Panda’s PAU05 300Mbps Wireless 802.11n USB Adapter, which is backward compatible with “g”; I have found that this particular adapter works well. Other adapters reported to work in monitor mode are listed in the linked compatibility lists.
  4. Use the Kali built-in tools airmon-ng and airodump-ng to monitor Wi-Fi channels and capture data while your devices under test are communicating: airmon-ng check kill stops network managers that would otherwise reset the adapter, airmon-ng start puts the adapter into monitor mode (typically creating an interface such as wlan0mon), and airodump-ng, locked to the access point’s channel and BSSID with its -c and --bssid options and writing with -w, records the frames to a capture file. A further article on passive Wi-Fi sniffing covers alternate, but similar, techniques in depth.
  5. Once you have captured the sequence you want, stop the capture and open the resulting capture file (“PCAP”; airodump-ng writes it with a .cap extension) in Wireshark, which is conveniently preloaded in Kali Linux, and analyze the frames there.
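As an added example that is not part of the original post and not the author's code: the Python below performs, on three constructed frames, the frame-level dissection that step 5 hands to Wireshark, and shows why the data-link view of step 4 differs from the IP view of the hotspot method. It builds an open-network beacon, a cleartext ARP request (a frame with no IP in it) and a CCMP-protected QoS data frame, writes them to a classic pcap with link type 105 (raw 802.11, the encoding airodump-ng uses for its .cap files), reads them back, and decodes frame control, the addresses, the Protected bit, the SSID and the LLC/SNAP EtherType. The MAC addresses, the SSID “test”, the 192.168.137.x IP addresses, the ciphertext bytes and the file name constructed-wlan.cap are all made up for the example.

```python
"""Frame-level analysis of a raw IEEE 802.11 capture, as Wireshark does it for an
airodump-ng .cap file.  Added example on constructed frames, not the original post's code."""
import struct
import zlib

FRAME_TYPES = {0: "mgmt", 1: "ctrl", 2: "data"}
MGMT_SUBTYPES = {0: "assoc-req", 4: "probe-req", 5: "probe-resp", 8: "beacon"}
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
SNAP_HEADER = bytes.fromhex("aaaa03000000")  # LLC/SNAP prefix that precedes the EtherType
LINKTYPE_IEEE802_11 = 105                     # raw 802.11 frames, no radiotap header

# Constructed, locally administered MAC addresses; they identify no real device.
AP = bytes.fromhex("020000000001")
STA = bytes.fromhex("020000000002")
BCAST = b"\xff" * 6

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def dissect(frame: bytes, has_fcs: bool = True) -> dict:
    """Decode frame control, the three addresses and, for data frames, the payload type."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    info = {"type": FRAME_TYPES.get(ftype, "reserved"), "subtype": subtype,
            "protected": bool(fc & 0x4000), "addr1": mac(frame[4:10]),
            "addr2": mac(frame[10:16]), "addr3": mac(frame[16:22])}
    if has_fcs:  # whether the trailing CRC-32 is kept depends on the driver (Wireshark has a preference)
        info["fcs_ok"] = zlib.crc32(frame[:-4]) == struct.unpack("<I", frame[-4:])[0]
        frame = frame[:-4]
    if ftype == 0:
        info["subtype_name"] = MGMT_SUBTYPES.get(subtype, str(subtype))
        tags = frame[24 + 12:]  # beacon/probe-resp body: timestamp(8), interval(2), capabilities(2), tags
        if subtype in (5, 8) and tags and tags[0] == 0:  # tag 0 is the SSID
            info["ssid"] = tags[2:2 + tags[1]].decode(errors="replace")
        return info
    if ftype != 2:
        return info
    # 4-address (WDS) frames add a 6-byte Address 4; QoS subtypes add a 2-byte QoS control field.
    hdr_len = 24 + (6 if to_ds and from_ds else 0) + (2 if subtype & 0x8 else 0)
    body = frame[hdr_len:]
    if info["protected"]:
        info["payload"] = "encrypted: Wireshark needs the SSID/passphrase and the captured EAPOL handshake"
        return info
    if body[:6] == SNAP_HEADER:  # cleartext frame: the EtherType says what it carries
        ethertype = struct.unpack_from(">H", body, 6)[0]
        info["ethertype"] = ETHERTYPES.get(ethertype, hex(ethertype))
        body = body[8:]
    info["payload"] = body
    return info

def build_frame(fc: int, a1: bytes, a2: bytes, a3: bytes, body: bytes, qos: bool = False) -> bytes:
    """Header + body + a genuine CRC-32 FCS, as the adapter hands frames to airodump-ng."""
    hdr = struct.pack("<HH", fc, 0) + a1 + a2 + a3 + struct.pack("<H", 0x0010)  # duration, addrs, seq ctrl
    if qos:
        hdr += b"\x00\x00"
    return hdr + body + struct.pack("<I", zlib.crc32(hdr + body))

def sample_frames() -> list:
    """Constructed traffic: an open-network beacon, a cleartext ARP request from the
    station, and a CCMP-protected QoS data frame whose payload cannot be read."""
    beacon_body = struct.pack("<QHH", 0, 100, 0x0401) + bytes([0, 4]) + b"test" + bytes([1, 1, 0x82])
    beacon = build_frame(0x0080, BCAST, AP, AP, beacon_body)
    arp = (struct.pack(">HHBBH", 1, 0x0800, 6, 4, 1) + STA + bytes([192, 168, 137, 2])
           + b"\x00" * 6 + bytes([192, 168, 137, 1]))        # who-has 192.168.137.1 (constructed)
    arp_req = build_frame(0x0108, AP, STA, BCAST, SNAP_HEADER + b"\x08\x06" + arp)  # ToDS
    ccmp_hdr = b"\x01\x00\x00\x20" + b"\x00" * 4              # PN0, PN1, rsvd, KeyID|ExtIV, PN2..PN5
    protected = build_frame(0x4188, AP, STA, AP, ccmp_hdr + bytes(range(24)), qos=True)  # ToDS|Protected
    return [beacon, arp_req, protected]                        # bytes(range(24)) stands in for ciphertext+MIC

def write_pcap(frames: list, path: str = None) -> bytes:
    """Classic little-endian pcap with link type 105, which Wireshark opens directly."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1505000000 + i, 0, len(f), len(f)) + f  # constructed timestamps
    if path:
        with open(path, "wb") as fh:
            fh.write(out)
    return out

def read_pcap(data: bytes):
    """Yield raw 802.11 frames from a pcap written by write_pcap or by airodump-ng."""
    magic, *_, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_IEEE802_11:
        raise ValueError("expected a little-endian pcap containing raw 802.11 frames")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def analyze(pcap: bytes) -> list:
    return [dissect(f) for f in read_pcap(pcap)]

if __name__ == "__main__":
    for entry in analyze(write_pcap(sample_frames(), "constructed-wlan.cap")):
        print(entry)
```

Run it and open constructed-wlan.cap in Wireshark; the display filters wlan.fc.type == 0, wlan.fc.type == 2 and wlan.fc.protected == 1 pick out the beacon, the data frames and the encrypted frame respectively. Whether a real capture carries the trailing FCS depends on the driver, hence the has_fcs switch, and on a real .cap the Protected bit is the quick test of whether the open network from step 1 is actually giving you cleartext.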

Obviously much more could be written about each of the tools and protocols above, and indeed, books have been written about each. However, here you have a short list of high-level steps to perform for passive Wi-Fi data sniffing, along with a complete set of the hardware and software you will need.

Packet capture on a wired network, such as Ethernet, is a possible topic for future discussion.
