There are many ways to capture packets from a WiFi appliance, especially if the appliance lets you install packet capture applications.
However, this is not always possible, and given the nature of a WiFi appliance, capturing on the device itself can also affect its performance.
This article describes how I set up an external monitor for the traffic to and from a WiFi appliance.
Basics
The idea is to put a computer running Wireshark between the WiFi router and the rest of the network.
The main constraint is that the WiFi router must be SEPARATED from the rest of the network.
This is a graphic representing the setup:
Shopping list
It is needed:
- 1 laptop with Linux installed, with two Ethernet ports
- 1 PCMCIA NIC if the laptop has only one embedded NIC
- bridge utilities
- Wireshark
The environment
The machine used to build the monitor is a Gateway Tablet running Kubuntu 12.04, plus a LinkSys PCMCIA NIC card. The first step, recognizing the extra NIC card, should not pose any problem.
In my case the LinkSys NIC was recognized and configured automatically by the OS as eth1.
The next step is to install Wireshark from the Kubuntu repository and enable it to capture packets from eth0 or eth1.
Bridge setting
Without a bridge between the two NICs, the two networks are isolated, i.e. the phone cannot receive anything from the rest of the network.
In order to simplify the configuration, I assigned a manual address to both NICs:
- 192.168.2.71 for eth0
- 192.168.2.72 for eth1
The bridge-utils are not installed by default in Kubuntu 12.04 but are available in the repository.
At this point I created, configured and activated a bridge between the two NICs:
- sudo brctl addbr wshark
  creates a new bridge called wshark
- sudo brctl addif wshark eth0
  adds eth0 to the wshark bridge
- sudo brctl addif wshark eth1
  adds eth1 to the wshark bridge
- sudo brctl stp wshark on
  enables STP
After creating the bridge, it has to be activated.
To do so, simply use the ifconfig command:
sudo ifconfig wshark up
At this point the bridge should be working.
Note that once they are enslaved to the bridge, eth0 and eth1 are no longer usable on their own.
It is convenient to create a script with all the above commands to simplify setting up the system.
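As an added example (not a script from the original post), here is one way to wrap the commands above in a single script. It assumes bridge-utils is installed, defaults to the post's names wshark, eth0 and eth1, rejects interface names containing shell characters, and refuses to recreate a bridge that already exists.

```shell
#!/bin/sh
# Added helper (not from the original post) wrapping the brctl/ifconfig
# sequence above. Assumes bridge-utils is installed; bridge and NIC names
# default to the post's wshark/eth0/eth1 and can be overridden via env vars.
set -eu
BRIDGE="${BRIDGE:-wshark}"; IF_A="${IF_A:-eth0}"; IF_B="${IF_B:-eth1}"

# Accept only plain interface names (letters, digits, '.', '_', '-') so a
# typo or stray shell character is never spliced into a privileged command.
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit the exact command sequence, one per line, without running anything,
# so it can be reviewed before it touches the NICs.
bridge_cmds() {
    for n in "$1" "$2" "$3"; do
        valid_iface "$n" || { echo "invalid interface name: $n" >&2; return 1; }
    done
    printf '%s\n' "brctl addbr $1" "brctl addif $1 $2" "brctl addif $1 $3" \
                  "brctl stp $1 on" "ifconfig $1 up"
}

# Apply the sequence with sudo. Refuse if the bridge already exists, so a
# second run does not re-add the NICs or stop half way through.
bridge_up() {
    if [ -e "/sys/class/net/$1" ]; then
        echo "bridge $1 already exists" >&2; return 1
    fi
    bridge_cmds "$1" "$2" "$3" | while IFS= read -r cmd; do
        echo "+ $cmd"; sudo $cmd   # word splitting of $cmd is intended
    done
}

# Tear the bridge down again, returning eth0/eth1 to normal use.
bridge_down() {
    sudo ifconfig "$1" down; sudo brctl delbr "$1"
}

case "${1:-plan}" in
    up)   bridge_up "$BRIDGE" "$IF_A" "$IF_B" ;;
    down) bridge_down "$BRIDGE" ;;
    *)    bridge_cmds "$BRIDGE" "$IF_A" "$IF_B" ;;  # default: dry run, just list
esac
```

Run it without arguments to list the commands, with `up` to apply them and `down` to remove the bridge. On current distributions `ip link` and the iproute2 `bridge` tool replace brctl and ifconfig, but the sequence is the same.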
Running Wireshark
After the bridge is activated it is possible to run Wireshark.
Among the interfaces available for capturing traffic there will be a wshark interface, which is the bridge.
To capture the data transiting the two interfaces, just choose that one.