Sunday, August 12, 2012

Set up WiFi monitor with Wireshark

Sometimes is necessary to be able to see the traffic generated, or directed to, a WiFi appliance.
There are many possible ways to capture packets from a WiFi appliance, especially if the appliance allows to install packet capture applications.
However not always such thing is possible and considered the nature of the WiFI appliance, it can change the performances.
This article describes how I did set up an external monitor for the traffic to and from a WiFi appliance.


The idea is to put a computer running wireshark between the router WiFi and the rest of the network.
The main constraint is to have a WiFi router SEPARATED by the rest of the network.
This a graphic representing the  setting :

The key part is a laptop with two NIC cards. In my case the laptop is running Kubuntu 12.04

Shopping list

It is needed :
  • 1 laptop with Linux installed, with two ethernet ports
  • 1 PCMCA NIC if the laptop has already an embedded NIC
  • bridge utilities
  • Wireshark 

The environment 

The machine used to build the monitor is a Gateway Tablet running Kubuntu 12.04, plus a LinkSys PCMCA NIC card.
The first step, recognizing the extra NIC card, should not pose any problem.
In my case the LinkSys NIC was recognized and configured automatically by the OS as eth1.
The next step is to install Wireshark from the Kubuntu repository, and enabled it to capture packets from eth0 or eth1.

Bridge setting

After preparing the hardware and tested both the ethx ports, it is necessary to set up the machine to act as a bridge, in order to have packets received from the eth0 port sent to the eth1 port, and viceversa.
Without such functionality, the two networks are isolated, i.e. the phone can not receive anything from the network.

In order to simplify the configuration, I forced on both the NIC a manual address.

    for the eth0 
    for the eth1. 

After opening a terminal, I installed the brctl program (sudo apt-get install bridge-utils).
The bridge-utils are not installed by default in the Kubuntu 12.04 but are available in the repository.
At this point I created, configured and activated a bridge between the two NICs.

  • sudo brctl addbr wshark
    Creates a new bridge called wshark 
  • sudo brctl addif wshark eth0
    Adds the eth0 to the wshark bridge 
  • sudo brctl addif wshark eth1
    Adds the eth1 to the wshark bridge 
  • sudo brctl stp wshark on
    Enables the STP 

After creating the bridge, it has to be activated.
To do so, simply use the ifconfig command :

sudo ifconfig wshark up

At this point the bridge should be working.
Note that after issuing these commands the eth0 and eth1 are not accessible anymore.
It is convenient to create a script with all the above commands to simplify the setting of the system.

Running Wireshark

After the bridge is activated is possible to run Wireshark.

Among the available interfaces to use to capture traffic, it will be present a wshark interface that is the bridge.

To capture data transiting the two inetrfaces, just choose that one.

No comments:

Post a Comment