9 September, 2012 (published)
15 September, 2014 (last modified)

Monitoring WiFi traffic of your neighbors

  Categories: Linux

I will show how to monitor all WiFi network traffic within range of your wireless adapter. In a previous post I explained how to get your wireless adapter recognized by a computer running Linux. In the following it is assumed you are running Ubuntu. Other Linux flavors require only obvious changes.

Installing necessary monitoring software
We will need a few software packages. Some of them will be in the Ubuntu databases on the web. Ubuntu has a nifty system for getting software packages from these databases through "apt-get". Only if apt-get cannot find a package will you have to download it from the web yourself. All the programs we need are well known and can easily be downloaded from the web.

If you download it yourself from the web, only the source code is delivered. In that case, change the current directory to the one containing the downloaded source, then compile and install it by running as root (use sudo or a root terminal):

./configure 
make
make install

We will need four programs:

libsqlite3-dev
libpcap*-dev
aircrack-ng
wireshark

Aircrack-ng is a cracking tool originally designed for wireless systems running the WEP protocol; it can also be downloaded from the Aircrack web site. Wireshark is an extensive network monitoring package and can be downloaded from the Wireshark website. Installing Wireshark under Ubuntu adds a menu item from which it can be started (in addition to starting it from a terminal).

So go ahead and get and install them. On my Ubuntu, installing all four takes about two minutes.

Preparing your wireless adapter
Now comes the critical part. Open up a terminal window and run iwconfig.

root@HP-MEDIAMARKT:/home/adlag# iwconfig
lo        no wireless extensions.

eth0      no wireless extensions.

ra0       Ralink ST  AESSID:"SitecomB0994C"  Nickname:"RT2860STA"
          Mode:Managed  Frequency=2.462 GHz  Access Point: 00:0C:F6:B0:99:4C   
          Bit Rate=135 Mb/s   
          RTS thr:off   Fragment thr:off
          Encryption key:98C2-1B83-2D7D-DE83-BB2F-13C9-5C22-7D8F   Security mode:open
          Link Quality=100/100  Signal level:-27 dBm  Noise level:-57 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

wlan0     IEEE 802.11bgn  ESSID:"SitecomB0994C"  
          Mode:Managed  Frequency:2.462 GHz  Access Point: 00:0C:F6:B0:99:4C   
          Bit Rate=1 Mb/s   Tx-Power=20 dBm   
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=70/70  Signal level=-27 dBm  
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:9   Missed beacon:0

root@HP-MEDIAMARKT:/home/adlag#

This will show all network devices; look for the interface name of the wireless adapter you want to use. In my case there are two interfaces: ra0 and wlan0. The interface ra0 is my built-in wireless adapter that cannot be put into monitor mode (at least I could not get it there). The other, wlan0, is my Icidu USB 300N wireless adapter. Now you must put this adapter into monitor mode. Type (replace wlan0 with the interface name of your adapter):

airmon-ng start wlan0

In my case the answer of the system is:

root@HP-MEDIAMARKT:/home/adlag# airmon-ng start wlan0

Found 7 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID	Name
812	avahi-daemon
813	avahi-daemon
886	NetworkManager
912	wpa_supplicant
1113	dhclient
1694	dhclient
2249	dhclient
Process with PID 1694 (dhclient) is running on interface ra0
Process with PID 2249 (dhclient) is running on interface wlan0

Interface	Chipset		Driver

ra0		Ralink 2560 PCI	rt2500
wlan0		Unknown 	usb - [phy0]
				(monitor mode enabled on mon0)

root@HP-MEDIAMARKT:/home/adlag#

Bingo. Somewhere in the answer you must find "monitor mode enabled on" followed by a monitor interface name, likely "mon0". If the answer does not contain the name of a monitor interface, your wireless adapter cannot be set to monitor mode with the present driver. Do not forget to first disconnect the adapter if it was connected to your own access point (your wireless router).

Your wireless adapter is now spitting out frames (collections of packets) it receives from any access point within range. Let us now get the frames to the surface. You can use wireshark for this. Start wireshark and start to capture on the interface mon0 (or the appropriate interface name in your case). You will see wireshark capturing many, many frames. The best frames are the beacon frames. Analyzing a beacon frame of any of your neighbors' wireless signals will tell you many of its properties, including its SSID and all of its encryption methods. It will also tell you whether or not the neighbor has WPS enabled (see previous post). Look for a management frame with the key Microsoft vendor: WPS. After a few minutes you should stop wireshark capturing, as the amount of data becomes too large.

[Screenshot: my wireshark in action.] You can see from the beacon frame that my router is WPS enabled and the SSID = "SitecomB0994C".
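To check what your own access point announces without clicking through wireshark, the beacon fields described above can be read directly from the frame bytes. This is an added example, not code from the original post; the sample beacon, its BSSID and its SSID are constructed, and the frame is assumed to have its radiotap header already stripped.

```python
import struct

MS_OUI = bytes.fromhex("0050f2")  # Microsoft OUI: vendor type 1 = WPA, type 4 = WPS

def wps_state(attrs: bytes):
    """Walk WPS attributes (big-endian 2-byte type, 2-byte length); read state 0x1044."""
    pos = 0
    while pos + 4 <= len(attrs):
        attr, alen = struct.unpack_from(">HH", attrs, pos)
        if attr == 0x1044 and alen == 1 and pos + 5 <= len(attrs):
            return {1: "unconfigured", 2: "configured"}.get(attrs[pos + 4], "unknown")
        pos += 4 + alen
    return None

def parse_beacon(frame: bytes) -> dict:
    """Summarise a raw 802.11 beacon (radiotap header already stripped)."""
    if len(frame) < 36 or frame[0] != 0x80:  # 0x80 = management frame, subtype beacon
        raise ValueError("not a beacon frame")
    (capability,) = struct.unpack_from("<H", frame, 34)
    info = {"bssid": ":".join(f"{b:02x}" for b in frame[16:22]), "ssid": None,
            "privacy": bool(capability & 0x0010), "rsn": False, "wpa": False,
            "wps": False, "wps_state": None}
    pos = 36  # 24-byte MAC header + 12 bytes of fixed parameters
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break  # capture truncated in the middle of an element
        if tag == 0:
            info["ssid"] = value.decode("utf-8", "replace")
        elif tag == 48:
            info["rsn"] = True  # RSN element: WPA2
        elif tag == 221 and value[:3] == MS_OUI and length >= 4:
            if value[3] == 1:
                info["wpa"] = True
            elif value[3] == 4:
                info["wps"], info["wps_state"] = True, wps_state(value[4:])
        pos += 2 + length
    return info

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag, len(body)]) + body

# Constructed sample beacon (made-up BSSID and SSID), not taken from a real capture.
BSSID = bytes.fromhex("020000000001")
SAMPLE = (bytes.fromhex("80000000") + b"\xff" * 6 + BSSID * 2 + bytes(10)
          + struct.pack("<HH", 100, 0x0411) + tlv(0, b"ExampleAP")
          + tlv(48, bytes.fromhex("0100000fac040100000fac040100000fac020000"))
          + tlv(221, MS_OUI + bytes.fromhex("04104a0001101044000102")))

print(parse_beacon(SAMPLE))
```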
