Hack 32. Track 802.11 Frames in Ethereal

Use Ethereal to track wireless frame data it normally can't capture.

In addition to capturing Layer 2 and higher traffic on its own, Ethereal can open dump files saved by other tools that incorporate additional data, such as Kismet [Hack #29] or KisMAC [Hack #28]. Recent versions of Ethereal will happily display all 802.11 frame data that these passive monitoring tools can capture, as shown in Figure 2-36.

Figure 2-36. Ethereal displaying 802.11 frames

This allows you to watch the behavior of devices at the 802.11 protocol layer, which can give you valuable insight into what is actually happening on your wireless network. Keep in mind that Kismet and KisMAC will capture all 802.11 data they hear, including data for networks you might not be interested in. This is especially true if you capture data while the tools are scanning all available channels.

To focus on a particular access point, use a display filter on your data in Ethereal. The simplest way to create a filter from scratch is to build it interactively using the filter editor. At the bottom of the screen, click the Filter: button. Next, click Add Expression, which opens the filter editor. Select the information you want to see in the "Field name" pane. Since we are after the BSSID of a particular access point, select IEEE 802.11 → BSS Id. Click == as the Relation, and enter the MAC address of your access point in the Value field, as shown in Figure 2-37.

Figure 2-37. Creating a filter to focus on a particular access point

Click Accept and then OK. Ethereal then filters your data based on the expression you provided. This display filter language is different from the libpcap filter expression language that tcpdump uses. The resulting expression is shown at the bottom of the main screen, next to the Filter: button. You can build more complex expressions by joining filters together with "and" and "or". To see the effect a change has on your data, click Apply each time you change your filter.

If you need to analyze a WEP-encrypted packet dump, you need to provide the WEP key to Ethereal; otherwise, you will only be able to see encrypted packets. Under Edit → Preferences, select Protocols → IEEE 802.11. Enter your WEP key data here, and Ethereal automatically decrypts the traffic for you, as shown in Figure 2-38.

Figure 2-38. Supplying your own WEP key for decoding

Ethereal can filter on virtually every bit in an 802.11 management frame, making it a useful tool for analyzing a wireless link. Combining Ethereal with Kismet or KisMAC makes one of the most flexible and powerful wireless analysis packages available.
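To show what the BSS Id filter built above actually matches, and why Ethereal can filter on every bit of the 802.11 header, here is an added Python example (not code from the book, Ethereal, Kismet or KisMAC) that decodes the 802.11 MAC header of raw frames and applies the equivalent of the display filter wlan.bssid == <address>. The BSSID sits in a different address slot depending on the To DS / From DS flags, which is the detail the filter editor hides; the sample frames and the access point, station and WDS addresses are constructed for this example.

```python
"""Parse the 802.11 MAC header and apply a BSSID display filter (added example)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
                 8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}


@dataclass
class Frame80211:
    ftype: str            # management / control / data
    subtype: str          # decoded name for management frames, raw number otherwise
    to_ds: bool
    from_ds: bool
    protected: bool       # Protected Frame bit: body is WEP/WPA-encrypted
    addr1: str
    addr2: Optional[str]
    addr3: Optional[str]
    bssid: Optional[str]  # what Ethereal shows as wlan.bssid, or None


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))


def parse_frame(raw: bytes) -> Frame80211:
    """Decode the MAC header; the BSSID lives in a different address slot
    depending on the To DS / From DS flags of the Frame Control field."""
    if len(raw) < 10:
        raise ValueError("too short for an 802.11 MAC header")
    fc0, fc1 = raw[0], raw[1]                # Frame Control is little-endian
    ftype_num = (fc0 >> 2) & 0x3
    subtype_num = (fc0 >> 4) & 0xF
    to_ds = bool(fc1 & 0x01)
    from_ds = bool(fc1 & 0x02)
    protected = bool(fc1 & 0x40)
    ftype = FRAME_TYPES.get(ftype_num, "reserved")
    subtype = MGMT_SUBTYPES.get(subtype_num, str(subtype_num)) if ftype_num == 0 else str(subtype_num)
    addr1 = mac_str(raw[4:10])
    if ftype_num == 1:
        # Control frames (ACK, RTS, CTS, ...) carry no Address 3, so there is no BSSID to filter on.
        addr2 = mac_str(raw[10:16]) if len(raw) >= 16 else None
        return Frame80211(ftype, subtype, to_ds, from_ds, protected, addr1, addr2, None, None)
    if len(raw) < 24:
        raise ValueError("management/data frame needs a 24-byte header")
    addr2 = mac_str(raw[10:16])
    addr3 = mac_str(raw[16:22])
    if to_ds and from_ds:
        bssid = None                        # 4-address WDS frame: RA/TA/DA/SA, no single BSSID
    elif to_ds:
        bssid = addr1                       # station -> AP: Address 1 is the BSSID
    elif from_ds:
        bssid = addr2                       # AP -> station: Address 2 is the BSSID
    else:
        bssid = addr3                       # management / IBSS: Address 3 is the BSSID
    return Frame80211(ftype, subtype, to_ds, from_ds, protected, addr1, addr2, addr3, bssid)


def filter_by_bssid(frames: List[bytes], bssid: str) -> List[Frame80211]:
    """Equivalent of the display filter  wlan.bssid == <bssid>  built in the hack."""
    wanted = bssid.lower()
    return [f for f in map(parse_frame, frames) if f.bssid == wanted]


def build_frame(fc0: int, fc1: int, addr1: str, addr2: Optional[str] = None,
                addr3: Optional[str] = None, addr4: Optional[str] = None, body: bytes = b"") -> bytes:
    """Assemble a raw frame from header fields (used only to construct sample data)."""
    raw = bytes([fc0, fc1]) + struct.pack("<H", 0)       # Frame Control, Duration/ID
    raw += mac_bytes(addr1)
    if addr2 is not None:
        raw += mac_bytes(addr2)
    if addr3 is not None:
        raw += mac_bytes(addr3) + struct.pack("<H", 0)   # Address 3, Sequence Control
    if addr4 is not None:
        raw += mac_bytes(addr4)                          # Address 4 follows Sequence Control
    return raw + body


# Constructed capture: two access points, one station, one ACK and one WDS frame (all addresses made up).
AP_A, AP_B, STA = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", "00:de:ad:be:ef:01"
SAMPLE_FRAMES = [
    build_frame(0x80, 0x00, "ff:ff:ff:ff:ff:ff", AP_A, AP_A, body=b"\x00" * 12),  # beacon from AP A
    build_frame(0x80, 0x00, "ff:ff:ff:ff:ff:ff", AP_B, AP_B, body=b"\x00" * 12),  # beacon from AP B
    build_frame(0x08, 0x41, AP_A, STA, AP_A, body=b"\x11\x22\x33"),               # WEP data, STA -> AP A (To DS)
    build_frame(0x08, 0x02, STA, AP_A, "00:00:5e:00:53:01"),                       # data, AP A -> STA (From DS)
    build_frame(0xd4, 0x00, STA),                                                 # ACK: control frame, no BSSID
    build_frame(0x08, 0x03, AP_B, AP_A, STA, "00:00:5e:00:53:02"),                # 4-address WDS frame
]

if __name__ == "__main__":
    for f in filter_by_bssid(SAMPLE_FRAMES, AP_A):
        print(f"{f.ftype:<10} {f.subtype:<6} bssid={f.bssid} protected={f.protected}")
```

Running the block keeps the beacon and both data frames belonging to AP A and drops the other access point's beacon, the ACK (control frames have no Address 3) and the four-address WDS frame (no single BSSID), which is the same set Ethereal's wlan.bssid == filter would show. The protected flag on the station's data frame is the bit that tells you the body will stay opaque until a WEP key is supplied under Preferences.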
