tsharking802.11 (gist donalod/d532058bb9ef102ae627)
Last active August 29, 2015 14:08
Wireshark/tshark on board for deeper 802.11 troubleshooting on OSX
Monitor mode (disruptive) exposes 802.11 management and control frames, which carry much richer data about signal levels, capabilities, neighbouring nodes etc. than an associated interface ever shows.
Note: still testing for more specific/useful frames, but right now the goal is just access to some richer data that can be easily manipulated when a user or network has issues, i.e. when "/usr/sbin/system_profiler SPAirPortDataType" and "/System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport" are not enough (as per https://gist.github.com/donalod/ba467ffdb2a2531cd13e ).
List the link-layer header types en1 offers in monitor mode (-I) without starting a capture (-L):
/usr/local/bin/tshark -i en1 -I -L
Data link types of interface en1 when in monitor mode (use option -y to set):
  IEEE802_11_RADIO (802.11 plus radiotap header)
  PPI (Per-Packet Information)
  IEEE802_11 (802.11)
  IEEE802_11_RADIO_AVS (802.11 plus AVS radio information header)
  RAW (Raw IP)
Multiple field types and how to access them:
With -y IEEE802_11_RADIO every captured frame starts with a radiotap pseudo-header, dissected as 'radiotap.<field>' (https://www.wireshark.org/docs/dfref/r/radiotap.html), followed by the 802.11 frame itself, dissected as 'wlan.<field>' (https://www.wireshark.org/docs/dfref/w/wlan.html). Signal, noise, channel and data rate live in the radiotap header, not in the 802.11 frame, so asking for 'wlan.<blah>' doesn't always get you what you want; reference those via 'radiotap.dbm_antsignal', 'radiotap.dbm_antnoise' etc. In the tshark version used here the management frame body (SSID, capabilities, ...) sits under 'wlan_mgt.<field>'; from Wireshark 2.0 on that prefix is folded into 'wlan' (wlan_mgt.ssid became wlan.ssid), so adjust the field names on newer builds.
Don't forget this is somewhat destructive: monitor mode (rfmon) takes the radio out of its current association, so there is no in-band signalling or data connection while capturing. It is not the same as promiscuous mode, which only widens what an already associated interface accepts; monitor mode passes every frame heard on the channel, unassociated, with the 802.11 headers intact:
/usr/local/bin/tshark -i en1 -c 100 -I -y IEEE802_11_RADIO
Another example whilst in monitor mode (as opposed to airport -s). The display filter 'wlan' matches every 802.11 frame, but only management frames such as beacons, probe requests/responses and (re)association requests carry an SSID element, so most of the output lines will be blank:
/usr/local/bin/tshark -i en1 -c 100 -I -y IEEE802_11_RADIO -Y 'wlan' -Tfields -e wlan_mgt.ssid
What AP BSSIDs can you see out there? (Control frames such as ACKs carry no BSSID and print an empty line; client probe requests show the broadcast BSSID ff:ff:ff:ff:ff:ff.)
/usr/local/bin/tshark -i en1 -c 1000 -I -y IEEE802_11_RADIO -Tfields -e wlan.bssid
Which vendor does a BSSID belong to, i.e. its OUI resolved against the local Wireshark manufacturer database?
/usr/local/bin/tshark -i en1 -c 1000 -I -y IEEE802_11_RADIO -Tfields -e wlan.bssid_resolved
Let's try the radiotap headers for signal strength (dBm at the antenna, one value per frame):
/usr/local/bin/tshark -i en1 -c 1000 -I -y IEEE802_11_RADIO -Tfields -e radiotap.dbm_antsignal
This one below is me just messing with my home network called 'podomere-5':
/usr/local/bin/tshark -q -l -c 1000 -i en1 -I -y IEEE802_11_RADIO -Y "wlan.sa==b4:18:d1:e0:5d:39 or wlan.sa==68:a8:6d:4c:76:fc" -Tfields -e wlan.bssid -e wlan_mgt.ssid -e wlan.sa -e wlan.ra -e radiotap.dbm_antnoise -e radiotap.dbm_antsignal -e radiotap.present.db_tx_attenuation
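As an added example (not part of the original gist), here is a bash wrapper that turns the tab-separated output of a multi-field capture like the one above into a per-BSSID signal summary, which is the "easily manipulated" data the gist is after. It assumes the gist's tshark path and interface (/usr/local/bin/tshark, en1) and the pre-2.0 field name wlan_mgt.ssid; the lines in sample_fields are constructed, not a real capture. It goes a little beyond the gist in that scan_aps restricts the live capture to management frames (wlan.fc.type == 0) so that BSSID and SSID are actually populated, and summarize_aps drops the frames a live run always produces that say nothing about an AP (ACKs without a BSSID, client probe requests with the broadcast BSSID, frames whose radiotap header carries no dBm value).

```bash
#!/bin/bash
# Added example, not code from the original gist. Summarises the output of
#   tshark -I -y IEEE802_11_RADIO -T fields -e wlan.bssid -e wlan_mgt.ssid -e radiotap.dbm_antsignal
# into one line per BSSID:  bssid  ssid  frames  min_dbm  max_dbm  avg_dbm
# Assumptions: tshark at /usr/local/bin (Homebrew), Wi-Fi radio is en1, and the
# 2015-era field name wlan_mgt.ssid (use wlan.ssid from Wireshark 2.0 on).

TSHARK=/usr/local/bin/tshark   # assumption: Wireshark CLI install path
IFACE=en1                      # assumption: the Mac's Wi-Fi interface

# Constructed sample of capture output (not a real capture), one frame per line.
# It deliberately includes the awkward cases a live run produces: blank SSID on
# non-beacon frames, a client probe request with the broadcast BSSID, an ACK
# with no BSSID at all, and a frame whose radiotap header had no dBm signal.
sample_fields() {
    printf '%s\t%s\t%s\n' \
        'b4:18:d1:e0:5d:39' 'podomere-5' '-41' \
        'b4:18:d1:e0:5d:39' ''           '-45' \
        'b4:18:d1:e0:5d:39' 'podomere-5' '-43' \
        '68:a8:6d:4c:76:fc' 'Guest'      '-67' \
        '68:a8:6d:4c:76:fc' ''           '-70' \
        'ff:ff:ff:ff:ff:ff' ''           '-55' \
        ''                  ''           '-52' \
        '68:a8:6d:4c:76:fc' ''           ''
}

# Reads field lines on stdin; prints one summary line per BSSID, strongest
# average signal first.
summarize_aps() {
    awk -F'\t' '
        # Control frames (no BSSID), client probe requests (broadcast BSSID) and
        # frames without a radiotap dBm value tell us nothing about an AP.
        $1 == "" || $1 == "ff:ff:ff:ff:ff:ff" || $3 == "" { next }
        {
            sig = $3 + 0
            n[$1]++; sum[$1] += sig
            if (!($1 in min) || sig < min[$1]) min[$1] = sig
            if (!($1 in max) || sig > max[$1]) max[$1] = sig
            # The SSID only appears in beacons/probe responses: keep the first
            # non-empty one seen for this BSSID.
            if ($2 != "" && !($1 in ssid)) ssid[$1] = $2
        }
        END {
            for (b in n)
                printf "%s\t%s\t%d\t%d\t%d\t%.1f\n", b,
                       ((b in ssid) ? ssid[b] : "<hidden>"),
                       n[b], min[b], max[b], sum[b] / n[b]
        }' | sort -t "$(printf '\t')" -k6,6nr
}

# Summary line for one BSSID from the constructed sample (handy for checking).
ap_summary() {
    sample_fields | summarize_aps | awk -F'\t' -v b="$1" '$1 == b'
}

# Live use on the Mac: needs root for monitor mode and breaks the current
# association. Restricting to management frames (wlan.fc.type == 0) keeps
# BSSID and SSID populated, which the bare 'wlan' filter above does not.
scan_aps() {
    local count="${1:-1000}"
    "$TSHARK" -i "$IFACE" -I -y IEEE802_11_RADIO -l -c "$count" \
        -Y 'wlan.fc.type == 0' \
        -T fields -e wlan.bssid -e wlan_mgt.ssid -e radiotap.dbm_antsignal \
        | summarize_aps
}

# Offline demo on the constructed sample; scan_aps is only ever run by hand.
if [ "${1:-}" = "--demo" ]; then
    sample_fields | summarize_aps
fi
```

Run it with --demo to see the two summary lines the sample yields (podomere-5 at an average of -43.0 dBm over three frames, Guest at -68.5 dBm over two); on the Mac itself, `sudo bash` the file and call scan_aps 2000 from the shell that sourced it.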