donalod/basicsharking1

## basicsharking1
Wireshark/tshark onboard for deeper troubleshooting on OSX?

Monitor Mode (disruptive) for 802.11 Management and Control Frames which contain much richer data about signal, capabilities, other nodes etc..
Note: Testing for more specific/useful frames but right now we just want access to some richer data that can be easily manipulated when a user or network has issues i.e. when "/usr/sbin/system_profiler SPAirPortDataType" and "/System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport" are not enough (as per https://gist.github.com/donalod/ba467ffdb2a2531cd13e )

/usr/local/bin/tshark -i en1 -I -L
Data link types of interface en1 when in monitor mode (use option -y to set):
  IEEE802_11_RADIO (802.11 plus radiotap header)
  PPI (Per-Packet Information)
  IEEE802_11 (802.11)
  IEEE802_11_RADIO_AVS (802.11 plus AVS radio information header)
  RAW (Raw IP)

Multiple Field Types and How to Access:

IEEE802_11_RADIO should have radiotap headers via https://www.wireshark.org/docs/dfref/w/wlan.html while in monitor mode but using the 'wlan.<blah>' doesn't always get you what you want thus... referencing the fields via 'radiotap.dbm_antnoise' etc. https://www.wireshark.org/docs/dfref/r/radiotap.html

Don't forget this is somewhat destructive i.e. this means no in-band signalling/connection for data and breaks your current association by putting your machine's radio in to 'Monitor Mode'.. a non-associated promiscuous mode:
/usr/local/bin/tshark -i en1 -c 100 -I -y IEEE802_11_RADIO

Another example whilst in monitor mode (as opposed to airport -s):
/usr/local/bin/tshark -i en1 -c 100 -I -y IEEE802_11_RADIO -Y 'wlan' -Tfields -e wlan_mgt.ssid

What AP BSSIDs can you see out there?
/usr/local/bin/tshark -i en1 -c 1000 -I -y IEEE802_11_RADIO -Tfields -e wlan.bssid

What Vendors OUI/BSSID is it i.e. resolved based upon local Wireshark OUI DB?
/usr/local/bin/tshark -i en1 -c 1000 -I -y IEEE802_11_RADIO -Tfields -e wlan.bssid_resolved

Let's try some frame headers with signal strengths?
/usr/local/bin/tshark -i en1 -c 1000 -I -y IEEE802_11_RADIO -Tfields -e radiotap.dbm_antsignal

This one below is me just messing with home network called 'podomere-5':
/usr/local/bin/tshark -q -l -c 1000 -i en1 -I -y IEEE802_11_RADIO -Y "wlan.sa==b4:18:d1:e0:5d:39 or wlan.sa==68:a8:6d:4c:76:fc" -Tfields -e wlan.bssid -e wlan_mgt.ssid -e wlan.sa -e wlan.ra -e radiotap.dbm_antnoise -e radiotap.dbm_antsignal -e radiotap.present.db_tx_attenuation
	Wireshark/tshark onboard for deeper troubleshooting on OSX?

	Monitor Mode (disruptive) for 802.11 Management and Control Frames which contain much richer data about signal, capabilities, other nodes etc..
	Note: Testing for more specific/useful frames but right now we just want access to some richer data that can be easily manipulated when a user or network has issues i.e. when "/usr/sbin/system_profiler SPAirPortDataType" and "/System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport" are not enough (as per https://gist.github.com/donalod/ba467ffdb2a2531cd13e )

	/usr/local/bin/tshark -i en1 -I -L
	Data link types of interface en1 when in monitor mode (use option -y to set):
	IEEE802_11_RADIO (802.11 plus radiotap header)
	PPI (Per-Packet Information)
	IEEE802_11 (802.11)
	IEEE802_11_RADIO_AVS (802.11 plus AVS radio information header)
	RAW (Raw IP)

	Multiple Field Types and How to Access:

	IEEE802_11_RADIO should have radiotap headers via https://www.wireshark.org/docs/dfref/w/wlan.html while in monitor mode but using the 'wlan.<blah>' doesn't always get you what you want thus... referencing the fields via 'radiotap.dbm_antnoise' etc. https://www.wireshark.org/docs/dfref/r/radiotap.html

	Don't forget this is somewhat destructive i.e. this means no in-band signalling/connection for data and breaks your current association by putting your machine's radio in to 'Monitor Mode'.. a non-associated promiscuous mode:
	/usr/local/bin/tshark -i en1 -c 100 -I -y IEEE802_11_RADIO

	Another example whilst in monitor mode (as opposed to airport -s):
	/usr/local/bin/tshark -i en1 -c 100 -I -y IEEE802_11_RADIO -Y 'wlan' -Tfields -e wlan_mgt.ssid

	What AP BSSIDs can you see out there?
	/usr/local/bin/tshark -i en1 -c 1000 -I -y IEEE802_11_RADIO -Tfields -e wlan.bssid

	What Vendors OUI/BSSID is it i.e. resolved based upon local Wireshark OUI DB?
	/usr/local/bin/tshark -i en1 -c 1000 -I -y IEEE802_11_RADIO -Tfields -e wlan.bssid_resolved

	Let's try some frame headers with signal strengths?
	/usr/local/bin/tshark -i en1 -c 1000 -I -y IEEE802_11_RADIO -Tfields -e radiotap.dbm_antsignal

	This one below is me just messing with home network called 'podomere-5':
	/usr/local/bin/tshark -q -l -c 1000 -i en1 -I -y IEEE802_11_RADIO -Y "wlan.sa==b4:18:d1:e0:5d:39 or wlan.sa==68:a8:6d:4c:76:fc" -Tfields -e wlan.bssid -e wlan_mgt.ssid -e wlan.sa -e wlan.ra -e radiotap.dbm_antnoise -e radiotap.dbm_antsignal -e radiotap.present.db_tx_attenuation