@donalod
Last active August 29, 2015 14:08
tsharking802.11
Wireshark/tshark onboard for deeper troubleshooting on OSX?
Monitor mode (disruptive) exposes 802.11 management and control frames, which carry much richer data about signal strength, capabilities, neighbouring nodes, etc.
Note: still testing for more specific/useful frames, but right now we just want access to some richer data that can be easily manipulated when a user or network has issues, i.e. when "/usr/sbin/system_profiler SPAirPortDataType" and "/System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport" are not enough (as per https://gist.github.com/donalod/ba467ffdb2a2531cd13e ).
/usr/local/bin/tshark -i en1 -I -L
Data link types of interface en1 when in monitor mode (use option -y to set):
IEEE802_11_RADIO (802.11 plus radiotap header)
PPI (Per-Packet Information)
IEEE802_11 (802.11)
IEEE802_11_RADIO_AVS (802.11 plus AVS radio information header)
RAW (Raw IP)
Multiple field types and how to access them:
With IEEE802_11_RADIO in monitor mode you get radiotap headers in front of the 802.11 frame. The 'wlan.<field>' names from https://www.wireshark.org/docs/dfref/w/wlan.html don't always get you what you want (they describe the 802.11 frame, not the radio), so reference the radio-level values via 'radiotap.dbm_antnoise' etc. from https://www.wireshark.org/docs/dfref/r/radiotap.html . Note that newer Wireshark releases folded the 'wlan_mgt.*' fields used below into 'wlan.*' (e.g. wlan.ssid).
Don't forget this is somewhat disruptive: putting your machine's radio into monitor mode (a non-associated promiscuous mode) breaks your current association, so you have no in-band data connection while you capture:
/usr/local/bin/tshark -i en1 -c 100 -I -y IEEE802_11_RADIO
Another example whilst in monitor mode (as opposed to airport -s):
/usr/local/bin/tshark -i en1 -c 100 -I -y IEEE802_11_RADIO -Y 'wlan' -Tfields -e wlan_mgt.ssid
What AP BSSIDs can you see out there?
/usr/local/bin/tshark -i en1 -c 1000 -I -y IEEE802_11_RADIO -Tfields -e wlan.bssid
Which vendor's OUI does the BSSID belong to, i.e. resolved against the local Wireshark OUI database?
/usr/local/bin/tshark -i en1 -c 1000 -I -y IEEE802_11_RADIO -Tfields -e wlan.bssid_resolved
Let's pull signal strengths out of the radiotap headers:
/usr/local/bin/tshark -i en1 -c 1000 -I -y IEEE802_11_RADIO -Tfields -e radiotap.dbm_antsignal
This one below is me just messing with my home network, called 'podomere-5':
/usr/local/bin/tshark -q -l -c 1000 -i en1 -I -y IEEE802_11_RADIO -Y "wlan.sa==b4:18:d1:e0:5d:39 or wlan.sa==68:a8:6d:4c:76:fc" -Tfields -e wlan.bssid -e wlan_mgt.ssid -e wlan.sa -e wlan.ra -e radiotap.dbm_antnoise -e radiotap.dbm_antsignal -e radiotap.present.db_tx_attenuation
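The -Tfields output of that last command is tab separated, one frame per line, with empty columns where a frame lacks the field (data frames carry no SSID) and comma-joined values where radiotap reports several antennas. The parser below is an added example, not part of the gist, that turns such output into per-BSSID frame counts, mean signal and mean SNR (signal minus noise) for troubleshooting; the SAMPLE lines are constructed, reusing the two MACs from the filter above.

```python
"""Summarise per-BSSID signal/noise from tshark -Tfields monitor-mode output."""
from collections import defaultdict
from statistics import mean

# Constructed sample of the column order produced by:
#   -e wlan.bssid -e wlan_mgt.ssid -e wlan.sa -e wlan.ra
#   -e radiotap.dbm_antnoise -e radiotap.dbm_antsignal
# Line 4 has an empty noise column; line 5 is deliberately malformed.
SAMPLE = (
    "b4:18:d1:e0:5d:39\tpodomere-5\tb4:18:d1:e0:5d:39\tff:ff:ff:ff:ff:ff\t-92\t-41\n"
    "b4:18:d1:e0:5d:39\t\tb4:18:d1:e0:5d:39\t68:a8:6d:4c:76:fc\t-92\t-43\n"
    "68:a8:6d:4c:76:fc\tpodomere-5\t68:a8:6d:4c:76:fc\tff:ff:ff:ff:ff:ff\t-93\t-67\n"
    "b4:18:d1:e0:5d:39\tpodomere-5\tb4:18:d1:e0:5d:39\tff:ff:ff:ff:ff:ff\t\t-45\n"
    "malformed line without tabs\n"
)

FIELDS = ("bssid", "ssid", "sa", "ra", "noise", "signal")


def parse_fields(text):
    """Yield one dict per well-formed line; skip lines with the wrong column count."""
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) != len(FIELDS):
            continue
        yield dict(zip(FIELDS, cols))


def to_dbm(value):
    """dBm columns may be empty or hold comma-joined per-antenna values; use the first."""
    if not value:
        return None
    return int(value.split(",")[0])


def summarise(text):
    """Per BSSID: SSID (if any frame carried one), frame count, mean signal, mean SNR."""
    acc = defaultdict(lambda: {"ssid": "", "frames": 0, "signal": [], "snr": []})
    for rec in parse_fields(text):
        s = acc[rec["bssid"]]
        s["frames"] += 1
        s["ssid"] = rec["ssid"] or s["ssid"]
        sig, noise = to_dbm(rec["signal"]), to_dbm(rec["noise"])
        if sig is not None:
            s["signal"].append(sig)
            if noise is not None:
                s["snr"].append(sig - noise)  # SNR in dB; only when both present
    return {
        b: {"ssid": s["ssid"], "frames": s["frames"],
            "mean_signal_dbm": round(mean(s["signal"]), 1) if s["signal"] else None,
            "mean_snr_db": round(mean(s["snr"]), 1) if s["snr"] else None}
        for b, s in acc.items()
    }
```

Pipe a live capture in with `tshark ... -Tfields ... | python3 -c 'import sys, thisfile; print(thisfile.summarise(sys.stdin.read()))'` (module name is an assumption) to get the same summary from real frames.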