Official website for Linux User & Developer
Feb 9

Monitor your wireless network with Wireshark

by Joey Bernard

Harness the power of Wireshark to keep tabs on your home and business networks

Step 13

Looking at network data

Now that you are capturing data across your whole network, you will see packets travelling between other machines, where yours is not directly involved, and the full packet is still collected and available for analysis. Bear in mind what "whole network" means on each medium: on a switched wired network the switch only delivers broadcast and multicast traffic, plus frames addressed to you, to your port, so to see everything else you need a mirror (SPAN) port, a hub or a tap. On a wireless network in monitor mode you see every frame transmitted on the channel your card is tuned to, including the other networks sharing it.

Step 14

Setting display filters

The other way to narrow down the packets to analyse is with display filters. Unlike capture filters, these do not throw anything away; they only control which of the captured packets are shown, so you can change your mind as often as you like. You can manage saved filters by clicking on Analyze>Display Filters…, or type an expression straight into the filter bar above the packet list. Here you can select packets on many different criteria, such as protocol, address, port or the value of a particular field.

Step 15

How many machines

One of the primary issues that you may want to investigate is whether or not there are unauthorised machines present on your network. You can see this by pulling up the list of endpoints visible on your network. To see this window, you will need to click on Statistics>Endpoints. It is broken down by protocol, depending on what kind of traffic is showing up on your network. The Ethernet tab should give you the physical machines directly connected to your network, identified by MAC address; for a wireless capture taken in monitor mode, the IEEE 802.11 tab lists every station and access point seen instead. The other tabs of most interest are the IPv4, TCP and UDP tabs, which tell you what kind of traffic is travelling over your network and between which hosts and ports. Remember that a MAC address is trivial to spoof, so an unfamiliar endpoint is a prompt to investigate rather than proof of anything on its own, and a familiar one is not proof of innocence either.

Figure: Follow the streams

Step 16

Following streams

When you find traffic of interest, you can get Wireshark to pull out all of the packets belonging to the same conversation and show you the reassembled payload. To this end, select a packet and then click on Analyze. If it is part of a TCP stream, the Follow TCP Stream option will be available; if it is UDP, the Follow UDP Stream option will be (newer releases group these under Analyze>Follow, and they are also on the right-click menu of the packet list). For unencrypted protocols this shows you the exchanged data as the applications saw it, which is the quickest way to confirm what an unknown connection is actually doing.

Step 17

Flow graphs

You can generate flow graphs (Statistics>Flow Graph) showing what the traffic looks like over time. You have the option of including only the currently displayed packets, or all of the captured packets, so applying a display filter first keeps the graph readable. The hosts are laid out across the top and the packets run down the page in time order, with arrows showing the direction of each one; a TCP handshake or a DNS lookup and its reply can be checked at a glance this way.

Step 18

Wireless problems

All of the steps until now apply equally to wired and wireless networks. With wireless networks, you have the additional complexity of the medium itself. Your data travels over the air as radio, and 802.11 wraps it in its own management and control frames (beacons, probe requests and responses, authentication and association frames, acknowledgements, RTS/CTS) alongside the data frames. In normal managed mode the card and its driver handle all of this themselves and hand up only your own data, looking like ordinary Ethernet frames, so Wireshark never sees the 802.11 layer at all. What to do?

Step 19

802.11 options

To set extra options for wireless network capture, you will need to pull up the preferences window by clicking on Edit>Preferences. Under Protocols on the left-hand side, you can find an entry for ‘IEEE 802.11’. Here you can set options like reassembling fragmented 802.11 datagrams and whether to assume the captured frames still carry their FCS; get the latter wrong and every frame shows a bad checksum, or a few bytes of trailing garbage, depending on the direction of the mistake.

Step 20

802.11 decryption keys

This window is also where you can enter decryption keys. This is useful on wireless networks where security is set. You do have security set on your wireless network, don’t you? You can set keys to decrypt WEP and WPA/WPA2 personal traffic, but at the time of writing the per-session keys of WPA/WPA2 enterprise (802.1X) networks aren’t supported. Simply click on the Edit button to add your keys and make sure ‘Enable decryption’ is ticked. A WEP key is entered as ‘wep:’ followed by the hex key; a WPA key either as ‘wpa-pwd:passphrase:ssid’ or as ‘wpa-psk:’ followed by the 64-hex-digit pre-shared key. One caveat catches most people the first time: the passphrase alone is not enough. WPA/WPA2 derives a fresh session key for every client from the four-way handshake, so Wireshark can only decrypt a client’s traffic if the capture also contains that client’s EAPOL handshake frames. If you started capturing after a device connected, you will see its frames but not their contents until it reconnects.
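What Wireshark actually does with a ‘wpa-pwd’ entry, and why the handshake has to be in the capture, is easier to see in code. The following is an added example written for this article; it is not Wireshark’s or aircrack-ng’s code. It uses only the Python standard library, and the passphrase, SSID, MAC addresses, nonces and EAPOL frame are constructed test data rather than a real capture. The only external reference point is the PSK test vector from IEEE 802.11i Annex H (passphrase ‘password’, SSID ‘IEEE’).

```python
"""WPA2-Personal key derivation: from passphrase to the per-client PTK.

Added example for this article, not Wireshark or aircrack-ng code.
Standard library only. All MACs, nonces, passphrase, SSID and the EAPOL
frame below are constructed test data, not captured from a real network.
"""
import hashlib
import hmac


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PSK (the PMK for WPA2-Personal): PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).

    A 'wpa-pwd:<passphrase>:<ssid>' entry in Wireshark becomes this value;
    a 'wpa-psk:<64 hex digits>' entry supplies it directly.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def wpa2_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key (384 bits for CCMP): KCK | KEK | TK, 16 bytes each.

    It depends on both MAC addresses and both nonces, which only exist in that
    client's 4-way handshake (EAPOL-Key messages 1 and 2). Without those frames
    Wireshark has the PMK but cannot derive the TK that encrypts the data frames.
    """
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


MIC_OFFSET = 81  # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields before the Key MIC


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key MIC for WPA2/CCMP (descriptor version 2): HMAC-SHA1 over the frame with the MIC zeroed, first 16 bytes."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def key_matches_handshake(passphrase, ssid, ap_mac, sta_mac, anonce, snonce, msg2) -> bool:
    """True if the passphrase reproduces the MIC the client put in handshake message 2.

    This is the check that tells you whether a key is right for a captured session:
    the KCK derived from it must authenticate the captured handshake.
    """
    pmk = wpa_psk(passphrase, ssid)
    kck = wpa2_ptk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
    captured_mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    return hmac.compare_digest(eapol_mic(kck, msg2), captured_mic)


# --- constructed sample handshake parameters (not from a real network) ---
AP_MAC = bytes.fromhex("001122aabbcc")
STA_MAC = bytes.fromhex("665544ddeeff")
ANONCE = bytes(range(32))
SNONCE = bytes(range(64, 96))
SSID = "HomeNet"
PASSPHRASE = "correct horse battery"


def build_msg2(passphrase=PASSPHRASE) -> bytes:
    """Build EAPOL-Key message 2 as the client would: SNonce in, key info 0x010a, MIC filled in."""
    body = (b"\x02"                  # descriptor type: RSN
            + b"\x01\x0a"            # key info: version 2 (HMAC-SHA1), pairwise, MIC bit set
            + b"\x00\x10"            # key length
            + b"\x00" * 7 + b"\x01"  # replay counter
            + SNONCE
            + b"\x00" * 16           # key IV
            + b"\x00" * 8            # key RSC
            + b"\x00" * 8            # key ID
            + b"\x00" * 16           # MIC placeholder, filled in below
            + b"\x00\x00")           # key data length (no key data in this sample)
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body
    kck = wpa2_ptk(wpa_psk(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


if __name__ == "__main__":
    print("PSK:", wpa_psk("password", "IEEE").hex())  # IEEE 802.11i Annex H vector
    msg2 = build_msg2()
    print("right passphrase:", key_matches_handshake(PASSPHRASE, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, msg2))
    print("wrong passphrase:", key_matches_handshake("hunter2", SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, msg2))
```

The PBKDF2 step is deliberately slow (4096 rounds), which is why Wireshark caches the result and why a short passphrase is still the weak point: anyone who captures the same handshake can run this loop over a word list offline. A long random passphrase, or a unique one per network, is the practical defence.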

Step 21

Installing aircrack-ng

An easy way to put your card into monitor mode is the command ‘airmon-ng start wlan0’. This command is part of the aircrack-ng package, so you will probably want to install that too; it is in most distributions’ repositories. It creates a separate monitor-mode interface (mon0, or wlan0mon in newer releases), and it is this interface, not wlan0, that you select in Wireshark when you start capturing. airmon-ng also warns you about processes such as NetworkManager and wpa_supplicant that can knock the card back out of monitor mode; ‘airmon-ng check kill’ stops them, at the cost of your normal wireless connection on that card for the duration.

Step 22

Starting monitor mode

You can also start monitor mode by hand with the iwconfig command: bring the interface down, set ‘iwconfig wlan0 mode monitor’, then bring it back up (newer kernels prefer the iw tool, but the idea is the same). If either this or airmon-ng fails, then your card and/or driver probably don’t support monitor mode. A quick check after either method is to run iwconfig again and confirm that the Mode field really reads Monitor. There is a very well-written section on the Wireshark wiki covering your options for getting your card into monitor mode.

Step 23

Looking at WLAN traffic

Wireshark has a summary window, Statistics>WLAN Traffic, that shows what kind of traffic is travelling over your wireless network, broken down by BSSID. You can see things like the number of beacons, probes, authentication and data frames seen for each network, the SSID each BSSID advertises and the channel it is on, for every network visible to your network card and not just your own. Selecting a row in the top window pulls up the individual stations talking to that network in the lower window, which is where an unknown client of your own access point stands out. Note that a card in monitor mode only hears the channel it is tuned to, so to survey everything you have to hop channels, or lock the card to your own network’s channel if that is all you care about.
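To make concrete what the WLAN Traffic and Endpoints windows are counting, here is an added example that builds a small monitor-mode capture and summarises it the same way. It is written for this article and is not Wireshark code; it needs no wireless card and uses only the Python standard library. The BSSIDs, client MACs, SSIDs and channels are made up, and the capture is written in pcap format with the radiotap link type, so the file it produces can also be opened in Wireshark to compare against Statistics>WLAN Traffic and the IEEE 802.11 tab of Statistics>Endpoints.

```python
"""Build a small 802.11 capture and summarise it like Statistics>WLAN Traffic.

Added example for this article, not Wireshark code. Standard library only.
All addresses, SSIDs and channels below are constructed test data.
"""
import struct
from collections import defaultdict

LINKTYPE_IEEE802_11_RADIOTAP = 127
BROADCAST = b"\xff" * 6

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def radiotap():
    """Minimal radiotap header: version 0, pad, length 8, empty 'present' bitmap."""
    return struct.pack("<BBHI", 0, 0, 8, 0)

def beacon(bssid, ssid, channel, seq):
    """Management frame, subtype beacon, with SSID, rates and DS Parameter Set elements."""
    hdr = b"\x80\x00" + b"\x00\x00" + BROADCAST + bssid + bssid + struct.pack("<H", seq << 4)
    fixed = struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, beacon interval, capabilities
    ies = (bytes([0, len(ssid)]) + ssid.encode()            # element 0: SSID
           + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])          # element 1: rates 1/2/5.5/11 Mbit/s
           + bytes([3, 1, channel]))                        # element 3: DS Parameter Set (channel)
    return radiotap() + hdr + fixed + ies

def data_frame(bssid, sta, to_ds, seq, payload):
    """Protected data frame between a station and its AP, To DS or From DS; addr3 is the AP itself."""
    fc = bytes([0x08, 0x40 | (0x01 if to_ds else 0x02)])     # type data; protected + direction flag
    addrs = (bssid + sta + bssid) if to_ds else (sta + bssid + bssid)   # addr1, addr2, addr3
    return radiotap() + fc + b"\x00\x00" + addrs + struct.pack("<H", seq << 4) + payload

def write_pcap(frames):
    """pcap file: global header, then a record header in front of each frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11_RADIOTAP)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

def parse_ies(buf):
    """Information elements are (id, length, value) triples until the frame ends."""
    ies = {}
    while len(buf) >= 2:
        eid, ln = buf[0], buf[1]
        ies[eid] = buf[2:2 + ln]
        buf = buf[2 + ln:]
    return ies

def summarise(pcap_bytes):
    """Per-BSSID beacon/data counts, SSID, channel and stations, plus the set of all endpoints."""
    magic, *_, linktype = struct.unpack("<IHHiIII", pcap_bytes[:24])
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_IEEE802_11_RADIOTAP:
        raise ValueError("expected a little-endian pcap with the radiotap link type")
    bss = defaultdict(lambda: {"ssid": None, "channel": None, "beacons": 0, "data": 0, "stations": set()})
    endpoints, pos = set(), 24
    while pos + 16 <= len(pcap_bytes):
        caplen = struct.unpack("<IIII", pcap_bytes[pos:pos + 16])[2]
        frame = pcap_bytes[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        rt_len = struct.unpack("<H", frame[2:4])[0]      # radiotap length, little-endian at offset 2
        w = frame[rt_len:]                               # the 802.11 frame proper
        ftype, subtype, flags = (w[0] >> 2) & 3, w[0] >> 4, w[1]
        a1, a2, a3 = w[4:10], w[10:16], w[16:22]
        if ftype == 0 and subtype == 8:                  # beacon: BSSID is addr3, elements follow 12 fixed bytes
            ies = parse_ies(w[36:])
            b = bss[fmt_mac(a3)]
            b["beacons"] += 1
            b["ssid"] = ies.get(0, b"").decode(errors="replace")
            b["channel"] = ies.get(3, b"\x00")[0]
        elif ftype == 2:                                 # data: which address is the BSSID depends on To DS
            bssid, sta = (a1, a2) if flags & 0x01 else (a2, a1)
            bss[fmt_mac(bssid)]["data"] += 1
            bss[fmt_mac(bssid)]["stations"].add(fmt_mac(sta))
        endpoints.update(fmt_mac(a) for a in (a1, a2) if a != BROADCAST)
    return {"bss": dict(bss), "endpoints": endpoints}

def sample_capture():
    """Two APs and three clients; the last station is one we never authorised (all constructed)."""
    home, neighbour = mac("00:11:22:aa:bb:cc"), mac("00:11:22:dd:ee:ff")
    laptop, phone, stranger = mac("66:55:44:33:22:11"), mac("66:55:44:33:22:12"), mac("de:ad:be:ef:00:01")
    frames = [beacon(home, "HomeNet", 6, 1), beacon(home, "HomeNet", 6, 2), beacon(neighbour, "NextDoor", 11, 1),
              data_frame(home, laptop, True, 1, b"\x00" * 40), data_frame(home, laptop, False, 2, b"\x00" * 40),
              data_frame(home, phone, True, 1, b"\x00" * 40), data_frame(home, stranger, True, 1, b"\x00" * 40)]
    return write_pcap(frames)

if __name__ == "__main__":
    cap = sample_capture()
    with open("sample-wlan.pcap", "wb") as f:   # open in Wireshark and compare Statistics>WLAN Traffic
        f.write(cap)
    for bssid, info in summarise(cap)["bss"].items():
        print(bssid, info["ssid"], "ch", info["channel"], "beacons", info["beacons"], "stations", sorted(info["stations"]))
```

The station list per BSSID is the one to read: the stranger MAC appears as a client of HomeNet even though it never sent a beacon or probe, which is exactly the case Statistics>WLAN Traffic surfaces for your own access point. Real captures also contain control frames (ACKs, RTS/CTS) and probe requests from devices that never join; the summary above simply skips anything that is not a beacon or data frame.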

Figure: WLAN Traffic

Step 24

Generating firewall rules

After finding out what is happening on your wireless network, you may want to tighten up your security by fine-tuning your firewall rules. Select a packet from the host you are interested in, then click on Tools>Firewall ACL Rules to pull up a window. You can select which firewall you want to generate rules for, such as Cisco IOS, IP Filter, ipfw, iptables, pf or Windows Firewall, and whether to match on the MAC address, IP address or port taken from that packet. Treat the output as a starting point to paste into your own configuration rather than a finished policy: it only knows about the one packet you selected. This way, you can get tighter control over who does what on your network.
