Wednesday, February 27, 2013

Sniffing Wireless in Windows: How Does It Work?

  • Sniffing Wireless in Windows
  • Sniffing Wireless in Linux
  • Sniffing through Multiple Interfaces
  • Monitor vs. Promiscuous Mode (Coming Soon)
  • Automate Sniffing Process (Coming Soon)

    Sniffing wireless is based on promiscuous/monitor mode support for capturing all packets, which involves each of the following layers, along with a good UI- or CLI-based tool to view and analyze the packets:

    • NIC HW
    • Driver
    • OS/NDIS

    Let's take a look at some of the well-known packet capture and analysis tools in Windows.

    a) Omnipeek

    We are all familiar with sniffing in Windows using OmniPeek, which provides a beautiful and flexible UI. It is definitely popular, especially among testers and end-users.

    But it is costly and closed-source, meaning we cannot learn from, customize or contribute to it.

    It installs its own driver for the given NIC (it has a list of supported NICs) and so overcomes the limitations of poor or missing promiscuous mode support in the vendor driver.

    b) Wireshark

    For wired captures we have Wireshark, but when it comes to sniffing wireless packets it doesn't work well in Windows, basically due to the lack of good support for promiscuous mode in Windows and also in many wireless NICs.

    But we can still use Wireshark for wireless for two purposes:

    a) Traffic intended for or originating from us. It can still be seen, with Link Type as Ethernet. Mainly used for checking the contents of the upper layers like IP/TCP.

    b) To see the contents of encrypted packets: as Wireshark is working in non-promiscuous mode on either the AP or the STA, all packets undergo normal processing and are decrypted by the HW before being given to the OS, which in turn gives them to Wireshark, unlike the special processing path called monitor mode/promiscuous mode.

    It doesn't need a separate driver for the NIC; it uses the vendor's built-in driver and captures packets through it, hence the lack of good promiscuous mode support.

    The biggest advantage is customization and faster development time for new features, as we have access to the source code, which is pretty self-explanatory and makes it easy to add dissectors for new protocols. If something isn't supported, you can add the support yourself :-)

    There is a command line version called tshark, along with its sister tools, which make it easy to automate things like capturing and post-processing files.

    c) AirPcap

    It's a combination of both of the above: it uses its own driver and NIC but uses Wireshark as the tool for displaying the captured packets.

    It has some extra plugins and its own software called Cascade Pilot, and is moderately priced compared to OmniPeek. It is the solution recommended by Wireshark for Windows environments.

    d) Microsoft Network Monitor

    An entry from Microsoft itself to capture packets in promiscuous mode, even though it is not as great and useful as the above, as only very few NICs support it.

    It is being replaced by Microsoft Message Analyzer (still in beta). It still uses the same capture format, but the UI is similar to OmniPeek; let's see what it has to offer.

    In all the above mechanisms:

    a) The 802.11 header and payload are provided as-is by the driver, with the exception of PHY and security related info stripped by the HW.

    b) PHY and security related information, which is used by the HW and normally isn't shared with the upper-layer SW, can be conveyed by the driver to the sniffer tool in the following formats, predominantly:

    • Radiotap: AirPcap
    • PPI:
    • Proprietary: OmniPeek
    • Wireshark: it supports all kinds of wireless metadata formats.

    Let's discuss these formats some other time.
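    To make concrete how a monitor-mode driver hands the sniffer a PHY metadata header in front of the untouched 802.11 frame, here is an added Python example (not from the original post) that splits a radiotap-prefixed capture into the metadata and the raw frame, and flags protected frames whose body is still ciphertext. The sample bytes are constructed for the example, not a real capture.

```python
import struct
# Radiotap "present" bits decoded here (first bitmap word, per the public radiotap spec).
RT_TSFT, RT_FLAGS, RT_RATE, RT_CHANNEL, RT_DBM_ANTSIGNAL, RT_EXT = 0, 1, 2, 3, 5, 31
KNOWN = sum(1 << b for b in (RT_TSFT, RT_FLAGS, RT_RATE, RT_CHANNEL, RT_DBM_ANTSIGNAL))

def _align(off, n):
    return (off + n - 1) & ~(n - 1)

def parse_radiotap(buf):
    """Split a radiotap-prefixed capture into (PHY metadata dict, raw 802.11 frame)."""
    version, _pad, length, present = struct.unpack_from('<BBHI', buf, 0)
    if version != 0 or length > len(buf):
        raise ValueError('malformed radiotap header')
    if present & ~(KNOWN | (1 << RT_EXT)):
        raise ValueError('radiotap field we cannot size; later offsets would be wrong')
    off = 8
    bitmap = present
    while bitmap & (1 << RT_EXT):            # skip extended present words
        bitmap = struct.unpack_from('<I', buf, off)[0]
        off += 4
    meta = {}
    if present & (1 << RT_TSFT):             # u64, 8-byte aligned, microseconds
        off = _align(off, 8)
        meta['tsft_us'] = struct.unpack_from('<Q', buf, off)[0]; off += 8
    if present & (1 << RT_FLAGS):            # bit 0x10: frame includes the FCS
        meta['fcs_present'] = bool(buf[off] & 0x10); off += 1
    if present & (1 << RT_RATE):             # units of 500 kbps
        meta['rate_mbps'] = buf[off] * 0.5; off += 1
    if present & (1 << RT_CHANNEL):          # u16 frequency MHz + u16 channel flags
        off = _align(off, 2)
        meta['freq_mhz'] = struct.unpack_from('<H', buf, off)[0]; off += 4
    if present & (1 << RT_DBM_ANTSIGNAL):    # signed dBm
        meta['signal_dbm'] = struct.unpack_from('<b', buf, off)[0]; off += 1
    return meta, buf[length:]

def parse_dot11(frame):
    """Decode the 802.11 MAC header; 'protected' means the body is still ciphertext."""
    fc = struct.unpack_from('<H', frame, 0)[0]
    return {'type': (fc >> 2) & 3, 'subtype': (fc >> 4) & 0xF,
            'protected': bool(fc & 0x4000),
            'addr1': frame[4:10].hex(':'), 'addr2': frame[10:16].hex(':')}

# Constructed sample: 15-byte radiotap header (flags, rate, channel, dBm signal)
# followed by the 24-byte header of a protected 802.11 data frame (ToDS set).
SAMPLE = bytes.fromhex('00000f00' '2e000000' '10' '02' '6c09' 'a000' 'd8'
                       '0841' '0000' '001122334455' '66778899aabb' 'ccddeeff0011' '1000')

if __name__ == '__main__':
    meta, frame = parse_radiotap(SAMPLE)
    print(meta, parse_dot11(frame))
```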

    How to Put the NIC in Promiscuous Mode

    In Windows we can configure the mode from:

    a) The packet capturing tool: "Capture settings"
    b) The Advanced Properties tab specific to the NIC.
    c) Rarely, the Windows Registry.
