Before we go off to dive into the deep waters of the Wi-Fi sea, it is time to invite our good seafaring friend, Wireshark, to the scene. Just as we had used Wireshark to capture traffic on our wired Ethernet networks in the previous chapters, we will now use it to capture the Wi-Fi network traffic.
Sniffing Wi-Fi traffic can be quite challenging. Wireless networks operate on multiple channels and frequencies, even within the same location. The first challenge is to select one specific, static channel to listen on; the next is to identify the channel number of the network that we have decided to capture.
Another important factor to consider is the distance between the point of capture and the transmitting point. The greater the range, the less reliable the collection. Interference and collisions can also affect the quality of capture. As discussed earlier, certain network frequencies are subject to interference by devices such as cordless phones and microwave ovens.
Before we begin sniffing, we need to manually put our network interface into monitor mode. Most drivers for Wi-Fi NICs under Linux use the Linux wireless interface, which gives us the ability to configure the wireless card in monitor mode. Unfortunately, Windows does not offer that capability; therefore, we need to use specialized software such as AirPcap before we begin our capture. Of course, the best solution is to use a bootable distribution of Kali Linux, which has a plethora of open source tools that are very useful for all sorts of activities related to forensics and network security.
As in the case of wired (Ethernet) networks, we will use Wireshark to capture network traffic.
The following are the three different types of traffic that we may wish to capture:
Before we take this exercise further, we need to understand the types of packets that exist. 802.11 traffic consists of data packets (the normal packets), management packets, and low-level control packets. Packets can be unicast, multicast, or broadcast:
To capture any traffic other than the unicast traffic, the wireless network interface will need to be set to monitor mode. This can be done in most Linux and Mac implementations. Let's take a look at the following steps to do this:
To stop the capture, we will click on the red button shown in the following image:
We then save the captured packets to a .pcap file. This is done as per the following screenshot:
This is quite important, as the saved .pcap capture file can be analyzed in greater detail at a later time.
Now that we have collected the evidence (or sniffed it, as in this case), it is time to mine through the captured packets in order to make sense of the data that we have collected.
While it is very tempting to dive straight away into viewing the packet headers and contents, that will just end up confusing you as an investigator.
The best way to begin is to get an overview of all the data that has been captured, baseline the environment, identify the focus areas, and then narrow the focus using filters.
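The frame classification described above (data, management, and control packets; unicast, multicast, and broadcast) and this baselining step can be reproduced on a saved .pcap file outside Wireshark. The following Python script is an added example and is not code from the book: it builds a small constructed capture using the raw 802.11 link type (no radiotap header), parses it with the standard library only, and tallies the frames by type and by addressing class; the MAC addresses and timestamps in it are made up.

```python
import struct
from collections import Counter
LINKTYPE_IEEE802_11 = 105   # pcap link type for raw 802.11 frames without a radiotap header
TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
BROADCAST = bytes.fromhex("ffffffffffff")
AP, STA, GROUP = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), bytes.fromhex("01005e000001")

def frame(ftype, subtype, addr1, addr2=AP, addr3=AP):
    # Frame Control byte 0: version (bits 0-1), type (bits 2-3), subtype (bits 4-7); flags and Duration zero
    fc = struct.pack("<H", (subtype << 4) | (ftype << 2))
    if ftype == 1:  # control frames such as ACK carry only the receiver address after Duration
        return fc + b"\x00\x00" + addr1
    return fc + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00"  # trailing Sequence Control

def build_pcap(frames):
    # classic pcap: 24-byte global header, then a 16-byte record header ahead of every frame
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out

def parse_pcap(data):
    # yields each record's bytes; refuses anything that is not a little-endian raw-802.11 pcap
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_IEEE802_11:
        raise ValueError("expected a little-endian pcap with link type 105 (IEEE 802.11)")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def classify(raw):
    # Address 1 (receiver) is at offset 4 in every frame type; its first octet's I/G bit marks group addresses
    ftype, subtype = (raw[0] >> 2) & 0x3, (raw[0] >> 4) & 0xF
    addr1 = raw[4:10]
    cast = "broadcast" if addr1 == BROADCAST else "multicast" if addr1[0] & 1 else "unicast"
    return TYPE_NAMES.get(ftype, "reserved"), subtype, cast

def baseline(pcap_bytes):
    # the overview step: how many frames of each 802.11 type and of each addressing class
    by_type, by_cast = Counter(), Counter()
    for raw in parse_pcap(pcap_bytes):
        ftype, _, cast = classify(raw)
        by_type[ftype] += 1; by_cast[cast] += 1
    return dict(by_type), dict(by_cast)

# Constructed sample capture (not a real one): beacon, probe request, data, QoS data, ACK
SAMPLE = build_pcap([frame(0, 8, BROADCAST), frame(0, 4, BROADCAST, STA, BROADCAST),
                     frame(2, 0, STA), frame(2, 8, GROUP), frame(1, 13, STA)])
```

Running baseline() on a real raw-802.11 capture gives the same kind of type and address breakdown that Wireshark's statistics windows show, and a capture that contains only unicast data frames is a quick sign that the interface was not in monitor mode.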
Let's start by loading our previously saved packet capture file:
This information provides us with a baseline from which we initiate our investigation.
We can carry out a similar analysis on the IP addresses involved in conversations with each other, as shown in the following screenshot:
Geocoded IP address information in database form is available in both paid and free versions at https://www.maxmind.com/en/home. When it is correctly installed and configured in a version of Wireshark that has been compiled with GeoIP support, it further enhances this already powerful tool.
To determine whether the version you downloaded is compatible with the GeoIP database, navigate to Help | About Wireshark.
In the window that pops up, there is a section that lists the modules that your version of Wireshark has been compiled with. If it mentions GeoIP, as shown in the following screenshot, then your version of Wireshark is set to go places:
As an example, if we wish to look at only the traffic that adheres to the HTTP protocol, we need to type http in our filter box. As we type in the box, its color changes from red (unacceptable/meaningless input) to yellow (needs refinement) to green (acceptable). When we hit the Apply button, the display changes to show us all the packets that comply with our requirement, as shown in the following screenshot:
We can further trace the complete TCP stream by right-clicking on the packet to view it in more detail. The following screenshot shows the options available when we right-click on a packet:
The output is as follows:
This window, as we can see, carries a plethora of information, including errors such as malformed SSL and TCP packets, warnings, notes, and so on. All of these add to our knowledge about the various activities on our network: