Thursday 14 November 2013

Sniffing Wireless Packets using Wireshark in backtrack 5

What is Wireshark?

Wireshark is the world's most popular network analyzer. This very powerful tool provides network and upper-layer protocol information about data captured in a network.

A network packet analyzer captures network packets and tries to display the packet data in as much detail as possible. You could think of a network packet analyzer as a measuring device used to examine what's going on inside a network cable, just like a voltmeter is used by an electrician to examine what's going on inside an electric cable (but at a higher level, of course). In the past, such tools were either very expensive, proprietary, or both. However, with the advent of Wireshark, all that has changed. Wireshark is perhaps one of the best open source packet analyzers available today.
 

Getting Wireshark
 

You can download Wireshark for Windows or Mac OS X from its official website. If you’re using Linux or another UNIX-like system, you’ll probably find Wireshark in its package repositories. For example, if you’re using Ubuntu, you’ll find Wireshark in the Ubuntu Software Center.

Start Wireshark by typing wireshark in a terminal in BackTrack 5.




Once Wireshark is running, click on the Capture | Interfaces sub-menu 


You can capture packets in real time from your Ethernet, WLAN or monitor mode interface. Here I will be using the mon0 interface. Select packet capture from the mon0 interface by clicking the Start button. Wireshark will begin capturing packets in real time, and you should now see packets in the Wireshark window. These are the wireless packets which your wireless card is sniffing off the air.

Wireshark traces can be a bit daunting at times, and even for a reasonably populated wireless network, you could end up sniffing a few thousand packets. Hence, it is important to be able to drill down to only those packets which interest us. This can be accomplished using filters in Wireshark.

How to apply filters in Wireshark
 

Applying filters in Wireshark is fairly easy; the tricky part is remembering which filter you need to produce the output that you require. The newest versions of Wireshark have made using filters extremely easy.

To view all the Management frames in the packets being captured, enter the filter wlan.fc.type == 0 into the filter window and click Apply or press Enter.

To view all the Control frames, modify the filter expression to read wlan.fc.type == 1

To view the Data frames, modify the filter expression to wlan.fc.type == 2

To additionally select a sub-type, use the wlan.fc.subtype filter. For example, to view all the Beacon frames among all Management frames, use the following filter: (wlan.fc.type == 0) && (wlan.fc.subtype == 8)

Alternatively, you can right-click on any of the header fields in the middle window and then select Apply as Filter | Selected to add it as a filter.
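What the wlan.fc.type and wlan.fc.subtype filters above test at the byte level, shown as an added example that is not code from the original post: the type and subtype are bit fields in the first Frame Control byte of the 802.11 header. It assumes each frame starts with a radiotap header, as is usual on a Linux monitor mode interface; the function names and the sample frames are constructed for illustration.

```python
import struct

# 802.11 frame types, as tested by the wlan.fc.type display filter field
TYPES = {0: "Management", 1: "Control", 2: "Data"}
# A few well-known (type, subtype) pairs; not an exhaustive table
SUBTYPES = {(0, 4): "Probe Request", (0, 8): "Beacon",
            (0, 12): "Deauthentication", (1, 13): "ACK",
            (2, 0): "Data", (2, 8): "QoS Data"}

def strip_radiotap(frame: bytes) -> bytes:
    """Drop the radiotap header; its total length is a little-endian u16 at offset 2."""
    if len(frame) < 8 or frame[0] != 0:
        raise ValueError("not a radiotap (version 0) frame")
    (length,) = struct.unpack_from("<H", frame, 2)
    if length < 8 or length >= len(frame):
        raise ValueError("bad radiotap length")
    return frame[length:]

def frame_control(dot11: bytes) -> tuple:
    """Return (type, subtype) decoded from the first Frame Control byte."""
    if not dot11:
        raise ValueError("empty 802.11 frame")
    fc0 = dot11[0]
    # bits 0-1: protocol version, bits 2-3: type, bits 4-7: subtype
    return (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF

def describe(frame: bytes) -> str:
    """Name the frame and give the display filter that would match it."""
    ftype, subtype = frame_control(strip_radiotap(frame))
    name = SUBTYPES.get((ftype, subtype), "subtype %d" % subtype)
    return "%s / %s (wlan.fc.type == %d && wlan.fc.subtype == %d)" % (
        TYPES.get(ftype, "type %d" % ftype), name, ftype, subtype)

def select(frames, ftype, subtype=None):
    """Keep frames matching the type and, optionally, the subtype."""
    out = []
    for f in frames:
        t, s = frame_control(strip_radiotap(f))
        if t == ftype and subtype in (None, s):
            out.append(f)
    return out

# Constructed samples: minimal 8-byte radiotap header + the two Frame Control bytes
RT = bytes.fromhex("0000080000000000")
SAMPLES = [RT + bytes.fromhex(h) for h in ("8000", "4000", "d400", "0801", "8801")]

if __name__ == "__main__":
    for s in SAMPLES:
        print(describe(s))
```
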







You can view the display filters that are available by default in your profile by clicking on Analyze | Display Filters. Here you can add or remove filters that you commonly use.


The analyzer also has a feature called Expert Info, available under the Analyze menu, which displays problems in a trace file and can help you zero in quickly on the root cause of network issues. The Expert does not point out every possible problem that can exist in a capture, but it lists some common problems affecting network and application performance.

The Expert has four levels of severity in its alerts – Errors, Warnings, Notes, and Chats.

  •     Errors: These are serious problems such as malformed packets and checksums
  •     Warnings: Out-of-Order Packets and application error codes
  •     Notes: TCP Retransmissions, Resets, Keep-Alives, Duplicate ACKs, SNMP problems
  •     Chats: HTTP Gets, Application calls, TCP SYNs, FINs, basic workflow information
