Capture WiFi traffic on Linux
Some of the public trains in the Netherlands have free WiFi. To create a connection with the hotspot, there is a simple open network you connect to. You then agree to the terms and you can start using it.
Because the WiFi is an open network, all packets going in and out fly through the air without any encryption. This makes any client that does not use any kind of protocol encryption, burst their data online, including any cookies and session information they might share over HTTP (not HTTPS ofcourse). Theoretically you could join somebodies online game or mimic them by having the browser access everything they access (I would love to see a Selenium implementation for this!).
Let's have some simple fun by capturing all the packets using aircrack-ng and then extracting all the images we can find using driftnet. First we set up monitoring on our wireless device:
sudo airodump-ng start wlan0
As you can see, my wireless device is
wlan0, you can find out yours by using
iwconfig and picking the device that has a wireless extension.
The output of
airodump-ng start will tell you which device it has set up for monitoring (usually
mon0, again you can check with
iwconfig). You should now be able to capture packets from it using
sudo airodump-ng --write captured mon0. But because we are only interested in packets some of the packets, let's narrow our capture.
First find out the channel, so we don't have to hop channels. Run
sudo iwlist scan|less and pick the channel you are interested in (
--channel 1). Also we only need
pcap output for Wireshark and driftnet (
--output-format pcap). And we only find unencrypted stuff interesting (
This sums up to:
sudo airodump-ng --encrypt OPN --output-format pcap -a --channel 1 --write captured mon0
We should now have a file called
--write captured). You can analyze all packets by opening the file in Wireshark. But there is another fun thing you can try: extract all images you can find using driftnet.
mkdir images driftnet -f captured-01.cap -d images -a
This will tell drifnet to use the capture file (
-f), dump any found images in the
images directory (
-d) and leave the whole GUI out of it.
You could also run driftnet on your monitoring interface
mon0 directly, but make sure you are prepared for what might pop up on your screen.