Thursday, May 22, 2014

Analyzing IEEE 802.11 frames

IEEE 802.11 frames are only visible at the lowest layer of a packet capture. The capture has to be done in monitor mode, only certain Macs (and their wireless adapters) can capture it, and on Windows it is not easy either.

The command below puts the network adapter into monitor mode. The tcpdump man page excerpt below describes the other options available for this command.

The parameter that puts the adapter into monitor mode is -I (capital i; lowercase -i selects the interface).

I could not find a good way to leave monitor mode, but restarting the device did take it out of monitor mode. Putting the adapter into monitor mode disconnects it from the network.

sudo tcpdump -i en1 -I -s 0 -B 524288 -w ~/Desktop/DumpFile01.pcap

TCPDUMP(1)                                                          TCPDUMP(1)

NAME
       tcpdump - dump traffic on a network

SYNOPSIS
       tcpdump [ -AbdDefgIkKlLnNOPpqRStuUvxX ] [ -B buffer_size ] [ -c count ]
               [ -C file_size ] [ -G rotate_seconds ] [ -F file ]
               [ -i interface ] [ -m module ] [ -M secret ]
               [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
               [ -W filecount ]
               [ -E spi@ipaddr algo:secret,...  ]
               [ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
               [ expression ]

DESCRIPTION
       Tcpdump prints out a description of the contents of packets on  a  net-
       work  interface  that match the boolean expression.  It can also be run
       with the -w flag, which causes it to save the packet data to a file for
       later analysis, and/or with the -r flag, which causes it to read from a
       saved packet file rather than to read packets from a network interface.
       In  all  cases, only packets that match expression will be processed by
       tcpdump.
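As an added example (not code from the original post), here is a small Python parser for the file that command writes: it reads the classic pcap container, strips the radiotap header that -I prepends to each frame, decodes the 802.11 frame control and address fields, and counts frames by type, which is the first thing to look at when checking a capture for unusual management traffic such as a burst of deauthentication frames. The BSSID, station address and three frames are constructed sample data, not a real capture.

```python
import struct
from collections import Counter

DLT_IEEE802_11, DLT_IEEE802_11_RADIO = 105, 127   # plain 802.11 / radiotap-prefixed (what -I produces)
FRAME_TYPES = {0: "mgmt", 1: "ctrl", 2: "data"}
MGMT_SUBTYPES = {0: "assoc-req", 4: "probe-req", 5: "probe-resp", 8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}

def read_pcap(blob):  # classic (non-pcapng) pcap -> (linktype, [packet bytes, ...])
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[blob[:4]]  # magic gives byte order
    linktype = struct.unpack(endian + "I", blob[20:24])[0]
    pkts, off = [], 24
    while off + 16 <= len(blob):                      # record header: ts_sec, ts_usec, caplen, origlen
        caplen = struct.unpack(endian + "IIII", blob[off:off + 16])[2]
        pkts.append(blob[off + 16:off + 16 + caplen])
        off += 16 + caplen
    return linktype, pkts

def parse_frame(pkt, linktype):  # strip optional radiotap header, decode the 802.11 MAC header
    if linktype == DLT_IEEE802_11_RADIO:              # radiotap: u8 version, u8 pad, u16 length (LE)
        pkt = pkt[struct.unpack_from("<H", pkt, 2)[0]:]
    fc = struct.unpack_from("<H", pkt, 0)[0]          # frame control: type (2 bits), subtype (4), flags (8)
    ftype, subtype, flags = (fc >> 2) & 3, (fc >> 4) & 0xF, fc >> 8
    tname = FRAME_TYPES.get(ftype, "reserved")
    return {"type": tname, "subtype": subtype,
            "name": MGMT_SUBTYPES.get(subtype, f"mgmt-{subtype}") if ftype == 0 else f"{tname}-{subtype}",
            "to_ds": bool(flags & 0x01), "from_ds": bool(flags & 0x02), "protected": bool(flags & 0x40),
            "addr1": pkt[4:10].hex(":"),              # receiver; CTS/ACK control frames carry only this one
            "addr2": None if ftype == 1 and subtype in (12, 13) else pkt[10:16].hex(":"),
            "addr3": None if ftype == 1 else pkt[16:22].hex(":")}

def summarize(blob):  # decode every frame and count them by name (e.g. how many deauths were seen)
    linktype, pkts = read_pcap(blob)
    frames = [parse_frame(p, linktype) for p in pkts]
    return frames, Counter(f["name"] for f in frames)

# Constructed sample data (not a real capture): one AP, one station, three frames.
BSSID, STA, BCAST = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), b"\xff" * 6
SAMPLE_FRAMES = [
    b"\x80\x00\x00\x00" + BCAST + BSSID + BSSID + b"\x10\x00" + b"\x00" * 12 + b"\x00\x04labs",  # beacon
    b"\xc0\x00\x3a\x01" + STA + BSSID + BSSID + b"\x20\x00" + b"\x07\x00",                      # deauth
    b"\x08\x42\x2c\x00" + STA + BSSID + STA + b"\x30\x00" + b"\x00" * 8,            # protected data, From-DS
]

def radiotap_pcap(frames):  # wrap raw frames in an empty 8-byte radiotap header inside a LE pcap (constructed)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_IEEE802_11_RADIO)
    for f in frames:
        pkt = struct.pack("<BBHI", 0, 0, 8, 0) + f
        out += struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
    return out
```

On a real capture, call summarize(open("DumpFile01.pcap", "rb").read()); the second element of the result is the per-type count.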
