Monitoring wireless networks
From Ever changing code
This is another All-In-One page for wireless monitoring solutions. The easiest option is to use Kali Linux (http://www.kali.org/). Follow these steps to create a bootable Live USB:
Kali Linux Live USB
- Download the ISO from http://www.kali.org/downloads/ or with the wget command
- Install a progress bar package to show information about the data transfer. It is not required for writing the image to USB, but it is useful to see progress. If you use the bar package, remember to append -s <file_size>. Another way to see progress is to install the pv (Pipe Viewer) package.
apt-get install bar && apt-get install pv
- Copy the image to the USB drive. Make sure you use the correct device to write the image, as dd will not warn you when writing. On Ubuntu, useful commands for identifying the device are lsusb or mount
sudo dd if=kali.iso | bar -s 2.2g | sudo dd of=/dev/sdc bs=512
dd if=kali.iso | pv | sudo dd of=/dev/sdb bs=512k
or
dd if=kali.iso of=/dev/sdb bs=512k & pid=$!; while kill -USR1 $pid 2>/dev/null; do sleep 1; clear; done # the loop ends when dd exits
The important thing to grasp here is the fact that you can keep an eye on 'dd' as it's running to see where you are at during its execution.
For persistence mode, follow the steps in the Kali documentation: http://docs.kali.org/installation/kali-linux-live-usb-install
Kali Linux Persistence mode
- create an additional partition (persistence space) on the USB stick using gparted, make sure the volume label of the newly created partition is 'persistence', and format it with the ext4 filesystem.
- mount the partition, create a persistence.conf file in its top-level folder containing the single line / union, then unmount and reboot
mkdir /mnt/usb
mount /dev/sdb2 /mnt/usb
echo "/ union" >> /mnt/usb/persistence.conf
umount /mnt/usb
- select Live boot from the menu (don’t press enter) when the Kali Linux boot screen is displayed, then press the tab button. This will allow you to edit the boot parameters. Add the word persistence to the end of the boot parameter line each time you want to mount your persistent storage.
- Kali will boot and it will mount root folder to /dev/sdb2 where all changes are saved. Below is part of the mount output to visualise it.
/dev/sdb2 on /lib/live/mount/persistence/sdb2 type ext4 (rw,noatime,data=ordered)
root@kali:/lib/live/mount/persistence/sdb2# ls -al
total 64
drwxr-xr-x 12 root root  4096 Aug 11 11:04 .
drwxr-xr-x  3 root root  4096 Aug 11 11:04 ..
drwxr-xr-x 15 root root  4096 Aug 11 11:09 etc
drwxr-xr-x  3 root root  4096 Aug 11 11:04 home
drwxr-xr-x  3 root root  4096 Mar 15 09:51 lib
drwx------  2 root root 16384 Aug 11 10:56 lost+found
drwxr-xr-x  7 root root  4096 Aug 11 11:04 media
-rw-r--r--  1 root root     8 Aug 11 10:57 persistence.conf
drwxr-xr-x 13 root root  4096 Aug 11 11:10 root
drwxrwxrwt  7 root root  4096 Aug 11 11:17 tmp
drwxr-xr-x  6 root root  4096 Jul 23 12:30 var
-r--r--r--  4 root root     0 Aug 11 11:04 .wh..wh.aufs
drwx------  2 root root  4096 Aug 11 11:04 .wh..wh.orph
drwx------  2 root root  4096 Aug 11 11:04 .wh..wh.plnk
Install Kismet from sources
wget https://www.kismetwireless.net/code/kismet-2013-03-R1b.tar.xz
tar xf kismet-2013-03-R1b.tar.xz
cd kismet-2013-03-R1b*
./configure #check required software, libraries, and system environment
sudo apt-get install ncurses-dev libnl-dev #dependencies to install: libcurses or libncurses, libnl netlink library to control mac80211 vaps
make dep
make #compiling it can take ~5 min
sudo make install
kismet -v #version check
Configure and run
Kismet is installed by default in Kali Linux. A few points to consider:
- a virtual interface is created for monitoring, to minimise WLAN interface reconfiguration in the system. The virtual interface name is created by appending mon to the existing interface name. We can verify this with iw dev.
- it may also reconfigure your main interface into Monitor mode; check with iwconfig.
- it is a client-server application, by default listening on port :2501
- when adding source use your mon interface, eg:
- requires root privileges to run
- Run with -c <wlan_in_monitor_mode>
sudo kismet -c wlan0mon
- Run server
Kismet > Start Server ... > enter source monitoring interface if not specified at the run eg: wlan0 or wlan0mon
- You may need to reset your network configuration after exiting from Kismet
sudo /etc/init.d/networking restart
sudo service networking restart
sudo dhclient wlan0 #renew ip address from DHCP server
wavemon is an ncurses-based monitoring application for wireless network devices. Home page http://www.erg.abdn.ac.uk/wavemon/
- to measure the link quality we need to be connected to the network first
- different options are displayed at the bottom of the screen, controlled by function keys or the first letter of the option
F1info F2lhist F3scan F4 F5 F6 F7prefs F8help F9about F10quit
- Install and run wavemon -i <interface>
apt-get install wavemon
wavemon -i wlan0
Create a virtual monitoring interface. It will also reconfigure your main wireless interface into Monitor mode. Issue iwconfig to check it.
# airmon-ng start mon0
Interface   Chipset      Driver
mon0        Intel 6205   iwlwifi - [phy0]
                         (monitor mode enabled on mon3)
mon1        Intel 6205   iwlwifi - [phy0]
mon2        Intel 6205   iwlwifi - [phy0]
wlan0       Intel 6205   iwlwifi - [phy0]
Then start capturing packets
See link quality continuously on the screen
$ watch -n 1 cat /proc/net/wireless
Inter-| sta-|   Quality        |   Discarded packets               | Missed | WE
 face | tus | link level noise |  nwid  crypt   frag  retry   misc | beacon | 22
wlp4s0: 0000   47.  -63.  -256        0      0      0      0      4        0

# log the header once, then one timestamped sample per second
printf '%s %s\n' "$(cat /proc/net/wireless)" "$(date)" | tee -a 20190815-proc-net-wireless.log; \
while true; do printf '%s %s\n' "$(cat /proc/net/wireless|tail -1)" "$(date)" | tee -a 20190815-proc-net-wireless.log; sleep 1; done

$ ls -1 /sys/module/mac80211/parameters
beacon_loss_count
ieee80211_default_rc_algo
max_nullfunc_tries
max_probe_tries
minstrel_vht_only
probe_wait_ms
$ cat beacon_loss_count probe_wait_ms
7 # once reached wifi card will disassociate with AP and try to associate again
500 # once reached wifi card will disassociate with AP and try to associate again

You can try lowering the number of beacon losses so that your WiFi card disconnects from the current AP and tries to switch to another one. Edit /etc/modprobe.d/wifi-sensitivity.conf and add this line:
<code>options mac80211 beacon_loss_count=1 max_probe_tries=1</code>
Reboot, and check whether it makes your WiFi more sensitive to AP signal changes. If not, try adding another parameter to the line above: probe_wait_ms=100. On a really poor signal these settings may give you no WiFi connection at all. Don't panic, just set those limits a little higher. You can use two strategies: keep probe_wait_ms higher (the default is 500, but you can go higher) and keep the other two options low, or the opposite, the two other options higher and probe_wait_ms lower than the default 500. All those settings are available "live", without reboots, in the /sys/module/mac80211/parameters/... directory, for example:
<code>echo 1 > /sys/module/mac80211/parameters/beacon_loss_count</code>
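As an added example (not part of the original page), the following reads the log written by the loop above and lists the samples where the signal level fell below a threshold or the missed-beacon counter grew, which gives some data to go on when choosing beacon_loss_count. The function names, the -75 dBm threshold and the sample log lines are assumptions constructed for the example.

```sh
#!/bin/sh
# Constructed sample of 20190815-proc-net-wireless.log (all values made up).
sample_log() {
cat <<'EOF'
Inter-| sta-|   Quality        |   Discarded packets               | Missed | WE
 face | tus | link level noise |  nwid  crypt   frag  retry   misc | beacon | 22
wlp4s0: 0000   47.  -63.  -256        0      0      0      0      4        0 Thu 15 Aug 10:00:01 BST 2019
wlp4s0: 0000   30.  -80.  -256        0      0      0      2      4        0 Thu 15 Aug 10:00:02 BST 2019
wlp4s0: 0000   21.  -89.  -256        0      0      0      9      4        3 Thu 15 Aug 10:00:03 BST 2019
wlp4s0: 0000   45.  -65.  -256        0      0      0      9      4        3 Thu 15 Aug 10:00:04 BST 2019
EOF
}

# usage: weak_samples <min_level_dBm> < logfile
# Prints "level retry_delta beacon_delta timestamp" for every sample whose
# signal level is below the threshold or whose missed-beacon counter increased.
weak_samples() {
  awk -v min="$1" '
    $1 !~ /:$/ { next }   # header lines do not start with "<iface>:"
    {
      k = $1; level = $4 + 0; retry = $9 + 0; beacon = $11 + 0
      # counters are cumulative, so report the change since the last sample
      dr = (k in pr) ? retry - pr[k] : 0
      db = (k in pb) ? beacon - pb[k] : 0
      pr[k] = retry; pb[k] = beacon
      if (level < min + 0 || db > 0) {
        ts = $12; for (i = 13; i <= NF; i++) ts = ts " " $i
        print level, dr, db, ts
      }
    }
  '
}

sample_log | weak_samples -75
```
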
Debug Wifi traffic
Useful script, produces wireless-info.txt log file.
wget -N -t 5 -T 10 https://github.com/UbuntuForums/wireless-info/raw/master/wireless-info && chmod +x wireless-info && ./wireless-info
# then you can send to termbin.com
cat wireless-info.txt | nc termbin.com 9999
Another script that actually sets you up with the strongest-signal cell
$ rfkill list all
0: tpacpi_bluetooth_sw: Bluetooth
	Soft blocked: yes
	Hard blocked: no
1: phy0: Wireless LAN
	Soft blocked: no
	Hard blocked: no
$ iwlist wlp4s0 scan # scan for available access points
wlp4s0    Scan completed :
          Cell 01 - Address: 94:0B:19:EF:11:22
                    Channel:100
                    Frequency:5.5 GHz (Channel 100)
                    Quality=40/70  Signal level=-70 dBm
                    Encryption key:on
                    ESSID:"bt-hub1234"
                    Bit Rates:6 Mb/s; 9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s
                              36 Mb/s; 48 Mb/s; 54 Mb/s
                    Mode:Master
                    Extra:tsf=00000000ca95be46
                    Extra: Last beacon: 142228ms ago
                    ...
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (2) : CCMP TKIP
                        Authentication Suites (1) : PSK
                    ...
                    IE: WPA Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (2) : CCMP TKIP
                        Authentication Suites (1) : PSK
                    IE: Unknown: DD180050F2020101800003A4000027A4000042435E0062322F00
$ sudo iw dev wlp4s0 scan | grep -A 9 BSS | grep -B 9 <wifiName> # get a list of APs with signal strength
$ sudo iw dev wlp4s0 scan # scan for available access points
$ sudo iw dev wlp4s0 link # show current ap-association
Connected to 94:0b:19:ef:11:22 (on wlp4s0)
	SSID: bt-hub1234
	freq: 5500
	RX: 50957 bytes (323 packets)
	TX: 39580 bytes (286 packets)
	signal: -65 dBm
	tx bitrate: 780.0 MBit/s VHT-MCS 8 80MHz short GI VHT-NSS 2
	bss flags: short-slot-time
	dtim period: 3
	beacon int: 100
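As an added example (not from the original page), this turns iwlist scan output of the kind shown above into one line per cell, strongest signal first, and flags cells that are open or still advertise WPA version 1 or TKIP. The function names and the second sample cell are assumptions constructed for the example.

```sh
#!/bin/sh
# Constructed sample in the layout of the iwlist output above; the second
# cell (address, ESSID, values) is made up for this example.
sample_scan() {
cat <<'EOF'
wlp4s0    Scan completed :
          Cell 01 - Address: 94:0B:19:EF:11:22
                    Channel:100
                    Frequency:5.5 GHz (Channel 100)
                    Quality=40/70  Signal level=-70 dBm
                    Encryption key:on
                    ESSID:"bt-hub1234"
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (2) : CCMP TKIP
                    IE: WPA Version 1
                        Group Cipher : TKIP
          Cell 02 - Address: 02:00:00:AA:BB:CC
                    Channel:36
                    Quality=55/70  Signal level=-55 dBm
                    Encryption key:on
                    ESSID:"cafe Cipher TKIP"
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
EOF
}

# stdin: iwlist scan text. stdout: "signal bssid channel flags essid".
summarise_scan() {
  awk '
    function emit(   f) {
      if (bssid == "") return
      if (enc == "off") f = "OPEN"
      else f = (wpa1 ? "WPA1," : "") "" (tkip ? "TKIP," : "")
      sub(/,$/, "", f); if (f == "") f = "ok"
      print sig, bssid, chan, f, essid
    }
    # The ESSID is untrusted text: take it first and skip the other rules.
    /^[ \t]*ESSID:/ { sub(/^[ \t]*ESSID:/, ""); essid = $0; next }
    /Cell [0-9]+ - Address:/ { emit(); bssid = $NF; chan = sig = essid = enc = ""; wpa1 = tkip = 0 }
    /^[ \t]*Channel:/ { split($0, a, ":"); chan = a[2] + 0 }
    /Signal level=/ { split($0, a, "Signal level="); sig = a[2] + 0 }
    /Encryption key:/ { enc = ($0 ~ /key:off/) ? "off" : "on" }
    /IE: WPA Version 1/ { wpa1 = 1 }
    /Cipher.*TKIP/ { tkip = 1 }
    END { emit() }
  ' | sort -rn
}
sample_scan | summarise_scan
```

On a live system the input would come from `iwlist wlp4s0 scan | summarise_scan`; the ESSID is kept as the last field because it may contain spaces.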