22. Nov 2014 06:11
No comments

How to sniff WiFi data

Sniff phone over WiFi
Sniff phone over WiFi

There are some usecases and legitimate reasons to sniff the data of Android and iPhone devices. Sniffing means you capture all the data that is being transferred over a network and analyse it. You can record others VoIP calls on the network or just scan and read what data apps transfer over the network and silently read them. The same is true for any websites that are being opened by anyone on the wi-fi network your sniffing. There are some legal consequences in sniffing data on a network and you should make yourself comfortable with them before you start sniffing anything. I have dumped data my Android phone transferred to the rail operator Deutsche Bahn through their DBNavigator app. In this article I will describe how to sniff WiFi data from mobiles or smartphones and other devices.

How to wiretap, sniff or record WiFi network data

To read all data traffic that is going through the WiFi network or even a wired network you need a node within the network that can read the data. In wireless networks following the 802.11 standard the data is transferred through the air so that everybody has access to it. In a wired network such as Ethernet it is a bit more complicated since a router or switch is used to route the data between the different stations in the network and that data is not transferred through every interface, but only through those form the origin and the destination. If you want to capture or sniff the data you need to sniff it on the router itself. The following applications can be used to sniff data on networks. These exist for Unix, Linux, BSD as well as Mac OSX and Windows. The use of Linux, Unix or BSD is recommend since those are the ultimate network operating systems.

Capture WiFi data with tcpdump

You first install the application "tcpdump" on the router if you want to capture the data on there. This works for example with custom firmware such as OpenWrt but also with many FritzBox routers. In my case I am using the TP-Link WR1043ND with OpenWrt. Alternatively you can also use any device in the network if the router is configured to forward all data to this port (called "Promiscuous Mode"). For that purpose and for long-term capture the Raspberry Pi is a useful device or maybe a Linux NAS for recording larger amounts of data. Generally you should remember that with the capture of network data large amounts of data may be created. In my case I started "tcpdump" on my OpenWrt router with the following command.

Let's look at the command a bit more in detail. Tcpdump is instructed to read on the interface "br-lan" which is the network interface through which all data or network traffic on the router flows through. This means external data from the WAN as well as the data from LAN and WiFi. The the parameter "w" we instruct it to store all data in the Pcap-format within the file "/tmp/razrdbnav.pcap". You need to be careful with it as this file may get very large if for example a download of a 2 GB file is running. All the data will we stored in the file defined and the router may run out of memory quickly and just stop operation. This is why afterwards I've put the filter "ether host [MAC]" which defines that only the data from the given MAC address is being captured. You could also define an IP address, but then you would only have the IP data and not the ARP or potential IPv6 data.

Capture and analysis with Wireshark

The application "Wireshark" allows to analyse and evaluate the data which the router recorded with tcpdump. Wireshark provides a graphical user interface, but can also capture data itself. In this case I use "File > Open" and open the Pcap-file which I created on the router with tcpdump before. Afterwards Wireshark shows all the recorded traffic.

The network scanner Wireshark

Basically Wireshark shows every single data packet with exact details such as source address, destination address and others. There is really every piece of every data packet that went through the network. With opening a website the network protocol TCP or "Transport Control Protocol" is being used and it relies on many IP packets being send which need to be put back into order to read the full TCP data stream. Luckily Wireshark can do this for us. If you see a packet that contains a part of a TCP stream then you can right-click "Follow TCP Stream" and Wireshark will show you the complete stream at once.  The data of web sites, e-mails, chat protocols and others that are not encrypted can be read on the screen immediately.

Capturing video streams and VoIP phone calls

Data recordings of larger data streams such as HD video streams, Voice over IP phone calls or image up- and downloads do exist in the Pcap-file, but cannot be identified as such by Wireshark. In that case you can use the "Save as" function within the "Follow TCP Stream" window to save the TCP data separately on your hard drive. You should not forget that there is still header data in the raw data.  With video streams it's recommend to only select the data that was sent by the server which can be done in the Dropdown below "Stream Content". If you now remove the header data you have the raw data the server trasmitted. With a media player such as MPlayer you can now play the data stream.

Summary for network analysis

Wureshark, Tcpdump and the Pcap-library are often falsely denigrated as "hacker tools". This goes back to many people thinking the only purpose of this tool is to monitor other people or read data you're not supposed to read. People forget that tools like Wireshark are built for network analysis and monitoring to identify network errors, failures and problems. The possibilities of Wireshark, Pcap and tcpdump are endless. This is why every network professional uses them as their everyday tools. Regardless of whether it's reverse engineering, analysis of network issues or simply evaluation of potential security leaks within a network. If you are interested in the topic I highly recommend the books about that exist out there.

Books about the topic „Wireshark“

The following books are all about the topic "Wireshark" and are highly recommended. I have not read all of these books, but a good number of them and some of them I used for my research as well.
Order now »
Wireshark 101: Essential Skills for Network Analysis - Second Edition: Wireshark Solution Series
Laura Chappell, Laura Chappell University
Order now »
Troubleshooting with Wireshark: Locate the Source of Performance Problems
Laura Chappell, Laura Chappell University
Order now »
Practical Packet Analysis, 3e
Chris Sanders, No Starch Press
Order now »
Rtfm: Red Team Field Manual
Ben Clark, CreateSpace Independent Publishing Platform

Comments about the topic „How to sniff WiFi data“

If you like you can leave a comment about the topic and exchange with other reads. In order to comment you need to login and then you can start immediately.
Login now to comment