
OBJECTIVE

Essentially, my goal is to emulate something like airodump-ng wlan0

Here is a link just in case ... airodump-ng

  • Collects raw 802.11 frames
  • Displays nearby access points and data

GAMEPLAN / OBSERVATIONS

I did a quick airodump to see if my results would be close to the same. I see that airodump is hopping channels (!), collecting beacons, and displaying the nearby APs.

I want to see what I can pick up using Scapy and sniff() without hopping channels.

So, I close airodump and fix my wireless card to channel 1 with iwconfig wlan0 channel 1.

Then, I use Scapy to sniff() beacon frames (subtype=8) from APs within range of my wireless card.

However, when I compare my results to what I got from airodump, I see that I've got a bunch of beacons from APs on all different channels. I was expecting to only see beacons from channel 1.


QUESTION

Is this a glitch? Is there some sort of benefit that airodump gets from hopping channels, or is it unnecessary to be on a specific channel to collect beacon frames from all channels?

Or does sniff have channel hopping built in?

ma77c
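The question turns on which "channel" a captured frame is reporting. As an added example (not code from the original post, from Scapy or from airodump-ng), the script below parses raw RadioTap + 802.11 beacon bytes by hand and keeps the two values apart: the RadioTap Channel field, which records the frequency the capturing card was tuned to when the frame arrived, and the DS Parameter Set element (IE 3) inside the beacon body, which is the channel the AP itself announces. The MAC addresses, SSIDs, the interface name wlan0mon and the sample frames are constructed for this example; a live capture from Scapy's sniff() on a monitor-mode interface can be fed to the same parser as bytes(pkt).

```python
"""Beacon parser (RadioTap + 802.11) that keeps the AP's channel and the
capturing card's channel apart. Added example, not code from the original
post; sample frames are constructed, not captured."""
import struct

SSID_TAG = 0
DS_PARAMETER_SET = 3       # IE 3: the channel the AP itself beacons on
RADIOTAP_FLAGS_FCS = 0x10  # RadioTap Flags bit: a 4-byte FCS trails the frame


def freq_to_channel(freq_mhz):
    """Map a RadioTap centre frequency (MHz) to a channel number."""
    if freq_mhz == 2484:
        return 14
    if 2412 <= freq_mhz <= 2472:
        return (freq_mhz - 2407) // 5
    if 5000 <= freq_mhz <= 5925:
        return (freq_mhz - 5000) // 5
    return None


def parse_radiotap(buf):
    """Return (header_len, channel the card was tuned to, fcs_present)."""
    _version, _pad, hdr_len, present = struct.unpack_from("<BBHI", buf, 0)
    off, word = 4, present
    while word & (1 << 31):              # extended present bitmaps follow
        off += 4
        word = struct.unpack_from("<I", buf, off)[0]
    off += 4                             # data starts after the last word
    capture_channel, fcs_present = None, False
    # Only the first four fields are needed: TSFT, Flags, Rate, Channel
    for bit, size, align in ((0, 8, 8), (1, 1, 1), (2, 1, 1), (3, 4, 2)):
        if not present & (1 << bit):
            continue
        off = (off + align - 1) // align * align
        if bit == 1:                     # Flags
            fcs_present = bool(buf[off] & RADIOTAP_FLAGS_FCS)
        elif bit == 3:                   # Channel: frequency, then flags
            capture_channel = freq_to_channel(struct.unpack_from("<H", buf, off)[0])
        off += size
    return hdr_len, capture_channel, fcs_present


def parse_beacon(frame):
    """Return a dict for a beacon frame, None for anything else."""
    hdr_len, capture_channel, fcs_present = parse_radiotap(frame)
    body = frame[hdr_len:-4] if fcs_present else frame[hdr_len:]  # drop CRC
    if len(body) < 36:                   # MAC header (24) + fixed fields (12)
        return None
    fc = body[0]
    if (fc >> 2) & 0x3 != 0 or fc >> 4 != 8:   # type 0 (mgmt), subtype 8
        return None
    bssid = ":".join("%02x" % b for b in body[16:22])   # addr3
    ssid = ap_channel = None
    off = 36
    while off + 2 <= len(body):          # walk the information elements
        tag, length = body[off], body[off + 1]
        value = body[off + 2:off + 2 + length]
        if len(value) < length:
            break                        # truncated IE
        if tag == SSID_TAG:
            ssid = value.decode("utf-8", "replace")
        elif tag == DS_PARAMETER_SET and length == 1:
            ap_channel = value[0]
        off += 2 + length
    return {"bssid": bssid, "ssid": ssid, "ap_channel": ap_channel,
            "capture_channel": capture_channel}


def summarize(frames):
    """airodump-style table: BSSID -> SSID, AP channel, card channel, count."""
    table = {}
    for info in filter(None, map(parse_beacon, frames)):
        table.setdefault(info["bssid"], dict(info, beacons=0))["beacons"] += 1
    return table


def build_beacon(bssid, ssid, ap_channel, capture_freq_mhz, with_fcs=False):
    """Construct a test frame; the fake 'FCS' would read as a DS Parameter Set
    IE claiming channel 11 if a parser forgot to strip it."""
    if with_fcs:   # present = Flags | Channel, header 14 bytes
        radiotap = struct.pack("<BBHIBBHH", 0, 0, 14, (1 << 1) | (1 << 3),
                               RADIOTAP_FLAGS_FCS, 0, capture_freq_mhz, 0x80)
    else:          # present = Channel only, header 12 bytes
        radiotap = struct.pack("<BBHIHH", 0, 0, 12, 1 << 3, capture_freq_mhz, 0x80)
    mac = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, interval, capability
    ies = (bytes([SSID_TAG, len(ssid)]) + ssid.encode()
           + bytes([1, 4, 0x82, 0x84, 0x8b, 0x96])            # supported rates
           + bytes([DS_PARAMETER_SET, 1, ap_channel]))
    return radiotap + mac + fixed + ies + (b"\x03\x01\x0b\x00" if with_fcs else b"")


# Constructed capture: card tuned to 2417 MHz (channel 2); one AP beaconing on
# channel 1, one on channel 2 (with FCS), plus a short data frame to be skipped.
SAMPLE_FRAMES = (
    [build_beacon(b"\x00\x11\x22\x33\x44\x55", "HomeNet", 1, 2417)] * 3
    + [build_beacon(b"\x66\x77\x88\x99\xaa\xbb", "CoffeeShop", 2, 2417, with_fcs=True)]
    + [b"\x00\x00\x08\x00\x00\x00\x00\x00" + b"\x08\x00" + b"\x00" * 22]
)


def live_table(iface="wlan0mon", count=200):
    """Same parser over a live Scapy capture (monitor mode and root required)."""
    from scapy.all import sniff   # imported here so the offline part needs no Scapy
    return summarize(bytes(p) for p in sniff(iface=iface, count=count))
```

Running summarize(SAMPLE_FRAMES) shows both APs with capture_channel 2 (the card's tuning, from the RadioTap header) while their ap_channel values come from the beacon body and differ. The with_fcs frame is there because some drivers hand monitor-mode frames over with the trailing CRC still attached; the RadioTap Flags field says whether it is present, and a parser that walks the IEs without stripping it reads the CRC bytes as a bogus element.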

2 Answers


You can only listen to signals on the correct frequency band (channel). This is why tools that attempt to give a full listing will necessarily browse through all the channels.

Julie Pelletier
  • This is what I thought. Then how am I picking up beacons from different channels? I also tested with Wireshark on channel 2. With that, I picked up beacons from APs that I knew were on channel 1, but the headers of the frame said channel 2 ... – ma77c Jul 22 '16 at 23:36
  • `airodump` obviously scans the different channels regardless of what channel you previously set on the adapter. As for the beacons you're picking up which indicate being on channel 2, they are really on channel 2 and you were simply misled for some reason. – Julie Pelletier Jul 22 '16 at 23:39
  • I am saying that I used airodump to see what the true channel of the AP was. Then I used Wireshark to scan for beacon frames on channel 2. I picked up beacons from the AP that I knew was on channel 1, but the header for the frame stated channel 2. Also, using sniff with Scapy I picked up the same beacon from the AP on channel 1 while my wireless card was on channel 2. – ma77c Jul 22 '16 at 23:44
  • Is it possible that you're seeing two different APs or an AP which supports two channels (possibly through channel bonding)? – Julie Pelletier Jul 22 '16 at 23:57
  • By "supports two channels" you mean 2.4 GHz and 5 GHz? Would that enable an access point to be on channel 1 and 6 or channel 6 and 11 at the same time? – ma77c Jul 23 '16 at 00:08
  • That's not what I meant and the reason I mentioned the possibility of channel bonding. – Julie Pelletier Jul 23 '16 at 00:12
  • Based on what I've read about channel bonding, this is entirely possible. Could the results that I am experiencing also be due to 'channel overlapping'? Since there are only 3 distinct channels (1, 6, 11), could it be that my being on channel 2 could pick up beacons from channel 1? – ma77c Jul 23 '16 at 00:18
  • 1
    No. Channel overlapping only causes interference on the neighboring channels, not a recognizable message. – Julie Pelletier Jul 23 '16 at 01:02

What really happens is that, to modulate and demodulate the signal, your Wi-Fi card's antenna needs to operate on a frequency called the center frequency, which belongs to a certain channel, the one being transmitted by the AP. Your card's antenna can only demodulate the 802.11 frames that hit your card on a carrier frequency (of the channel) which should match the frequency at which your Wi-Fi NIC is operating.

So in order to sniff all beacon frames, you need to be on all the frequency channels simultaneously to catch them, which is (obviously) not possible with a single hardware antenna, so you have to opt for frequency hopping like all the other tools such as airodump-ng.

They do this by creating a virtual interface for Wi-Fi and putting it into monitor mode, where it can sniff packets.

Xander
Arjun sharma
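The hopping that both answers describe, a background thread retuning the card while sniff() runs, as an added example (not airodump-ng's own code and not from the original answers). It assumes a Linux host with the `iw` utility, root, and a monitor-mode interface named wlan0mon; the channel order and the 250 ms dwell time are choices made for this example, not airodump-ng's schedule. The channel setter is an injectable parameter so the hop schedule can be exercised without a radio.

```python
"""Channel hopper for a monitor-mode interface. Added example, not code from
the original answers; interface name, channel order and dwell are assumptions."""
import itertools
import subprocess
import threading
import time

# 2.4 GHz channels 1-13 with the three non-overlapping ones (1, 6, 11) first
# in each pass. This ordering is an assumption for the example.
DEFAULT_CHANNELS = (1, 6, 11, 2, 7, 12, 3, 8, 13, 4, 9, 5, 10)


def set_channel_iw(iface, channel):
    """Retune a monitor-mode interface with `iw` (requires root)."""
    subprocess.run(["iw", "dev", iface, "set", "channel", str(channel)], check=True)


def hop(iface, channels=DEFAULT_CHANNELS, dwell=0.25, stop=None,
        set_channel=set_channel_iw, max_hops=None):
    """Cycle through `channels`, staying `dwell` seconds on each.

    Returns the list of channels visited. Stops when the threading.Event
    `stop` is set or after `max_hops` retunes; `set_channel` is injectable so
    the schedule can be recorded in a test instead of calling iw.
    """
    visited = []
    for ch in itertools.cycle(channels):
        if stop is not None and stop.is_set():
            break
        if max_hops is not None and len(visited) >= max_hops:
            break
        set_channel(iface, ch)
        visited.append(ch)
        if stop is not None:
            stop.wait(dwell)     # returns early once stop is set
        elif dwell:
            time.sleep(dwell)
    return visited


def sniff_while_hopping(iface="wlan0mon", seconds=10, dwell=0.25):
    """Run Scapy's sniff() for `seconds` while a thread hops channels.

    Returns the captured beacon frames; the frame's RadioTap header records
    the channel the card was on when each one arrived.
    """
    from scapy.all import sniff, Dot11Beacon   # imported here: hop() needs no Scapy
    stop = threading.Event()
    hopper = threading.Thread(target=hop, args=(iface,),
                              kwargs={"dwell": dwell, "stop": stop}, daemon=True)
    hopper.start()
    try:
        return sniff(iface=iface, timeout=seconds,
                     lfilter=lambda p: p.haslayer(Dot11Beacon))
    finally:
        stop.set()
        hopper.join()
```

With hop() driven by a recording setter (as in the test) the schedule is visible without hardware; sniff_while_hopping() is the live path and needs Scapy, root and an interface already in monitor mode. A dwell shorter than the APs' beacon interval (commonly around 100 ms) risks leaving a channel before any beacon arrives, so the dwell is the knob to tune if some APs never show up.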