【无标题】

最新推荐文章于 2023-06-30 22:11:40 发布

weixin_47861989

最新推荐文章于 2023-06-30 22:11:40 发布

阅读量234

点赞数

文章标签： 5G

本文链接：https://blog.csdn.net/weixin_47861989/article/details/128947644

版权

一、无线抓包概述#

如果你只想抓主机与主机之间传输的数据，而无需关心射频层的信息（比如信道、信号强度、传输速率、管理帧等等），那就简单了。普通方式的抓包都能抓到以太网格式的数据帧，因为网卡适配器和网卡驱动在收到无线数据帧时，会转换成以太网数据帧再传给操作系统的协议栈进行处理。

以太网和无线网的数据链路层头部如何转换的，参见《802.11无线网络权威指南》P75。

但是如果需要获取802.11帧头部信息，就会比较复杂了。首先802.11无线网卡可以工作在三种模式下。

Normal

Normal模式下的无线网络接口完全为收发数据的工作状态，不做任何监测。

Monitor

Monitor模式下的无线网络接口不能收发数据，只能监听用。

Hybrid

Hybrid模式即为混合模式，即可监听也可收发数据，为normal与monitor的分时组合模式。

如果需要抓取环境中任意主机的带802.11头部信息的原始数据帧，首先要求抓包使用的无线网卡工作在monitor模式下。而如果工作在非monitor模式则只能抓取抓包网卡所通信的数据帧。不幸的是，是否支持monitor模式的无线网卡依不同厂商和驱动支持而不同。更不幸的是，我们熟悉的抓包利器——wireshark在Windows平台依赖于Winpcap库，而Winpcap库却不支持无线网卡工作在monitor模式。

Winpcap官网邮件列表给的说明 http://www.winpcap.org/pipermail/winpcap-users/2009-March/003109.html

At the moment there are no current plans to support native WiFi in WinPcap, although I've definitely been 
thinking about it. The main problem in supporting it is that it's not trivial, it basically requires to
 rewrite all the kernel module of WinPcap in order to be an NDIS6 filter driver (and as consequence,
  a lot of the installation code). I've actually experimented with it and read some documentation, with 
  this output:

not all the wireless cards support the native wifi monitor mode. vista supports both the “legacy”
wireless drivers (i.e. the ones that also work on 2000/XP) as well as native WiFi drivers. Only the
latter ones can support monitor mode.
even when they support monitor mode, I’ve seen native wifi drivers that do not provide the original
wireless frames. If you are only interested in the L3 information, that’s ok. But if you are interested
in the strictly wireless related information (e.g. 802.11 control/management frames), that could be a
problem. For example, I’ve seen 802.11n native WiFi drivers that strip all the 802.11N related information
from the frames.
transmitting on adapters in monitor mode should be possible, but not documented (and probably not
supported by MS).

Hope this clarifies the situation.

Have a nice day
GV

----- Original Message -----
From: Joshua (Shiwei) Zhao
To: winpcap-users at winpcap.org
Sent: Monday, March 30, 2009 11:31 AM
Subject: [Winpcap-users] Vista monitor mode support for 802.11

Hi,
I’m wondering whether winpcap plans to or already support the native WiFi monitor mode on Vista.
If so what’s the status, and if not what’s the difficulty there?

Many thanks,
Joshua

Wireshark官网给的解释http://wiki.wireshark.org/CaptureSetup/WLAN#Windows

Capturing WLAN traffic on Windows depends on WinPcap and on the underlying network adapters and drivers.
 Unfortunately, most drivers/adapters support neither monitor mode, nor seeing 802.11 headers when capturing,
nor capturing non-data frames.

但是在Windows平台仍然可以通过第三方驱动和某些合适的无线网卡来支持抓取802.11帧的数据包——OmniPeek。后续章节有详细说明。

二、Linux平台无线抓包#

1.检查网卡或驱动是否支持#

Linux平台的抓包要支持的好很多，tcpdump、wireshak、dumpcap、tshark等，只要网卡和驱动能支持monitor模式都可以抓包，如何检查所使用的无线网卡是否支持抓取802.11帧呢？
在使用wireshark1.4或更新的版(使用libpcap1.0或更新的库),可以使用以下命令检查哪些链路层头部被当前接口在monitor模式所支持

dumpcap -i interface -I -L
tshark -i interface -I -L
wireshark -i interface -I -L

输出 IEEE802_11_RADIO (802.11 plus radiotap header) 即表示在monitor模式下支持802.11头部帧

root@yxh-pfm-4:~# dumpcap -i wlan0 -I -L
Capturing on wlan0
Data link types of interface wlan0 when in monitor mode (use option -y to set):
  IEEE802_11_RADIO (802.11 plus radiotap header)

忽略-I 参数，即检查在非monitor模式下支持类型

root@yxh-pfm-4:~# dumpcap -i wlan0 -L
Capturing on wlan0
Data link types of interface wlan0 when not in monitor mode (use option -y to set):
  IEEE802_11_RADIO (802.11 plus radiotap header)