This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Need advice on using Wireshark + aircrack-ng

0

Hi! I am making acquaintance with wireless security and attacks and was told to run some tests with aircrack-ng and wireshark.

So I installed both of them and ran airmon to switch wi-fi adapter to monitor mode: sudo airmon-ng start ra0 (this is my dwa-140 usb wi-fi)

The wi-fi adapter seems to have restarted after that. Guess that's ok.

After that I ran wireshark as a superuser, chose the ra0 adapter and tried to sniff the test open network. I have my PC connected to it (via dwa-140) and an HTC phone as well as some other stranger PCs. Wireshark runs on my PC.

The problem is that when I login to %site.com% with a PC browser, I can see the cookies sent to it over http in Wireshark. But when I do the same thing with an Opera browser on my HTC, there is nothing detected. I know that other PCs are also sending data to the site, but I can't see anything from them as well.

I'd like to know what I'm doing wrong. Will be thankful for any advice.

P.S. This runs on Ubuntu 12.04.1

UPD: here is the output I get when starting ra0

[email protected]:~$ sudo airmon-ng start ra0
[sudo] password for svz:

Found 5 processes that could cause trouble. If airodump-ng, aireplay-ng or airtun-ng stops working after a short period of time, you may want to kill (some of) them!

PID Name
887 avahi-daemon
889 avahi-daemon
1621 wpa_supplicant
19718 NetworkManager
20488 dhclient
Process with PID 20488 (dhclient) is running on interface ra0

Interface Chipset Driver

ra0 Ralink 2560 PCI rt2500 (monitor mode enabled)

asked 07 Oct ‘12, 11:14

svz

edited 08 Oct ‘12, 10:25

What does the sudo airmon-ng start ra0 command print when you run it? (Show all the output.)

(07 Oct ‘12, 16:42) Guy Harris ♦♦

Sorry, don’t have my PC nearby now. Will update the post in like 10 hours with full info. Actually airmon says that there are a number of processes that might interfere with it like network manager, dhclient and a few more. I tried to stop them, but they seem to restart all the time. Actually, I do get some packets from other PCs, but not the ones I need. And I know that there should be some.

(08 Oct ‘12, 00:12) svz

Updated the post with airmon-ng output

(08 Oct ‘12, 10:25) svz


2 Answers:

1

After that I ran wireshark as a superuser, chose the ra0 adapter and tried to sniff the test open network.

You should capture on mon0 instead of ra0! 'airmon-ng start ra0' will create that "monitoring" interface (mon0), if your ra0 adapter supports that!

Regards
Kurt

answered 08 Oct '12, 11:37

Kurt Knochner ♦

Umm.. I don't see a mon0 interface here. How can I figure out if my ra0 is capable of doing such a thing? Airmon states that monitor mode was enabled. Does this make any sense if there is no mon0?

(08 Oct '12, 11:49) svz

If airmon-ng had created a monitoring interface, rather than just putting ra0 into monitor mode, I think it would have printed a message indicating that. For interfaces with mac80211 drivers, it'll create a monitoring interface (VIF), but for non-mac80211 drivers I'm not sure it can do that.

I'd expect a mac80211 driver to call the interface wlan0, not ra0.

In addition, I've found that, if a mon0 interface is created, the "regular" interface isn't put into monitor mode, so the daemons listed don't "helpfully" turn monitor mode off, otherwise it does get turned off.

(08 Oct '12, 11:53) Guy Harris ♦♦

1

At least according to the WifiDocs/Device/DWA-140 page in the Ubuntu Community Help Wiki, the default driver for that adapter is the rt2800usb driver. The "Successful use" section of that page seems to suggest a mac80211 driver, as the output of the iwconfig command includes a wlan0 device.

The Linux Wireless page for the rt2800usb driver says:

After working with the IPW ieee80211 stack which was merged into the kernel, the rt2x00 team decided to move over to the newer Devicescape ieee80211 stack. This stack provided much better support for non-firmware wireless devices, and offered features the IPW stack never did. The last release with the IPW ieee80211 stack was rt2x00 Beta3, after that rt2x00 was redesigned to use the Devicescape 80211 stack, which has been renamed to mac80211.

The mac80211-stack was included in to the kernel 2.6.22 and on January 24th 2008, Linux Kernel 2.6.24 was released, and it was the first mainline kernel that included the rt2x00 driver.

which further suggests it's using the mac80211 stack.

The WifiDocs/Driver/RalinkRT2500 page in the Ubuntu Community Help Wiki speaks of much older Ubuntu releases using a "rt2500" driver, which provides interfaces named raN, e.g. ra0.

This page on the Ubuntu forums says

I've found instructions for downloading and installing the RaLink driver http://ubuntuforums.org/showthread.php?t=1592731&page=2 and have done so. The modified driver module loads but 'iwconfig' lists the interface as 'ra0' instead of 'wlan0'. So named, network-manager and network-manager-applet ignore it.

which suggests that you may be using that driver rather than the standard driver; following that link goes to a page that speaks of that driver as coming from Ralink. Perhaps Ralink's driver doesn't support mac80211.

As per my comment on another answer, from some stuff I've done while debugging some issues caused by some Linux distributions not building recent versions of libpcap with libnl (so that they don't use the mac80211 mechanisms to go into monitor mode and, instead of creating a mon0 interface separate from the wlan0 interface, fall back on the old mechanism and put wlan0 itself into monitor mode), NetworkManager "helpfully" responds to this "problem" by turning monitor mode back off on wlan0. If you're using the Ralink driver, and it doesn't support mac80211 (as, given the ra0 name for the interface, I suspect it doesn't), then airmon-ng may be turning monitor mode on for ra0 and NetworkManager may be "helpfully" turning it back off again.

(Dear 802.11 hardware vendors: mac80211 is your friend. If you must provide your own drivers for your adapters, embrace it.)

answered 08 Oct '12, 12:46

Guy Harris ♦♦

Thank you for your response. I'll try to use the rt2800 driver instead and disable the Network Manager and report back. As I just discovered this thing is Rev.B3 and uses an RT5392 chipset, so rt2800 driver won't do.

(08 Oct '12, 13:24) svz

If whatever driver you use creates a wlan0 interface, it may not be necessary to disable NetworkManager - it might mean it's a mac80211 driver, in which case it won't put wlan0 into monitor mode, it'll create a monitor-mode mon0 adapter.

(08 Oct '12, 13:41) Guy Harris ♦♦

There is no wlan0 interface with my current driver. After stopping network manager with stop network-manager my problem is that nothing happens after I start airmon-ng. It just outputs an empty line instead of ra0 Ralink 2560 PCI rt2500 (monitor mode enabled) and there is no network connection as well.

(08 Oct '12, 14:01) svz
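
A sysfs-only check for the two things this thread turns on: whether the interface's driver is registered with cfg80211 (the layer mac80211 drivers sit on), and whether monitor mode stays on or is switched back off by a daemon such as NetworkManager. This is an added example, not part of any post above; the function names, the constructed sample tree and the 10-second sampling window are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: tell a cfg80211/mac80211 interface from a legacy one and
# check whether monitor mode stays on. Reads only sysfs; root is a parameter.

# stack_kind ROOT IFACE -> cfg80211 | legacy
stack_kind() {
    if [ -e "$1/class/net/$2/phy80211" ]; then echo cfg80211; else echo legacy; fi
}

# link_mode ROOT IFACE -> monitor | non-monitor | unknown
link_mode() {
    t=$(cat "$1/class/net/$2/type" 2>/dev/null) || { echo unknown; return 0; }
    case "$t" in
        801|802|803) echo monitor ;;      # ARPHRD_IEEE80211, _PRISM, _RADIOTAP
        *)           echo non-monitor ;;  # e.g. 1 = ARPHRD_ETHER (managed mode)
    esac
}

# mode_holds ROOT IFACE SAMPLES INTERVAL -> held | reverted | never
mode_holds() {
    i=0
    while [ "$i" -lt "$3" ]; do
        if [ "$(link_mode "$1" "$2")" != monitor ]; then
            if [ "$i" -eq 0 ]; then echo never; else echo reverted; fi
            return 0
        fi
        i=$((i + 1))
        sleep "$4"
    done
    echo held
}

# diagnose ROOT IFACE SAMPLES INTERVAL -> one summary line
diagnose() {
    printf '%s stack=%s monitor=%s\n' "$2" "$(stack_kind "$1" "$2")" "$(mode_holds "$1" "$2" "$3" "$4")"
}

# Constructed sample tree (not real sysfs): legacy ra0 in monitor mode,
# plus a cfg80211 pair of managed wlan0 and monitor mon0.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/class/net/ra0" "$d/class/net/wlan0/phy80211" "$d/class/net/mon0/phy80211"
    echo 803 > "$d/class/net/ra0/type"; echo 1 > "$d/class/net/wlan0/type"
    echo 803 > "$d/class/net/mon0/type"
    echo "$d"
}

# With an interface argument, sample the live /sys for 10 seconds.
if [ "$#" -ge 1 ]; then diagnose /sys "$1" 10 1; fi
```

A result of `stack=legacy monitor=reverted` matches the case described in the second answer: the driver put the interface itself into monitor mode and something turned it back off.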