Hi, I have a small WLAN and I am interested in capturing and storing all wireless traffic for later statistical analysis. The analysis will be conducted on the 802.11 layer 2 level. It is important to capture ALL wireless traffic going to and from the AP (control and management frames too). Googling and looking at previous questions here, I have concluded that one way to go is having a dedicated machine with a wireless card in promiscuous mode somewhere near the AP acting as a monitor node. Having a LAN with 10 wireless clients all doing network-intensive operations such as Skype, gaming and video streaming makes me doubt how reliable the results of this approach will be (that's only a speculation), i.e. there will be many lost packets or the monitor node will not be able to save all the traffic etc. Are there any alternatives, perhaps more reliable? Thanks in advance. asked 06 Jan '13, 22:42 BadAcidTrip
One Answer:
Well, commercial solutions do provide that functionality, but mostly in a setup with a WLAN controller. If you don't care about the AP, you could use OpenWrt or DD-WRT with one of the cheap WLAN routers/APs (Netgear, etc.). With *WRT you can ssh to the router/AP and capture traffic on the internal wlan interface.
Yes, that may happen, as the air is a shared medium for all APs, frequencies, channels, etc. So, there is no really reliable method of capturing traffic in a WLAN environment. Placing the capturing machine at x,y,z in space may work well. Placing it at x + 3 inch,y,z may not work at all, due to some interference. The best you can do:
But again: what is your problem? Why do you want to reliably capture everything? Do you think there is packet loss in your WLAN network? answered 07 Jan '13, 15:09 Kurt Knochner ♦ edited 07 Jan '13, 15:11
For doing what? Capturing the whole WLAN/Wi-Fi traffic, without missing packets?
Hm... what is your problem? Maybe there is another way to approach that problem.
Well, ideally I would like to store what the AP "reads and writes" which is all the wifi frames the AP receives and sends. I was hoping that special APs exist for maybe forwarding all their traffic to a port or something like special "managed switches"... you get the idea...
I noticed that what the monitor node sniffs is a superset of what the AP sees (because of the traffic of other APs in different channels etc.).
So my fear is that in a very populated neighborhood the traffic will be so much that nothing will be able to keep up with so many disk writes (maybe Wireshark will crash first).
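The thread leaves the reliability question open: the asker wants all management, control and data frames, and the answer notes that no over-the-air capture is guaranteed complete. One way to measure what a monitor node actually missed, as an added example that is not part of this thread and not written by either poster, is to walk the capture and look for gaps in each transmitter's 12-bit 802.11 sequence number; the script below does that on constructed sample frames (radiotap helper, MAC addresses and sequence values are all made up for the example).

```python
"""Added example (not from the thread): classify 802.11 frames by type and
estimate monitor-side loss from gaps in each transmitter's 12-bit sequence number."""
import struct
from collections import defaultdict

TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "extension"}

def strip_radiotap(pkt):
    """Monitor-mode pcaps prefix a radiotap header; its total length is a LE u16 at offset 2."""
    return pkt[struct.unpack_from("<H", pkt, 2)[0]:]

def parse_frame(frame):
    """Return (type, subtype, transmitter, seq_num) from an 802.11 MAC header."""
    fc = frame[0]                       # bits 2-3 = type, bits 4-7 = subtype
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype == 1:                      # control frames carry no sequence control field
        return ftype, subtype, None, None
    transmitter = frame[10:16].hex(":")            # address 2 = transmitter
    seq_ctrl = struct.unpack_from("<H", frame, 22)[0]
    return ftype, subtype, transmitter, seq_ctrl >> 4  # low 4 bits = fragment number

def summarize(frames):
    """Count frames per type and sum sequence gaps per transmitter. Caveat: QoS
    data frames keep one counter per TID, so track (transmitter, TID) for QoS streams."""
    counts, last_seq, missing = defaultdict(int), {}, defaultdict(int)
    for f in frames:
        ftype, _, tx, seq = parse_frame(f)
        counts[TYPE_NAMES[ftype]] += 1
        if seq is None:
            continue
        if tx in last_seq:
            gap = (seq - last_seq[tx] - 1) % 4096
            if 0 < gap < 2048:          # retry/reorder shows as a huge "gap"; not loss
                missing[tx] += gap
        last_seq[tx] = seq
    return dict(counts), dict(missing)

def make_frame(ftype, subtype, tx, seq):
    """Build a minimal MAC header for the constructed sample below."""
    fc = bytes([(subtype << 4) | (ftype << 2), 0])
    if ftype == 1:                      # e.g. ACK: frame control, duration, receiver only
        return fc + b"\x00\x00" + bytes.fromhex(tx.replace(":", ""))
    return (fc + b"\x00\x00" + b"\xff" * 6 + bytes.fromhex(tx.replace(":", ""))
            + bytes.fromhex("020000000001") + struct.pack("<H", seq << 4))

AP, STA = "02:00:00:00:00:01", "02:00:00:00:00:02"        # constructed addresses
SAMPLE = [make_frame(0, 8, AP, s) for s in (100, 101, 103)]  # beacons, seq 102 missing
SAMPLE += [make_frame(2, 0, STA, s) for s in (5, 6, 7)]      # data frames, complete
SAMPLE += [make_frame(1, 13, STA, 0)]                        # one ACK (control)
```

Run `summarize(strip_radiotap(p) for p in pcap_frames)` over real monitor-mode frames; a non-zero total in the second dict is the capture loss the thread worries about, measured rather than guessed.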