Hi so my laptop has a crap card with no monitoring mode but i have some very nifty mikrotiks is there anyway i can use the wirless on those in monitoring mode and the capture through the Ethernet interface i think it should work if i try and create a SPAN port on them and then use wireless sniffer on the wireless cards and plug into the SPAN (ether side) and see all the traffic at least that is my theory will this work? if there is another way please let me know asked 02 Nov '16, 07:45  Reynhard Wouda |
One Answer:
Mikrotik has its own flavour of remote capturing, which consists in prefixing each captured frame with a TZSP header and encapsulation of the result into a UDP packet. So unlike with port mirroring at L2, you can route the encapsulated captured frames over L3 network. Details are here, you can do the same using Webfig, yet I don't have access to any Mikrotik right now to give you a screenshot. If you take the advantage of routing the captured packets, think of not routing them via the interface on which you capture, and think of the bandwidth along the path between the Mikrotik and the machine where you run Wireshark - it's UDP so a dropped packet is lost forever. In general, captured wireless frames cannot be monitored on Ethernet port without modification because the frame header is different and because some important bits of information (RSSI, channel...) are not part of the frame. That's why radiotap, TZSP and other encapsulation headers are used. answered 02 Nov '16, 08:48  sindy edited 03 Nov '16, 01:22 |
