
How to capture wireless network packets

Conclusion:

Mac: airport, tcpdump

Windows: OmniPeek

Linux: tcpdump, airmon-ng

Capturing packets on Ethernet is easy; there is a pile of software for it: Wireshark, Ethereal, Sniffer Pro, you name it. Wireless packets are a bit more trouble, though. I went through a heap of long-winded articles online that went round in circles, when in fact capturing wireless packets takes a single command.

On Windows the wireless NIC driver refuses to enter promiscuous mode, so it is a pain; people generally use OmniPeek for this, and I won't go into detail.

Linux and Mac are much more convenient. tcpdump is all you need, and most systems ship with it. The argument to the final -i option is the name of the network device you want to capture on; on a Mac the default Wi-Fi card is en0.

<code>tcpdump -Ine -i en0</code>

The key is the -I option, which puts the card into monitor mode.

<code>-I: Put the interface in "monitor mode"; this is supported only on IEEE 802.11 Wi-Fi interfaces, and supported only on some operating systems.</code>

Once it is in monitor mode, the wireless card used for monitoring can no longer be used to get online, so consider buying an external wireless card for capturing; then you can browse and capture at the same time.

A capture lets you get up to plenty of mischief: on a WEP network a few captured IV packets are enough for aircrack to crack the key, and on a WPA network a single captured handshake lets you run a dictionary against the wireless password. If you are on the same network you can also see all sorts of unencrypted traffic... dirty pictures, private photos, that kind of thing...

Suppose I already know a phone's MAC address; then simply

<code>tcpdump -Ine -i en0 | grep $mac_address</code>

filters out the Wi-Fi traffic involving that phone.

For the details of the individual frame types, see the 802.11 standard, "802.11 Wireless Networks: The Definitive Guide", and so on.

While we're at it, the difference between promiscuous mode and monitor mode:

Promiscuous mode: receive every packet on the same network, whether or not it is addressed to you.

Monitor mode: receive every packet being transmitted on a given physical channel.
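As an added example (not part of the original post), here is a small Python parser that does the same job as the grep pipeline above, but on the raw radiotap + 802.11 frames a monitor-mode capture produces: it reads the frame control field, works out which address fields (addr1..addr4) exist for that frame type, and matches the station MAC only against those fields rather than against any text on the line. The radiotap header, frames and MAC addresses below are constructed for the example.

```python
import struct

# 802.11 Type field (2 bits) and the control-frame subtypes that carry a second address
FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
CTRL_WITH_ADDR2 = {8, 9, 10, 11, 14, 15}  # BAR, BA, PS-Poll, RTS, CF-End, CF-End+CF-Ack

def parse_monitor_frame(buf):
    """Parse one monitor-mode capture record: radiotap header + 802.11 MAC header.
    Returns type/subtype, the ToDS/FromDS flags and whichever address fields exist."""
    rt_ver, _, rt_len = struct.unpack_from("<BBH", buf, 0)  # radiotap: version, pad, length (LE)
    if rt_ver != 0 or rt_len + 10 > len(buf):
        raise ValueError("truncated or non-radiotap record")
    f = buf[rt_len:]
    fc, = struct.unpack_from("<H", f, 0)  # frame control field, little-endian
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    mac = lambda off: ":".join(f"{b:02x}" for b in f[off:off + 6])
    rec = {"type": FRAME_TYPES.get(ftype, "reserved"), "subtype": subtype,
           "to_ds": to_ds, "from_ds": from_ds, "addr1": mac(4)}
    if ftype != 1 or subtype in CTRL_WITH_ADDR2:  # most control frames stop after addr1
        rec["addr2"] = mac(10)
    if ftype != 1:                                # management and data frames carry addr3
        rec["addr3"] = mac(16)
    if ftype == 2 and to_ds and from_ds:          # 4-address (WDS) data frame
        rec["addr4"] = mac(24)
    return rec

def involves_mac(rec, mac):
    """True when the station MAC appears in any address field of the parsed frame."""
    mac = mac.lower()
    return any(rec.get(k) == mac for k in ("addr1", "addr2", "addr3", "addr4"))

def filter_by_mac(records, mac):
    """Like `grep $mac_address` on the page, but matching only real address fields."""
    parsed = [parse_monitor_frame(r) for r in records]
    return [rec for rec in parsed if involves_mac(rec, mac)]

# Constructed sample records (not real captures): an 8-byte radiotap header with no
# optional fields, followed by the 802.11 MAC header; the FCS is omitted.
RADIOTAP = bytes([0, 0, 8, 0, 0, 0, 0, 0])
def _mac(s): return bytes.fromhex(s.replace(":", ""))
PHONE, AP, DST = "11:22:33:44:55:66", "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"
# Data frame with ToDS=1: addr1=BSSID, addr2=SA (the phone), addr3=DA, then seq ctrl + LLC
DATA_FROM_PHONE = RADIOTAP + b"\x08\x01\x00\x00" + _mac(AP) + _mac(PHONE) + _mac(DST) + b"\x10\x00\xaa\xaa\x03"
# Beacon (management subtype 8) from the AP to the broadcast address
BEACON = RADIOTAP + b"\x80\x00\x00\x00" + _mac("ff:ff:ff:ff:ff:ff") + _mac(AP) + _mac(AP) + b"\x00\x00"
# ACK (control subtype 13) addressed to the phone: only addr1 exists
ACK_TO_PHONE = RADIOTAP + b"\xd4\x00\x00\x00" + _mac(PHONE)

if __name__ == "__main__":
    for rec in filter_by_mac([DATA_FROM_PHONE, BEACON, ACK_TO_PHONE], PHONE):
        print(rec["type"], rec["subtype"], rec.get("addr2"), "->", rec["addr1"])
```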

RFMON

RFMON is short for Radio Frequency MONitoring mode and is sometimes also described as monitor mode or raw monitoring mode. In this mode an 802.11 wireless card is in listening mode ("sniffer" mode). The wireless card does not have to associate to an access point or ad-hoc network but can passively listen to all traffic on the channel it is monitoring. Also, the wireless card does not require the frames to pass CRC checks and forwards all frames (corrupted or not, with 802.11 headers) to upper level protocols for processing. This can come in handy when troubleshooting protocol issues and bad hardware.

RFMON/Monitor mode vs. Promiscuous mode

Promiscuous mode in wired and wireless networks instructs a wired or wireless card to process any traffic regardless of the destination MAC address. In wireless networks promiscuous mode requires that the wireless card be associated to an access point or ad-hoc network. While in promiscuous mode a wireless card can transmit and receive but will only capture traffic for the network (SSID) to which it is associated.

RFMON mode is only possible for wireless cards and does not require the wireless card to be associated to a wireless network. While in monitor mode the wireless card can passively monitor traffic of all networks and devices within listening range (SSIDs, stations, access points). In most cases the wireless card is not able to transmit and does not follow the typical 802.11 protocol when receiving traffic (i.e. transmit an 802.11 ACK for a received packet). Both modes have to be supported by the driver of the wired or wireless card.

Also, while looking into capture tools, I found a very handy command-line tool on the Mac, airport, which can capture packets and fiddle with the MacBook's Wi-Fi.

It lives at

<code>/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport</code>

You can create a symbolic link to make it easier to use:

<code>sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/sbin/airport</code>

Commonly used commands:

Show current network information: <code>airport -I</code>

Scan for nearby wireless networks: <code>airport -s</code>

Disconnect from the current wireless network: <code>airport -z</code>

Force a specific wireless channel: <code>airport -c$channel</code>

Capture wireless packets, optionally on a specific channel:

<code>airport en0 sniff [$channel]</code>

The capture is written to /tmp/airportSniffXXXXX.cap, which tcpdump, tshark, Wireshark and the like can read.

The most practical feature is still scanning for nearby wireless networks.
