Wireshark extcap interface for remote wireless captures.
Wireshark extcap interface for remote wireless captures using a Linux device.
This extcap interface is essentially a wrapper around the sshdump extcap interface that adds options specific to wireless captures. For example, when capturing Wi-Fi traffic you can choose the channel and channel width to capture on. It also hides the remote capture command from the user, so there is no need to type a complex tcpdump invocation for every capture.
The wlandump extcap interface currently provides two capture interfaces, Wi-Fi and Zigbee, each with its own set of options. The wifidump interface performs remote Wi-Fi captures on a specific channel and channel width using a Linux device with a Wi-Fi adapter that can be put into monitor mode. The zbdump interface performs remote Zigbee captures using a Linux device with a TI CC2531 USB dongle.
The wlandump extcap interface requires the sshdump extcap interface, which is not installed by default on Windows. When installing Wireshark on Windows, select SSHdump as one of the components to install. Wireshark on Windows only launches executables and batch files from the extcap folder, so the Python script needs a small batch wrapper:

1. Copy wlandump to C:\Program Files\Wireshark\extcap\
2. Create wlandump.bat in the same C:\Program Files\Wireshark\extcap\ directory with the following content:

@echo off
<PATH_TO_PYTHON_INTERPRETER> <PATH_TO_WLANDUMP> %*

where <PATH_TO_PYTHON_INTERPRETER> is the path to the Python executable and <PATH_TO_WLANDUMP> is the path to the wlandump extcap interface script. For example:

@echo off
"C:\Program Files (x86)\Python37-32\python.exe" "C:\Program Files\Wireshark\extcap\wlandump" %*
On macOS, copy wlandump to /Applications/Wireshark.app/Contents/MacOS/extcap/ and make it executable:

$ chmod +x /Applications/Wireshark.app/Contents/MacOS/extcap/wlandump

On Linux the steps are the same as for macOS; the only difference is the directory to copy wlandump to. To find the correct path, open Help -> About Wireshark and look at the Folders tab, which lists the global and personal extcap paths.

Launch Wireshark and verify that the capture interfaces provided by the wlandump extcap interface are listed.

Note: You will have to reinstall the wlandump extcap interface on your computer each time you update Wireshark. The Wireshark installer doesn't preserve third-party extcap interfaces added to the extcap folder.
The wifidump capture interface performs remote Wi-Fi captures on a specific channel and channel width using a Linux device with a Wi-Fi adapter that can be put into monitor mode.

The wifidump capture interface uses tcpdump as the remote tool for Wi-Fi captures. Make sure the SSH user can run tcpdump remotely without root privileges. One way is to restrict the tcpdump binary to a dedicated group and give it the capabilities it needs as file capabilities instead of running it as root. For example:

$ sudo groupadd pcap
$ sudo usermod -a -G pcap USERNAME
$ sudo chgrp pcap /usr/sbin/tcpdump
$ sudo chmod 750 /usr/sbin/tcpdump
$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

where USERNAME is the SSH user for connecting remotely. The new group membership takes effect at the user's next login. On some distributions tcpdump lives in /usr/bin rather than /usr/sbin, so adjust the path accordingly. To confirm the setup, log in over SSH as USERNAME and run a short capture without sudo; getcap on the tcpdump binary should list the two capabilities. Keep in mind that every member of the pcap group can now capture all traffic on the device, so add only the users that need it.
The interface also requires the ip and iw command line utilities to put the Wi-Fi adapter into monitor mode and set the desired channel and channel width. Make sure both utilities are installed and then create the file /etc/sudoers.d/wifidump with the following content:

USERNAME ALL = (root) NOPASSWD: /sbin/ip, /usr/sbin/iw

where USERNAME is, again, the SSH user for connecting remotely. On some systems ip and iw are installed elsewhere (for example /usr/bin/ip), so adjust the paths accordingly; sudo matches the full path, so a wrong path simply means the rule never applies. Check the file with visudo -cf before logging out, and keep it owned by root with mode 0440; sudo ignores files in /etc/sudoers.d whose names contain a dot or end with a tilde. Note that this rule lets USERNAME run ip with any arguments as root, and ip netns exec runs an arbitrary command, so treat that user as root-equivalent on the capture device (or narrow the rule to the exact ip and iw argument forms the capture uses).
Note: All 802.11 channels are listed in the interface options, but the Wi-Fi adapter on the remote device may support only a subset of them. If you choose a channel the adapter doesn't support, or a channel width that doesn't apply to the selected channel (for example a 40 MHz width whose secondary channel would fall outside the band), the capture fails.
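The remote side of a wifidump-style capture is a short shell sequence: ip and iw put the adapter into monitor mode and tune it, then tcpdump streams pcap to stdout for sshdump to read. The following is an added example (not wlandump's own code) that builds that sequence and rejects the channel/width combinations the note above warns about before anything is sent to the remote device. The width names, the interface-name check and the exact ip/iw/tcpdump forms are this example's assumptions; which channels an adapter can actually tune to is decided by its driver and regulatory domain.

```python
import re
import shlex

# 5 GHz channels this example knows (UNII-1, UNII-2, UNII-2e, UNII-3). Which of
# these the adapter can tune to depends on its regulatory domain; 6 GHz is not
# handled. The width names (HT20, HT40+, HT40-, 80MHz) are this example's own.
FIVE_GHZ_CHANNELS = frozenset(
    list(range(36, 65, 4)) + list(range(100, 145, 4)) + list(range(149, 166, 4))
)
# Linux interface names are at most 15 characters; anything else is rejected
# before it gets anywhere near the remote shell.
IFACE_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")


def channel_to_freq(channel: int) -> int:
    """Center frequency in MHz of a 2.4 GHz or 5 GHz channel."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    if channel in FIVE_GHZ_CHANNELS:
        return 5000 + 5 * channel
    raise ValueError(f"unsupported channel {channel}")


def _secondary_ok(channel: int, width: str) -> bool:
    """Whether a 40 MHz channel exists with this primary and direction.

    The secondary channel sits 20 MHz (four channel numbers) above the primary
    for HT40+ or below it for HT40-. In 2.4 GHz it only has to stay within
    1..13; in 5 GHz the lower channel of each fixed pair (36/40, 44/48, ...)
    takes HT40+ and the upper one HT40-. Channels 14 and 165 have no partner.
    """
    if channel <= 13:
        return channel + 4 <= 13 if width == "HT40+" else channel - 4 >= 1
    if channel in (14, 165):
        return False
    base = 149 if channel >= 149 else 36
    lower = (channel - base) % 8 == 0
    return lower if width == "HT40+" else not lower


def iw_width_args(channel: int, width: str) -> str:
    """Trailing arguments for 'iw dev <dev> set freq <freq> ...' for this width."""
    channel_to_freq(channel)  # raises if the channel itself is unknown
    if width == "HT20":
        return "HT20"
    if width in ("HT40+", "HT40-"):
        if not _secondary_ok(channel, width):
            raise ValueError(f"{width} has no secondary channel for channel {channel}")
        return width
    if width == "80MHz":
        # iw takes the bandwidth and the center frequency of the 80 MHz block;
        # blocks start at 36, 52, 100, 116, 132 and 149, and the center is
        # 30 MHz above the block's lowest channel.
        for base in (36, 52, 100, 116, 132, 149):
            if base <= channel <= base + 12:
                return f"80 {channel_to_freq(base) + 30}"
        raise ValueError(f"channel {channel} is not part of an 80 MHz block")
    raise ValueError(f"unknown width {width!r}")


def is_valid_combination(channel: int, width: str) -> bool:
    """True if the channel/width pair can be expressed for iw at all."""
    try:
        iw_width_args(channel, width)
    except ValueError:
        return False
    return True


def build_remote_capture_command(iface: str, channel: int, width: str = "HT20") -> str:
    """Shell command for the remote device: enter monitor mode, tune, stream pcap.

    sshdump hands this string to the remote user's login shell, so the interface
    name is validated and quoted instead of being interpolated as typed.
    """
    if not IFACE_RE.match(iface):
        raise ValueError(f"bad interface name {iface!r}")
    dev = shlex.quote(iface)
    tune = f"{channel_to_freq(channel)} {iw_width_args(channel, width)}"
    return " && ".join([
        f"sudo ip link set {dev} down",         # most drivers need the link down
        f"sudo iw dev {dev} set type monitor",  # before switching to monitor mode
        f"sudo ip link set {dev} up",
        f"sudo iw dev {dev} set freq {tune}",
        f"tcpdump -i {dev} -U -w -",            # pcap to stdout, packet-buffered
    ])


if __name__ == "__main__":
    print(build_remote_capture_command("wlan0", 36, "80MHz"))
```

The string this produces is the kind of value sshdump accepts as its remote capture command; the sudo entries in it are exactly why the ip and iw sudoers rule is needed, while tcpdump runs as the SSH user thanks to the pcap group and file capabilities.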
- Go to the Server tab and enter the remote SSH server address, e.g. 192.168.42.1.
Note: The password is not saved, so to avoid entering it each time you start a capture, set up key-based (passwordless) SSH authentication for USERNAME on the remote device.
The zbdump capture interface uses whsniff as the remote tool for Zigbee captures with the TI CC2531 USB dongle. To install whsniff on the remote Linux device, first install libusb-1.0-0-dev:

$ sudo apt-get install libusb-1.0-0-dev

then download, build and install whsniff (the release archive is fetched over HTTPS from the project's GitHub repository; keep the version pinned as shown, since the resulting binary will run as root via sudo):

$ curl -L https://github.com/homewsn/whsniff/archive/v1.1.tar.gz | tar zx
$ cd whsniff-1.1
$ make
$ sudo make install

Then create the file /etc/sudoers.d/zbdump with the following content:

USERNAME ALL = (root) NOPASSWD: /usr/local/bin/whsniff, /usr/bin/killall /usr/local/bin/whsniff

where USERNAME is the SSH user for connecting remotely. The second entry only permits killall with that exact argument, so the capture can be stopped without granting a general permission to kill root's processes. Check the file with visudo -cf before logging out, keep it owned by root with mode 0440, and adjust the killall path if your system installs it elsewhere.
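Both sudoers files above (the ip/iw rule for wifidump and the whsniff/killall rule for zbdump) grant root for a handful of commands, and the difference between an entry with fixed arguments and one without is what decides how much the SSH user can really do. The following is an added example, not part of wlandump, that audits rules written in the simple one-line form this README uses (user host = (runas) TAG: cmd[, cmd ...]; aliases, negations and wildcards are out of scope) and flags entries that are broader than the capture needs. The user name "alice" and the concatenated sample file are constructed for the example.

```python
import re
from dataclasses import dataclass

# Binaries that turn "any arguments as root" into an arbitrary root command.
# Only the case that matters for the rules in this README is listed.
ROOT_ESCAPES = {
    "ip": "'ip netns exec <ns> <command>' runs any command as root",
}

# user host = (runas) TAG: cmd[, cmd ...]; aliases, '!' and wildcards are not handled.
RULE_RE = re.compile(
    r"^\s*(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+?)\s*$"
)


@dataclass(frozen=True)
class Finding:
    user: str
    command: str
    severity: str  # "high": arbitrary root command; "medium": unrestricted arguments
    reason: str


def parse_rule(line: str):
    """Split one rule into (user, runas, tags, [(path, args), ...]) or None."""
    first = line.split(None, 1)[0] if line.strip() else ""
    if not first or first.startswith("#") or first == "Defaults" or first.endswith("_Alias"):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    tags = {t.strip(": ") for t in re.findall(r"[A-Z]+:", m["tags"])}
    cmds = []
    for entry in m["cmds"].split(","):
        parts = entry.strip().split(None, 1)
        if parts:
            cmds.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return m["user"], (m["runas"] or "root"), tags, cmds


def audit_sudoers(text: str) -> list:
    """Return a Finding for every command entry that is broader than it needs to be."""
    findings = []
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        user, runas, tags, cmds = parsed
        nopasswd = "NOPASSWD" in tags
        for path, args in cmds:
            name = path.rsplit("/", 1)[-1]
            if path == "ALL":
                findings.append(Finding(user, path, "high", f"any command as {runas}"))
            elif args == "" and name in ROOT_ESCAPES:
                findings.append(Finding(user, path, "high", ROOT_ESCAPES[name]))
            elif args == "":
                why = f"runs as {runas} with any arguments"
                if nopasswd:
                    why += " and without a password"
                findings.append(Finding(user, path, "medium", why))
            # An entry with fixed arguments (e.g. killall <one path>) is left alone.
    return findings


# Constructed sample: the wifidump and zbdump rules from this README for user "alice".
SAMPLE_SUDOERS = """\
# /etc/sudoers.d/wifidump and /etc/sudoers.d/zbdump, concatenated
alice ALL = (root) NOPASSWD: /sbin/ip, /usr/sbin/iw
alice ALL = (root) NOPASSWD: /usr/local/bin/whsniff, /usr/bin/killall /usr/local/bin/whsniff
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f.severity:6} {f.user} {f.command}: {f.reason}")
```

Run against the two README rules, the audit reports the unrestricted ip entry as high (it is a root shell for USERNAME), iw and whsniff as medium (any arguments, no password), and nothing for the killall entry because its argument is fixed. Tightening the medium findings means listing the argument forms the capture actually issues, which is something to take from the remote commands observed in practice rather than to guess.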
Note: As with wifidump, the password is not saved; set up key-based (passwordless) SSH authentication for USERNAME to avoid entering it each time you start a capture.