Ethereal-users: RE: [Ethereal-users] reading 802.11b data

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Joshua Wright" <Joshua.Wright@xxxxxxx>
Date: Fri, 8 Nov 2002 08:01:00 -0500
> From: darren [mailto:teodarren@xxxxxxxxxxxxx]
> 
> I am not sure what you mean by "not able to read the data 
> collected..."

I think he meant he did not see the traffic he generated, but was able to see other traffic on the network.  Assuming that...

> I recently installed Kismet and ethereal on my laptop and wanted to test it 
> out on my new wireless network (not currently using WEP but I will

Make sure you are opening the Kismet-XXX.dump file, and not Kismet-XXX.weak.  The .dump file will contain whatever data Kismet captures (as constrained by the kismet.conf settings), whereas the .weak file will only contain "interesting" traffic that has weak IV values, for later feeding into AirSnort or another WEP-cracking tool.  You indicated you are not running WEP (not a wise decision, IMHO - Lance Spitzner will tell you it takes about 15 minutes for a new RedHat machine to get rooted, how long will it take your network?), but you may be picking up traffic from another nearby network.

> ethereal. To my surprise I was not able to read the data I collected from my 
> experiment (data being, web sites, emails written, etc.), but I was able
> to view all of the frames header information. I tried viewing the data
> using the "Follow TCP Stream" which didn't work. I would greatly appreciate 
> anyone's help in the matter.

Depending on what type of wireless card you are using, Kismet will use channel hopping to gather information on channels 1-11, or higher if you specify (and have a card that will support 12, 13 and/or 14).  Some older Cisco cards also had a tendency to "lock in" on a specific channel that they sense has the most signal strength.  Your WLAN traffic may not have been on the channel you were listening on.  I would try this test:

# tethereal -i eth1 -x ip

Assuming eth1 is your wireless interface and you are using IP, you should see some traffic on your network.

You don't *need* Kismet to capture WLAN traffic for your analysis in Ethereal - tethereal or tcpdump will do fine.  Kismet makes it easy for you to use RFMON monitoring with kismet_monitor and kismet_hopper, but if you are just interested in proving to yourself that other people can capture your e-mail, this test should be adequate.

-Joshua Wright
Team Leader, Networks and Systems
Johnson & Wales University
Joshua.Wright@xxxxxxx 
http://home.jwu.edu/jwright/

pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73
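Added example (not part of Joshua's message or of Kismet/Ethereal): a small parser that reads a Kismet-style .dump and reports what is actually in it, so you can check the three things discussed above before opening it in Ethereal: which BSSIDs and channels the beacons advertise (to spot the channel-hopping problem), how many data frames carry the WEP/Protected bit versus cleartext, and how many WEP IVs have the classic FMS weak form. Assumptions: the .dump is a plain little-endian pcap with link type 105 (raw 802.11, no prism header), the frames and MAC addresses are constructed sample data, and fms_weak_iv() uses the textbook (A+3, 0xFF, X) pattern as an approximation of, not a copy of, the filter Kismet and AirSnort apply when writing the .weak file.

```python
"""Constructed example: classify frames in a Kismet-style .dump (pcap, DLT 105)."""
import struct

DLT_IEEE802_11 = 105      # raw 802.11 frames, no prism header (assumption about the .dump)
PCAP_MAGIC = 0xA1B2C3D4

AP    = bytes.fromhex("00095b112233")   # constructed BSSID
STA   = bytes.fromhex("000c41445566")   # constructed client MAC
BCAST = b"\xff" * 6

def build_pcap(frames, linktype=DLT_IEEE802_11):
    """Serialize frames into a little-endian pcap v2.4 file (constructed sample)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1036761600 + i, 0, len(f), len(f)) + f
    return out

def dot11(fc0, fc1, a1, a2, a3, body):
    """Minimal 802.11 MAC header: frame control, duration, addr1-3, seq ctrl."""
    return bytes([fc0, fc1]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00" + body

def beacon(ssid, channel):
    """Beacon (type 0, subtype 8) whose DS Parameter Set IE (id 3) carries the channel."""
    ies = bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82]) + bytes([3, 1, channel])
    return dot11(0x80, 0x00, BCAST, AP, AP, b"\x00" * 8 + struct.pack("<HH", 100, 1) + ies)

def data_clear(payload):
    """Data frame, FromDS, no Protected bit: LLC/SNAP + IPv4 payload in the clear."""
    return dot11(0x08, 0x02, STA, AP, STA, bytes.fromhex("aaaa030000000800") + payload)

def data_wep(iv, ciphertext):
    """Data frame, FromDS | Protected (WEP): 3-byte IV, key id byte, then ciphertext."""
    return dot11(0x08, 0x42, STA, AP, STA, iv + b"\x00" + ciphertext)

def fms_weak_iv(iv):
    """Textbook FMS weak-IV form (A+3, 0xFF, X); approximates AirSnort's filter (assumption)."""
    return 3 <= iv[0] <= 15 and iv[1] == 0xFF

def parse_pcap(data):
    """Return (linktype, [frame bytes]) from a little-endian pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap")
    linktype, = struct.unpack_from("<I", data, 20)
    off, frames = 24, []
    while off + 16 <= len(data):
        incl_len, = struct.unpack_from("<I", data, off + 8)
        frames.append(data[off + 16: off + 16 + incl_len])
        off += 16 + incl_len
    return linktype, frames

def summarize(data):
    """Count beacons (BSSID -> SSID, channel), cleartext data, WEP data and FMS-weak IVs."""
    linktype, frames = parse_pcap(data)
    s = {"linktype": linktype, "frames": len(frames), "bss": {},
         "data_clear": 0, "data_wep": 0, "weak_iv": 0}
    if linktype != DLT_IEEE802_11:
        return s          # e.g. DLT 1 Ethernet: not an RFMON capture, no 802.11 headers to parse
    for f in frames:
        if len(f) < 24:
            continue
        ftype, subtype, flags = (f[0] >> 2) & 3, f[0] >> 4, f[1]
        if ftype == 0 and subtype == 8:                  # beacon: BSSID is addr3
            bssid, off, ssid, chan = f[16:22].hex(), 24 + 12, "", None
            while off + 2 <= len(f):                     # walk the information elements
                eid, elen = f[off], f[off + 1]
                val = f[off + 2: off + 2 + elen]
                if eid == 0:
                    ssid = val.decode("ascii", "replace")
                elif eid == 3 and elen == 1:
                    chan = val[0]
                off += 2 + elen
            s["bss"][bssid] = (ssid, chan)
        elif ftype == 2:                                  # data frame
            if flags & 0x40:                              # Protected (WEP) bit set
                s["data_wep"] += 1
                if fms_weak_iv(f[24:27]):
                    s["weak_iv"] += 1
            else:
                s["data_clear"] += 1
    return s

SAMPLE = build_pcap([                                     # constructed sample capture
    beacon(b"homenet", 6),
    data_clear(b"\x45\x00\x00\x14" + b"\x00" * 16),       # IPv4 header stub, readable in Ethereal
    data_wep(b"\x04\xff\x21", b"\xde\xad\xbe\xef"),       # weak IV: would land in the .weak file
    data_wep(b"\x10\x20\x30", b"\xca\xfe\xba\xbe"),       # ordinary IV
])

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run it against a real .dump by replacing SAMPLE with open("Kismet-XXX.dump", "rb").read(). If the link type comes back as 1 (Ethernet) the capture was taken without RFMON and carries no 802.11 headers at all; if the only BSSIDs listed sit on a channel other than yours, the hopper spent its time elsewhere; and if data_clear is zero while data_wep is not, Ethereal's "Follow TCP Stream" has nothing to reassemble because the payloads are still WEP ciphertext.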