无线抓包进程

[caiwang]

Issue by unissoft-bj Tuesday Feb 17, 2015 at 23:07 GMT Originally opened as https://github.com/caiwang/ihostsrc/issues/31

---

概述

1，启动 /usr/bin/wlcap 抓包

root@ihost:~# ls /usr/bin/wlcap -l -rwxr-xr-x 1 root root 239172 Nov 20 16:56 /usr/bin/wlcap

2，wlcap抓到的包，写入的named pipe中，一个packet一行

/bin/sh -c wlcap -l -i mon.wlan0 -f "subtype assoc-resp or subtype reassoc-resp or subtype probe-req or subtype disassoc" -T fields -E separator=, -E quote=d -e frame.time -e frame.protocols -e radiotap.dbm_antsignal -e ppi.80211-common.dbm.antsignal -e wlan.fc.type_subtype -e wlan.da -e wlan.sa -e wlan.bssid -e wlan_mgt.ssid > /home/pktpipe

3，python代码从named pipe中读取抓到的包，一次读一行；处理后写入到数据库表中。由于无线数据包非常密集，因此建立一个list，记录每个mac的上次写入数据库的时间（ignore list），ignore list中的包直接丢弃，不进入数据库；定期更新ignore list

[caiwang]

Comment by unissoft-bj Tuesday Feb 17, 2015 at 23:10 GMT

---

实例

wlcap -l -i mon.wlan0 -f "subtype assoc-resp or subtype reassoc-resp or subtype probe-req or subtype disassoc" -T fields -E separator=, -E quote=d -e frame.time -e frame.protocols -e radiotap.dbm_antsignal -e ppi.80211-common.dbm.antsignal -e wlan.fc.type_subtype -e wlan.da -e wlan.sa -e wlan.bssid -e wlan_mgt.ssid

"Feb 18, 2015 07:03:23.815041000","radiotap:wlan","-89",,"0x04","ff:ff:ff:ff:ff:ff","8c:be:be:f3:d7:2f","ff:ff:ff:ff:ff:ff","FTYX" "Feb 18, 2015 07:03:23.876057000","radiotap:wlan","-87",,"0x04","ff:ff:ff:ff:ff:ff","8c:be:be:f3:d7:2f","ff:ff:ff:ff:ff:ff","Tenda_F1CEA8" "Feb 18, 2015 07:03:32.809446000","radiotap:wlan","-57",,"0x04","ff:ff:ff:ff:ff:ff","00:73:e0:67:42:e2","ff:ff:ff:ff:ff:ff","OFfice" "Feb 18, 2015 07:03:32.811594000","radiotap:wlan","-57",,"0x04","ff:ff:ff:ff:ff:ff","00:73:e0:67:42:e2","ff:ff:ff:ff:ff:ff", "Feb 18, 2015 07:03:34.065897000","radiotap:wlan","-63",,"0x04","ff:ff:ff:ff:ff:ff","00:73:e0:67:42:e2","ff:ff:ff:ff:ff:ff","OFfice" "Feb 18, 2015 07:03:34.126605000","radiotap:wlan","-71",,"0x04","ff:ff:ff:ff:ff:ff","00:73:e0:67:42:e2","ff:ff:ff:ff:ff:ff","OFfice" "Feb 18, 2015 07:03:34.141235000","radiotap:wlan","-69",,"0x04","ff:ff:ff:ff:ff:ff","00:73:e0:67:42:e2","ff:ff:ff:ff:ff:ff", "Feb 18, 2015 07:03:54.093629000","radiotap:wlan","-59",,"0x04","ff:ff:ff:ff:ff:ff","00:73:e0:67:42:e2","ff:ff:ff:ff:ff:ff", "Feb 18, 2015 07:03:54.929483000","radiotap:wlan","-65",,"0x04","7c:dd:90:21:7e:b1","00:73:e0:67:42:e2","7c:dd:90:21:7e:b1","ihost" "Feb 18, 2015 07:03:54.937008000","radiotap:wlan",,,"0x01","00:73:e0:67:42:e2","7c:dd:90:21:7e:b1","7c:dd:90:21:7e:b1", "Feb 18, 2015 07:03:54.939910000","radiotap:wlan",,,"0x01","00:73:e0:67:42:e2","7c:dd:90:21:7e:b1","7c:dd:90:21:7e:b1", "Feb 18, 2015 07:03:57.119708000","radiotap:wlan","-63",,"0x04","ff:ff:ff:ff:ff:ff","00:73:e0:67:42:e2","ff:ff:ff:ff:ff:ff","ihost"

[caiwang]

Comment by unissoft-bj Tuesday Feb 17, 2015 at 23:21 GMT

---

配置参数

iftype : 抓包interface类型，local-ihost本地interface remote-Ruckus rpcap远程接口 host : 如果iftype=remote，此参数为ruckus ap的ip地址 ifname : interface name，local对应mon.wlan0/mon0，remote对应wlan100 pktpiep : 抓包结果写入的pipe

与ruckus ap配套远程抓包的应用，目前一个ihost只对一个ruckus ap。新版本应考虑一个ihost对多个ruckus ap的情况，开多个wlcap抓包进程，每个进程对一个ruckus ap，结果写入到（多个）pktpipe

[caiwang]

Comment by unissoft-bj Tuesday Feb 17, 2015 at 23:54 GMT

---

wdog.py

https://github.com/unissoft-bj/ihost/blob/master/wlcap/wdog.py

抓包进程的状态

[caiwang]

Comment by unissoft-bj Wednesday Feb 18, 2015 at 00:01 GMT

---

wdog.py每5分钟运行一次

/5 * * * \ sudo python /root/wdog.py &

时间太短的话，有可能出现多个重复的进程 ihost重启后，大概要5分钟才能抓到包

新版功能增强： 1，远程抓包时，可启动多个wlcap进程，每个进程对应到一个ruckus ap 2，传递pktpipe参数，及状态给后续处理进程 3，如果在给定时间（5 sceonds）内没有抓到包，则重启对应的wlcap进程。重启进程对pipe的影响？读pipe的进程是否要重启（读pipe进程重启会出现broken pipe，写pipe进程重启好像不影响） 4，每个wlcap进程可以独立turn on，turn off

另外network visit recorder进程 ndog.py与wdog.py过程差不多，是否可以合并 config.xml -- configact.xml wdog.py -- ndog.py rdpp.py -- nlogger.py 二者抓包的interface不同，写入的数据库表不同，处理过程有区别。但抓包到pipe方式是一致的

[caiwang]

Comment by caiwang Saturday Feb 21, 2015 at 11:09 GMT

---

网址访问记录

[caiwang]

Comment by michaelyin Sunday Feb 22, 2015 at 02:19 GMT

---

1. mon.wlan 0 might only capture data from one channel?
2. mon0 can capture more data?

it seems both mon.wlan0 and mon0 capture data on one channel http://wiki.wireshark.org/CaptureSetup/WLAN#A802.11_Filter_.28Modes.29 However, special measuring network adapters might be available to capture on multiple channels at once. In monitor mode the SSID filter mentioned above is disabled and all packets of all SSID's from the currently selected channel are captured.

https://forums.hak5.org/index.php?/topic/27245-scan-with-airodump-ng/ if you do airpdump-ng mon.wlan0 it is stuck on one channel

实测结果：

用笔记本电脑不断发送probe request 0x04（500ms一次，发送360次，中间停顿1分钟，重复3次）

实际上笔记本电脑的无线网卡，差不多是3~4秒钟能发送一次；实际上发送约150次 A:在channel 10上发送; B:在channel 1上发送 a, mon.wlan0工作在channel 4上; b, mon.wlan0工作在channel 6上

mon.wlan0接收情况（A接收到约150次;B:接收到约145次）

mon0接收情况（A接收到约150次;B:接收到约145次）

结论：

对probe request packet而言，mon0, mon.wlan0接收情况差不多；mon.wlan0的工作channel对抓包影响不大

从抓包pkttime看，mon0抓到的包与mon.wlan0抓到的包，pkttime不同，由此推测probe request packet是全频道发送的，即station会在全部频点发送一次

由此推测目前所抓的802.11 management or control packets（0x00,0x01,0x02,0x03,0x04,0x05），都具有全频道的特性，mon0/mon.wlan0，以及无线网卡的工作频点，对抓包结果没有影响

抓regular network data packet必须对应上频点。目前ihost并不抓取regular network data packet

可以确认probe request是全频道发送，其他类型的packet，response类型的包不确定

https://supportforums.cisco.com/document/101431/80211-sniffer-capture-analysis-management-frames-and-open-auth

[caiwang]

Comment by michaelyin Sunday Feb 22, 2015 at 03:37 GMT

---

1. add a log to log exceptions in the code;
2. increase the reliability in condition that there is exception in the program.

[caiwang]

Comment by michaelyin Sunday Feb 22, 2015 at 03:40 GMT

---

python logging best practice: http://victorlin.me/posts/2012/08/26/good-logging-practice-in-python

[caiwang]

Comment by michaelyin Monday Feb 23, 2015 at 07:11 GMT

---

1. wlpkt is only kept on ihost.
2. wlsta is uploaded to iserver every 10 or seconds based on some rules.
3. authclient and authmac can be removed.