there is no place like ~

Network Traffic Sniffing with Tshark

The program Wireshark is a popular application to sniff and analyse network traffic. A less widely known program is Tshark, which is part of the Wireshark distribution. It can sniff network packets, post-process them and output the results in text format. The last feature in particular makes this tool very useful for analysing big sniffer traces or for use in scripts.

Configuring a network interface in sniffing mode

A network interface needs to be put into monitor mode for sniffing. This is done with the iwconfig or the iw command. Note that the interface needs to be down before it can be put into monitor mode.

To configure a WiFi interface for sniffing, use the following (traditional) commands:

ifconfig wlan0 down
iwconfig wlan0 mode monitor
iwconfig wlan0 channel 6
ifconfig wlan0 up

or alternatively the newer ones:

ip link set wlan0 down
iw dev wlan0 set type monitor
ip link set wlan0 up
iw dev wlan0 set channel 6

See the ifconfig vs ip comparison for a side-by-side comparison of the two commands.

Sniffing WiFi traffic

Now that the interface is in monitor mode, we can start tshark. Let's say we want to sniff WiFi traffic coming from or going to a particular station. You can specify a display filter in Wireshark syntax using the -R option.

mac="11:22:33:44:55:66"
tshark -i wlan0 -T fields -e frame.time_relative -e wlan.sa -e wlan.da -e radiotap.datarate -e wlan_mgt.ssid -e wlan \
    -R "wlan.ra == $mac || wlan.sa == $mac || wlan.ta == $mac || wlan.da == $mac"

The -T fields option together with one or more -e xxx options lets the user specify which fields to output. The field names are best found from Wireshark: in the packet details pane navigate to the field of interest, right-click and select Copy → Fieldname. Add this field after the -e option, and repeat for any other fields you want.

The output below might be the result of the command above. It turns out the station with MAC address 11:22:33:44:55:66 is an Access Point and that it is beaconing quite irregularly (or our sniffer only captures part of the air traffic).

8.582836000     11:22:33:44:55:66       ff:ff:ff:ff:ff:ff       1      TestAp   IEEE 802.11 Beacon frame, Flags: ........
10.528320000    11:22:33:44:55:66       ff:ff:ff:ff:ff:ff       1      TestAp   IEEE 802.11 Beacon frame, Flags: ........
10.733196000    11:22:33:44:55:66       ff:ff:ff:ff:ff:ff       1      TestAp   IEEE 802.11 Beacon frame, Flags: ........
11.040325000    11:22:33:44:55:66       ff:ff:ff:ff:ff:ff       1      TestAp   IEEE 802.11 Beacon frame, Flags: ........
11.654698000    11:22:33:44:55:66       ff:ff:ff:ff:ff:ff       1      TestAp   IEEE 802.11 Beacon frame, Flags: ........
11.757190000    11:22:33:44:55:66       ff:ff:ff:ff:ff:ff       1      TestAp   IEEE 802.11 Beacon frame, Flags: ........
12.064310000    11:22:33:44:55:66       ff:ff:ff:ff:ff:ff       1      TestAp   IEEE 802.11 Beacon frame, Flags: ........
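Text output like this is what makes tshark usable from scripts. The Python below is an added example, not code from the original post: it re-parses the seven lines above (constructed here with the tabs that -T fields prints between -e columns) and expresses every gap between captured beacons in units of a nominal beacon interval, so it can tell the two explanations offered above apart. It assumes the AP uses the common default beacon interval of 100 TU (102.4 ms); the real value is advertised in each beacon.

```python
from collections import defaultdict

# Field names in the order passed to -e above; `tshark -T fields` prints them
# tab-separated, one packet per line (an absent field is an empty column).
FIELDS = ("frame.time_relative", "wlan.sa", "wlan.da",
          "radiotap.datarate", "wlan_mgt.ssid", "wlan")

# Constructed sample: the article's seven output lines, re-joined with tabs.
AP, BCAST, INFO = "11:22:33:44:55:66", "ff:ff:ff:ff:ff:ff", "IEEE 802.11 Beacon frame, Flags: ........"
SAMPLE_OUTPUT = "\n".join("\t".join((t, AP, BCAST, "1", "TestAp", INFO)) for t in (
    "8.582836000", "10.528320000", "10.733196000", "11.040325000",
    "11.654698000", "11.757190000", "12.064310000"))

def parse_fields(text, fields=FIELDS):
    """One dict per packet, keyed by the -e field names."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        cols = line.split("\t")
        cols += [""] * (len(fields) - len(cols))   # pad short lines
        records.append(dict(zip(fields, cols)))
    return records

def beacon_coverage(records, nominal_s=0.1024):
    """Per source MAC, express each gap between captured beacons in units of the
    nominal interval (assumed 100 TU = 102.4 ms). Near-integer multiples with a
    tiny residual: AP on schedule, sniffer dropped the frames in between.
    Large residuals: the AP itself is beaconing irregularly."""
    times = defaultdict(list)
    for r in records:
        if "Beacon" in r["wlan"]:
            times[r["wlan.sa"]].append(float(r["frame.time_relative"]))
    report = {}
    for sa, ts in times.items():
        ts.sort()
        multiples, residuals_ms = [], []
        for a, b in zip(ts, ts[1:]):
            k = max(1, round((b - a) / nominal_s))   # whole intervals in this gap
            multiples.append(k)
            residuals_ms.append(abs((b - a) - k * nominal_s) * 1000)
        report[sa] = {"captured": len(ts),
                      "expected": sum(multiples) + 1,             # beacons sent in the window
                      "missed": sum(multiples) - len(multiples),  # frames the sniffer never saw
                      "multiples": multiples,
                      "max_residual_ms": max(residuals_ms, default=0.0)}
    return report

if __name__ == "__main__":
    for sa, r in beacon_coverage(parse_fields(SAMPLE_OUTPUT)).items():
        print(f"{sa}: {r['captured']} of ~{r['expected']} beacons captured, gaps of "
              f"{r['multiples']} intervals, max jitter {r['max_residual_ms']:.3f} ms")
```

On the sample, every gap is within about 0.1 ms of a whole multiple of 102.4 ms (19, 2, 3, 6, 1 and 3 intervals), which points at the sniffer missing frames rather than at an irregular AP.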