So after a twitter back and forth with Craig Schnarrs (@the_wifi_guy) I felt it would be helpful to show others how I got sniffing working on my raspberry pi with a Tenda W311M usb wireless card. This is going to be a “from scratch” deal since I don’t want to pooch my current install on another card, and I’m writing this along with performing the actions so the output copies here accurately. Also note that I scrub a bunch of output from the cli because I don’t want a 50 page post. The input is left in there so you can cut and paste if needed. Here goes...
First I’m grabbing the latest and greatest Raspbian wheezy build from the rpi page.
I’m actually doing a wget into my linux vm to get this started. Personally, any time I write to flash cards and use dd I try to do it in a linux vm. That idiot-proofs things for me pretty well so I don’t do something nasty to my main machine. For these purposes I have a cheapo usb multi-card reader that gets passed through in vmware player.
colin@python-dev:~$ mkdir temp
colin@python-dev:~$ cd temp/
colin@python-dev:~/temp$ wget http://**put your own mirror link here**
colin@python-dev:~/temp$ unzip 2012-07-15-wheezy-raspbian.zip
Optionally you can wipe your flash drive if you move them around a lot like I do and might have extra garbage on there. I typically like gparted due to laziness and the ability for graphical verification.
Use fdisk and/or dmesg to figure out which device your flash card showed up as, then dd the image to that target (this will take some time, 33 min in my case).
colin@python-dev:~/temp$ sudo fdisk -l
Disk /dev/sdc: 7958 MB, 7958691840 bytes
151 heads, 15 sectors/track, 6862 cylinders, total 15544320 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00096c65
Device Boot Start End Blocks Id System
/dev/sdc1 2048 15544319 7771136 83 Linux
colin@python-dev:~/temp$ sudo dd if=./2012-07-15-wheezy-raspbian.img of=/dev/sdc bs=512
3788800+0 records in
3788800+0 records out
1939865600 bytes (1.9 GB) copied, 2022.43 s, 959 kB/s
Remove the flash card from the reader, shut down the vm, stick it in the rpi and boot. I won’t go over how to do the setup menu so just google if you’re having issues. Once in a shell on the rpi, plug in the wifi nic and let’s take a look at what dmesg and lsusb tell us about this Tenda card.
pi@raspberrypi ~ $ lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 0424:9512 Standard Microsystems Corp.
Bus 001 Device 003: ID 0424:ec00 Standard Microsystems Corp.
Bus 001 Device 005: ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter
pi@raspberrypi ~ $ sudo dmesg
[ 470.710776] usb 1-1.3: USB disconnect, device number 4
[ 745.375862] usb 1-1.2: new high speed USB device number 5 using dwc_otg
[ 745.493792] usb 1-1.2: New USB device found, idVendor=148f, idProduct=5370
[ 745.493829] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 745.493849] usb 1-1.2: Product: 802.11 n WLAN
[ 745.493875] usb 1-1.2: Manufacturer: Ralink
[ 745.493891] usb 1-1.2: SerialNumber: 1.0
[ 745.592082] cfg80211: Calling CRDA to update world regulatory domain
[ 745.815877] usb 1-1.2: reset high speed USB device number 5 using dwc_otg
[ 745.994044] ieee80211 phy0: Selected rate control algorithm 'minstrel_ht'
[ 745.998921] Registered led device: rt2800usb-phy0::radio
[ 745.999536] Registered led device: rt2800usb-phy0::assoc
[ 746.000099] Registered led device: rt2800usb-phy0::quality
[ 746.002914] usbcore: registered new interface driver rt2800usb
So I cheated a bit when I went to microcenter to stock up for my rpi. I had this and google with me. From that I was able to find the cheapest/smallest card I could, lookup the chipset, then check it against the wiki. Notice the “M” isn’t specifically mentioned in the wiki but I knew the chipset was all good so I proceeded with my purchase. Heck, it was < $10 so I would have found another use if not for this guy.
Now that we’ve verified the chipset, let’s get to work installing a few things to make sniffing easier. Monitor mode can work out of the box sometimes but I’ll be damned if I can recall the proper syntax all the time. So, like most things, I’m lazy and I cheat by using tools that already exist. Let’s install iw and tshark (or wireshark if you insist on doing any of this in a gui). The build-essential package is already included but if you’re using some other pre-done image you may need to install it as well.
pi@raspberrypi ~ $ sudo apt-get install iw tshark
After the few minutes that takes, we’ll get to the secret sauce. I really like the airmon-ng tool to cleanly build and tear down monitor instances for me. I also like to use the latest version of the code so we’ll have to install subversion first to check it out.
*** Update ***
Check this post for an update if aircrack fails compiling due to a missing openssl lib.
*** /Update ***
pi@raspberrypi ~ $ sudo apt-get install subversion
pi@raspberrypi ~ $ svn co http://trac.aircrack-ng.org/svn/trunk aircrack-ng
Checked out external at revision 2177.
Checked out revision 2177.
pi@raspberrypi ~ $ cd aircrack-ng
Let’s compile and install (be patient).
pi@raspberrypi ~/aircrack-ng $ make
pi@raspberrypi ~/aircrack-ng $ sudo make install
For good measure I also update the OUI tool in case I need to spoof a MAC later.
pi@raspberrypi ~/aircrack-ng $ sudo airodump-ng-oui-update
[*] Downloading IEEE OUI file...
[*] Parsing OUI file...
[*] Airodump-ng OUI file successfully updated
Ok, we’re almost there. I’ll fire up a monitor interface for tshark (or your sniffer of choice) to use. airmon-ng will probably bitch about dhclient, ifplugd, and/or other things that may automagically do weird stuff to new interfaces. Kill at your own discretion/peril.
pi@raspberrypi ~/aircrack-ng $ sudo airmon-ng start wlan0 6
Found 4 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
Process with PID 2603 (ifplugd) is running on interface wlan0
Interface Chipset Driver
wlan0 Ralink RT2870/3070 rt2800usb - [phy0]
(monitor mode enabled on mon0)
Now let’s do a demo sniff to just grab some probe requests.
pi@raspberrypi ~/aircrack-ng $ sudo tshark -i mon0 subtype probereq
Everything goes smoothly, so rather than show the output here, here’s the same request written to a capture file (sudo tshark -i mon0 subtype probereq -w /tmp/rpi-cap.pcap), scp’d over to my windows machine, and opened in wireshark.
Tear down your monitor interface when you’re finished if you’d like.
pi@raspberrypi ~/aircrack-ng $ sudo airmon-ng stop mon0
Interface Chipset Driver
wlan0 Ralink RT2870/3070 rt2800usb - [phy0]
mon0 Ralink RT2870/3070 rt2800usb - [phy0] (removed)
Add a few more sub-$10 wifi cards, a powered usb hub, and a battery and you’ve got a pretty small rig to help troubleshoot stuff like roaming issues.
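As an added example (not part of the original post), here is a small Python parser for the kind of capture tshark writes to /tmp/rpi-cap.pcap above, so you can pull probe requests straight off the rpi without a gui: it walks the radiotap header to get the per-frame signal strength, keeps only probe requests (management type 0, subtype 4), and returns the transmitting station's MAC and the SSID it probed for, which is exactly what you want when chasing roaming issues. It assumes a little-endian pcap with link type 127 (radiotap) and handles radiotap fields up to the dBm antenna signal; the MACs, SSID and frames in SAMPLE are constructed here, not captured.

```python
import struct
# radiotap fields preceding the dBm antenna signal: (present bit, size, alignment)
RT_FIELDS = [(0, 8, 8), (1, 1, 1), (2, 1, 1), (3, 4, 2), (4, 2, 2), (5, 1, 1)]

def radiotap_signal(buf):  # -> (radiotap header length, dBm antenna signal or None)
    rt_len, present = struct.unpack_from("<xxHI", buf, 0)
    off, p = 8, present
    while p & (1 << 31):  # skip chained extended-present words
        p, off = struct.unpack_from("<I", buf, off)[0], off + 4
    for bit, size, align in RT_FIELDS:
        if present & (1 << bit):
            off = (off + align - 1) // align * align  # radiotap natural alignment
            if bit == 5:
                return rt_len, struct.unpack_from("<b", buf, off)[0]
            off += size
    return rt_len, None

def parse_probe_requests(pcap):  # -> [(source MAC, SSID, signal dBm), ...]
    magic, linktype = struct.unpack_from("<I16xI", pcap, 0)
    assert magic == 0xA1B2C3D4 and linktype == 127, "need little-endian radiotap pcap"
    off, out = 24, []
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        pkt, off = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len
        rt_len, sig = radiotap_signal(pkt)
        dot11 = pkt[rt_len:]
        if (dot11[0] & 0x0C) != 0 or (dot11[0] >> 4) != 4:  # keep mgmt type 0, subtype 4
            continue
        src = ":".join("%02x" % b for b in dot11[10:16])  # addr2 = transmitting station
        body, ssid, i = dot11[24:], "", 0  # tagged params follow the 24-byte header
        while i + 2 <= len(body) and body[i] != 0:  # walk tags until SSID (tag 0)
            i += 2 + body[i + 1]
        if i + 2 <= len(body):
            ssid = body[i + 2:i + 2 + body[i + 1]].decode("utf-8", "replace")
        out.append((src, ssid or "<wildcard>", sig))
    return out

def build_probe_request(src, ssid, signal_dbm):  # constructed sample frame (not captured)
    radiotap = struct.pack("<BBHIb", 0, 0, 9, 1 << 5, signal_dbm)  # only the signal field
    mac = bytes.fromhex(src.replace(":", ""))
    hdr = struct.pack("<BBH", 0x40, 0, 0) + b"\xff" * 6 + mac + b"\xff" * 6 + b"\0\0"
    return radiotap + hdr + bytes([0, len(ssid)]) + ssid.encode()

def build_pcap(frames):  # constructed pcap, LINKTYPE_IEEE802_11_RADIOTAP = 127
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 127)
    for n, f in enumerate(frames):
        data += struct.pack("<IIII", 1000 + n, 0, len(f), len(f)) + f
    return data

SAMPLE = build_pcap([build_probe_request("00:11:22:33:44:55", "CorpWifi", -61),
                     build_probe_request("66:77:88:99:aa:bb", "", -80)])
```

To run it on a real capture, pass the file's bytes (open("/tmp/rpi-cap.pcap", "rb").read()) to parse_probe_requests instead of SAMPLE.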