Sniffing on a raspberry pi

So after a twitter back and forth with Craig Schnarrs (@the_wifi_guy) I felt it would be helpful to show others how I got sniffing working on my raspberry pi with a Tenda W311M usb wireless card. This is going to be a “from scratch” deal since I don’t want to pooch my current install on another card and i’m writing this along with performing the actions so the output copies here accurately. Also note that I scrub a bunch of output from the cli because I don’t want a 50 page post. The input is left in there so you can cut and paste if needed. Here goes..

First I’m grabbing the latest and greatest rasbian wheezy build from the rpi page.

I’m actually doing a wget in to my linux vm to get this started. Personally any time I write to flash cards and use dd I try to do it in a linux vm. That idiot-proofs things for me pretty well so I don’t do something nasty to my main machine. For these purposes I have a cheapo usb to multi-card reader that gets passed through in vmware player.

colin@python-dev:~$ mkdir temp
colin@python-dev:~$ cd temp/
colin@python-dev:~/temp$ wget http://**put your own mirror link here**
colin@python-dev:~/temp$ unzip

Optionally you can wipe your flash drive if you move them around a lot like I do and might have extra garbage on there. I typically like gparted due to laziness and the ability for graphical verification.

Use fdisk and/or dmesg to figure out where my flash is and then dd to the target (this will take some time, 33 min in my case).

colin@python-dev:~/temp$ sudo fdisk -l

Disk /dev/sdc: 7958 MB, 7958691840 bytes
151 heads, 15 sectors/track, 6862 cylinders, total 15544320 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00096c65

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1            2048    15544319     7771136   83  Linux

colin@python-dev:~/temp$ sudo dd if=./2012-07-15-wheezy-raspbian.img of=/dev/sdc bs=512
3788800+0 records in
3788800+0 records out
1939865600 bytes (1.9 GB) copied, 2022.43 s, 959 kB/s

Remove flash card from reader, shutdown vm, stick in rpi and boot. I won’t go over how to do the setup menu so just google if you’re having issues. Once in a shell on the rpi, plug in the wifi nic and lets take a look at what dmesg and lsusb tells us about this Tenda card.

pi@raspberrypi ~ $ lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 0424:9512 Standard Microsystems Corp.
Bus 001 Device 003: ID 0424:ec00 Standard Microsystems Corp.
Bus 001 Device 005: ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter

pi@raspberrypi ~ $ sudo dmesg
[  470.710776] usb 1-1.3: USB disconnect, device number 4
[  745.375862] usb 1-1.2: new high speed USB device number 5 using dwc_otg
[  745.493792] usb 1-1.2: New USB device found, idVendor=148f, idProduct=5370
[  745.493829] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  745.493849] usb 1-1.2: Product: 802.11 n WLAN
[  745.493875] usb 1-1.2: Manufacturer: Ralink
[  745.493891] usb 1-1.2: SerialNumber: 1.0
[  745.592082] cfg80211: Calling CRDA to update world regulatory domain
[  745.815877] usb 1-1.2: reset high speed USB device number 5 using dwc_otg
[  745.994044] ieee80211 phy0: Selected rate control algorithm 'minstrel_ht'
[  745.998921] Registered led device: rt2800usb-phy0::radio
[  745.999536] Registered led device: rt2800usb-phy0::assoc
[  746.000099] Registered led device: rt2800usb-phy0::quality
[  746.002914] usbcore: registered new interface driver rt2800usb

So I cheated a bit when I went to microcenter to stock up for my rpi. I had this and google with me. From that I was able to find the cheapest/smallest card I could, lookup the chipset, then check it against the wiki. Notice the “M” isn’t specifically mentioned in the wiki but I knew the chipset was all good so I proceeded with my purchase. Heck, it was < $10 so I would have found another use if not for this guy.

Now that we’re verified the chipset, let’s get to work installing a few things to make sniffing easier. Monitor mode can work out of the box sometimes but I’ll be damned if I can recall the proper syntax all the time. So, like most things, I’m lazy and I cheat by using tools that already exist. Let’s install iw and tshark (or wireshark if you insist on doing any of this in a gui). The build-essential package is already included but if you’re using some other pre-done image you may need to install it as well.

pi@raspberrypi ~ $ sudo apt-get install iw tshark

After the few minutes that takes, we’ll get to the secret sauce. I really like the airmon-ng tool to cleanly build and tear down monitor instances for me. I also like to use the latest version of the code so we’ll have to install subversion first to check it out.

*** Update ***
Check this post for an update if aircrack fails compiling due to a missing openssl lib.
*** /Update ***

pi@raspberrypi ~ $ sudo apt-get install subversion
pi@raspberrypi ~ $ svn co aircrack-ng
Checked out external at revision 2177.
Checked out revision 2177.
pi@raspberrypi ~ $ cd aircrack-ng

Let’s compile and install (be patient)

pi@raspberrypi ~/aircrack-ng $ make
pi@raspberrypi ~/aircrack-ng $ sudo make install

For good measure I also update the OUI tool in case I need to spoof a MAC later.

pi@raspberrypi ~/aircrack-ng $ sudo airodump-ng-oui-update
[*] Downloading IEEE OUI file...
[*] Parsing OUI file...
[*] Airodump-ng OUI file successfully updated

Ok, we’re almost there. I’ll fire up a monitor interface for tshark (or your sniffer of choice) to use. airmon-ng will probably bitch about dhclient, ifplugd, and/or other things that may automagically do weird stuff to new interfaces. Kill at your own discretion/peril.

pi@raspberrypi ~/aircrack-ng $ sudo airmon-ng start wlan0 6

Found 4 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
PID     Name
1011    ifplugd
1031    ifplugd
1278    dhclient
2603    ifplugd
Process with PID 2603 (ifplugd) is running on interface wlan0

Interface       Chipset         Driver

wlan0           Ralink RT2870/3070      rt2800usb - [phy0]
                                (monitor mode enabled on mon0)

Now let’s do a demo sniff to just grab some probe requests.

pi@raspberrypi ~/aircrack-ng $ sudo tshark -i mon0 subtype probereq

Everything goes smoothly so rather than show output, here’s the same request written to a capture (sudo tshark -i mon0 subtype probereq -w /tmp/rpi-cap.pcap), scp’d over to my windows machine, and opened in wireshark.

Tear down your monitor interface when you’re finished if you’d like.

pi@raspberrypi ~/aircrack-ng $ sudo airmon-ng stop mon0

Interface       Chipset         Driver

wlan0           Ralink RT2870/3070      rt2800usb - [phy0]
mon0            Ralink RT2870/3070      rt2800usb - [phy0] (removed)

Add a few more sub-$10 wifi cards, a powered usb hub, and a battery and you’ve got a pretty small rig to help troubleshoot stuff like roaming issues.


26 thoughts on “Sniffing on a raspberry pi

  1. Thanks Colin.

    I could not compile aircrack-ng, because openssl was missing. “sudo apt-get-install libssl-dev” did the trick

    raspberry on!!

  2. Hi there! Thank you very much for this post, this helped a lot, especially for the compile error fix. I am building my own pen-testing based on Raspbian Wheezy, since using PwnPi is very slow, even slower on GUI, and I’m not really using everything included there.

    ATM I have installed aircrack-ng, reaver, kismet, and wireshark (the four applications that I use the most, and is enough to crack a WEP/WPA).

      • This seemed to work for me using the raspbian image. Install then compile away from source as usual.

        apt-get install libpcap-dev libsqlite3-dev

  3. I’ve got everything installed and (almost) working. The only problem is that when I use airmon-ng it doesn’t give my monitor a name, such as mon0. All I get is “monitor mode enabled.” I’ve tried using mon0 in its place, and wlan0, but neither work. Any ideas what my monitor is named, or how I can remedy the situation?

      • i had this problem with one of the Edimax wifi nics i had. Seems to me that when the card is incapable of monitoring, even though the “monitor mode enabled” pops up, the mon0 interface won’t show up. I retried this with an Alfa AWUS036H and had no problem getting the mon0 interface to appear.

      • airmon will only assign a mon0 if your wificard supports permiscuous (moniitor) mode. It is a setting built into the chipset. some cards will work some wont.

  4. This looks very interesting. I’ve been trying to hunt down a local supplier of usb wifi dongles that has a chipset that works. Resorted to buy and try. Wound up with a RTL8188CUS which wont allow monitor mode. Probably going to buy on line somewhere the exact model you have in hopes of getting going.

    One thing I was wondering though, could you confirm what information is available from the captured packets. Specifically, can you see the mac addresses of the other end user devices (not just the access points)? Do you get any information on the other users signal strength? I was hoping to use this to get a sense of the amount of transmit power any given user has a the receiver location.

    I presume that in monitor mode, you cant be using the same WiFi dongle for sending data simultaneously? So if I wanted to be interactive with the pi while capturing, it would require either the Ethernet connector or a second WiFi stick?

    Thanks for an informative post!

  5. Hi there, can confirm that this works on Pi using Alfa AWUS036H perfectly

    Thanks LOADS – had been trying to get aircrack installed & the debian libraries simply don’t work – been going round in circles for DAYS!

    This compiled and installed perfectly first time!

    Very very pleased – thanks so much.

    PS to patrick – yes, reaver works perfectly on Pi :-) Also tried PwnPi – very nice distro but yes, slooooow. And also has probs with x11vnc which is my planned remote link to the Pi.

  6. hi
    for me the rt5370 driver worked with airodump and aireplay but didn’t work with reaver. With reaver it always writes: “WARNING: Failed to associate with”
    but with a other wlan-device (rtl8187) it works perfect.
    do you know why and have any tips how to solve this?

  7. may I ask that, the wifi card you used, the pcap file include “Prism headers” ?? I need RSSI velue, but I can’t get it with my zd1211 card

  8. I have the problem that the library of libssl-dev is not found on the main wheezy mirrors. Is there a way to get a different mirror for the raspbian library?

  9. when i try and do the make for aircrack I get the following error any ideas?

    common.mak:85: *** Cannot find development files for any supported version of libnl. install either libnl1 or libnl3.. Stop.

    • to answer my own question I got it complied using the following

      sudo apt-get install libnl-3-200 libnl-3-dev libnl-3-doc libnl-genl-3-dev libnl-genl-3-200

  10. Thank you for such a great guide and I wouldn’t have got as far as I have without it. I have followed your guide and I seem to have the exact same wifi adapter or at least it reports the same ( idVendor=148f, idProduct=5370).

    I get all the way through the guide however when I run tshark I can only seem to get broadcast traffic reported and no other IP traffic at all.

    Can anyone suggestion how to get the ip traffic? I am mainly interested in monitoring website requests so have used the following command but I just nothing is logged.

    sudo tshark -i mon0 -c 100 ip and tcp port 80 or tcp port 443 -V -R “http.request || http.response”

    if I use a more baisc command like the following
    sudo tshark -i mon0 -c 100 ip

    Then I can only see broadcast
    45.673372 Dell_90:3f:05 -> Datawire_a2:43:ab 802.11 147 QoS Data, SN=728, FN=0, Flags=.p….F.

    lssub gives this :
    Bus 001 Device 004: ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter

    if config give this:
    mon0 Link encap:UNSPEC HWaddr 00-0F-55-A2-43-AB-00-00-00-00-00-00-00-00-00-00
    RX packets:7256 errors:0 dropped:4652 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:1636621 (1.5 MiB) TX bytes:0 (0.0 B)

    wlan0 Link encap:Ethernet HWaddr 00:0f:55:a2:43:ab
    RX packets:4015 errors:0 dropped:9 overruns:0 frame:0
    TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:395965 (386.6 KiB) TX bytes:3061 (2.9 KiB)

    iwconfig gives this:
    wlan0 IEEE 802.11bgn ESSID:”TALKTALK-C52828″
    Mode:Managed Frequency:2.412 GHz Access Point: 80:B6:86:C5:28:30
    Bit Rate=135 Mb/s Tx-Power=20 dBm
    Retry long limit:7 RTS thr:off Fragment thr:off
    Power Management:on
    Link Quality=61/70 Signal level=-49 dBm
    Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
    Tx excessive retries:8 Invalid misc:72 Missed beacon:0

    mon0 IEEE 802.11bgn Mode:Monitor Tx-Power=20 dBm
    Retry long limit:7 RTS thr:off Fragment thr:off
    Power Management:on

    • Your wlan0 adapter needs to be set into “Monitor” mode. (no Managed mode !)
      This can be done with:
      ifconfig wlan0 down
      iwconfig wlan0 mode monitor
      ifconfig wlan0 up

      iwconfig wlan0 should now show “Monitor” under mode and it should run fine !

      • I think he has mon0 interface configured as monitor mode, right?

        I have exactly the same problem with RT5370 in RPi. Can not seem to capture TCP traffic.. Did you find a solution?

  11. Just as a note, to get mine running I made sure that the Tenda (from ebay) was in the lower USB slot and the following required to fire it up and get it capturing

    sudo airmon-ng start wlan0 6

    I got the message
    tshark: The capture session could not be initiated (No such device exists).

    as it stated that the interface was wlan0mon I used this for tshark
    sudo tshark -i wlan0mon subtype probereq
    and it worked fine, now to tackle batches of files for later processing when left running remotely

  12. I use this command to collect data, and deliver it in a CSV format

    sudo tshark -i wlan0mon subtype probereq -l -T fields -e frame.number -e frame.time -e -e wlan.da -e wlan_mgt.ssid -E quote=d -E separator=,

  13. Hi, I have one question, I have done access point mapping using airodump-ng, so i have collected so many aps, with different encryption some of are open aps. Is there any tools or web services are available for visualization ?
    I found this website but is there any other sources are available ?


Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code lang=""> <del datetime=""> <em> <i> <q cite=""> <strike> <strong> <pre lang="" extra="">