Stumbling and Sniffing Wireless Networks in Linux, Part 1
To Stumble or to Sniff, That is the Question
October 19, 2009
Do you need to stumble or sniff networks? Do you need to do a Wi-Fi site survey, troubleshoot network annoyances, or make sure your employees (or children) aren't misusing the Internet? Sure you can spend hundreds or thousands of dollars on commercial network analyzers--usually for Windows--but Linux and the open source community offer some great tools.
In this article, we'll discover and tour a few different stumblers and sniffers that run on Linux. We'll also touch on some general stumbling and sniffing information. You're on your way to a free and open site survey, war-drive, or network troubleshooting experience. Now let's get started!
To stumble or to sniff, that is the question
Before we begin tinkering with the tools, you should clearly understand the differences between stumbling and sniffing. They are two very different activities, and each requires a different kind of tool--we aren't talking about body parts.
When you want to see what wireless access points (APs) are in the area and their status, such as signal strength or encryption, you want to stumble. You can even use stumblers as the chief tool when designating or evaluating the location of APs on a wireless network. Additionally, you can stumble around your office--while not actually tripping--to find rogue APs. These are APs that haven't been installed by the network team, or have been reset and are exposing your network. For personal reasons, you can also use stumblers to war drive. This means you drive (or walk or sit) around in public to detect everyone's networks.
When you want to dive much deeper into networks, you use sniffers. Instead of stumbling upon details derived from only network beacons, sniffers take a big whiff of the actual raw network traffic. You see each individual packet. Additionally, sniffers can do some analyzing. They can also serve as an intrusion detection system. Some keep track of legitimate and rogue APs, so you don't have to do it manually, stumbling and lurching around the office. They could also report on the network's performance, and in strange cases sniffers may even detect foul odors.
The sniffing modes: monitor or promiscuous
Depending upon what wireless card you use, your wireless sniffing experience will differ dramatically. Normally, network cards are only supposed to receive packets addressed to them, while connected to a network. However, with the right chipset (network card), loaded with the right drivers, you may be able to capture in monitor or promiscuous mode.
In monitor mode, you can capture packets from the wireless channels without being connected to a particular network. In promiscuous mode, you can still see the entire wireless network's traffic, but must be associated with it. If you are working with your network, promiscuous mode should be fine. However, not all wireless cards even support this mode.
If you find your current setup doesn't provide the capturing mode you want, check with the sniffer developer to see what chipsets (network cards) and drivers they recommend. You might also want to reference this listing of cards and their specs. Additionally, Wikipedia has a comparison of open source wireless drivers.
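Before picking a tool, you can check which capture mode a card's driver actually advertises. The POSIX shell script below is an added example, not code from the article: it parses the "Supported interface modes" block that `iw list` prints for each PHY and reports monitor mode where available, falling back to associated (promiscuous) capture otherwise. The `iw list` text is a constructed sample standing in for real hardware, and `wlan0`/`mon0` are placeholder interface names.

```shell
#!/bin/sh
# Added example: decide between monitor-mode and promiscuous (associated) capture
# from the "Supported interface modes" block that `iw list` prints per PHY.
# SAMPLE_IW_LIST is constructed, not captured; on a real box feed `iw list` instead.
SAMPLE_IW_LIST='Wiphy phy0
    Supported interface modes:
         * IBSS
         * managed
         * AP
         * monitor
    Band 1:
Wiphy phy1
    Supported interface modes:
         * managed
         * AP
    Band 1:'

# supported_modes PHY  (iw list text on stdin): print that PHY's modes, one per line.
supported_modes() {
  awk -v phy="$1" '
    /^Wiphy /                                { in_phy = ($2 == phy); in_modes = 0; next }
    in_phy && /Supported interface modes:/   { in_modes = 1; next }
    in_phy && in_modes && /^[[:space:]]*\* / { sub(/^[[:space:]]*\* /, ""); print; next }
    in_modes                                 { in_modes = 0 }   # first non-mode line ends the block
  '
}

# capture_mode PHY (iw list text on stdin): "monitor" if the driver advertises
# monitor mode, otherwise "promiscuous", i.e. you can only capture while associated.
capture_mode() {
  if supported_modes "$1" | grep -qx monitor; then
    echo monitor
  else
    echo promiscuous
  fi
}

# monitor_setup_cmds WLAN_IF MON_IF: the iw/ip commands that add a separate
# monitor-mode virtual interface (printed, not run; they need root and a real card).
monitor_setup_cmds() {
  printf 'iw dev %s interface add %s type monitor\n' "$1" "$2"
  printf 'ip link set %s up\n' "$2"
}

for phy in phy0 phy1; do
  mode=$(printf '%s\n' "$SAMPLE_IW_LIST" | capture_mode "$phy")
  echo "$phy: $mode"
  if [ "$mode" = monitor ]; then monitor_setup_cmds wlan0 mon0; fi
done
```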