January 22, 2019

Stumbling and Sniffing Wireless Networks in Linux, Part 1 - page 2

To Stumble or to Sniff, That is the Question

  • October 19, 2009
  • By Eric Geier

Switches can cause sniffing problems

How much network traffic you see when sniffing depends on how the wired switches on your network work. If you are sniffing via an Ethernet connection and the switch doesn't forward all unicast and multicast traffic (traffic addressed to a single computer or to a group of computers) to all of its ports, you won't see all the traffic on the network. You'd see all traffic addressed to your station, broadcast traffic (sent to all ports), and any multicast packets that apply to your station. You won't see communication directly between two other stations, that is, unicast traffic to or from other computers.

For wireless sniffing, the switch issue doesn't have such a big effect. In promiscuous mode, you should still always see traffic to and from stations and the AP you're connected to. Since monitor mode simply captures traffic on channels, the switch issue doesn't apply in this mode.

Stumbling with SWScanner, a NetStumbler look-alike

If you are impressed by NetStumbler on Windows, you'll be even more astonished by SWScanner in Linux. Like NetStumbler, it scans for and lists all the nearby access points. As Figure 1 shows, you'll see details for each AP, such as the SSID (network name), channel, encryption status, vendor (if detected), and signal strength and noise levels in dBm. It even takes the signal and noise levels and spits back the signal-to-noise ratio (SNR), a good value to use when determining the quality of a signal. Plus it keeps track of the maximum signal and SNR values seen while scanning. SWScanner also provides a separate Statistics view, for a quick overview of the encryption and channel status of the APs, great for large surveys or war drives.

Figure 1: SWScanner shows details of nearby APs.
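
The columns described above can be reproduced from plain scan text. The following Python is an added example, not SWScanner or article code: it parses `iwlist` scan output into per-AP records, derives SNR, and tracks the maximum signal and SNR seen across scans. The function names and the sample output are constructed, and the field layout assumes the classic wireless-tools `iwlist <iface> scan` format.

```python
import re
# Added illustration, not SWScanner code. Constructed sample of `iwlist ath0 scan` output:
SAMPLE_SCAN = """\
ath0      Scan completed :
          Cell 01 - Address: 00:11:22:33:44:55
                    ESSID:"office-ap"
                    Frequency:2.437 GHz (Channel 6)
                    Quality=40/94  Signal level=-55 dBm  Noise level=-95 dBm
                    Encryption key:on
          Cell 02 - Address: 66:77:88:99:AA:BB
                    ESSID:"guest"
                    Frequency:2.412 GHz (Channel 1)
                    Quality=12/94  Signal level=-83 dBm  Noise level=-95 dBm
                    Encryption key:off
"""
FIELDS = {
    "essid": r'ESSID:"(.*)"',
    "channel": r"\(Channel (\d+)\)",
    "signal": r"Signal level[=:](-?\d+) dBm",
    "noise": r"Noise level[=:](-?\d+) dBm",
    "encrypted": r"Encryption key:(on|off)",
}

def parse_scan(text):
    """Return {mac: fields} per cell; SNR (dB) = signal - noise, both in dBm."""
    aps = {}
    for block in re.split(r"(?=Cell \d+ - Address:)", text):
        mac = re.search(r"Address: ([0-9A-Fa-f:]{17})", block)
        if not mac:
            continue  # interface header line, no AP in this chunk
        found = ((k, re.search(rx, block)) for k, rx in FIELDS.items())
        ap = {k: m.group(1) if m else None for k, m in found}
        for key in ("channel", "signal", "noise"):
            ap[key] = int(ap[key]) if ap[key] is not None else None
        # "key:on" only means the privacy bit is set; it does not tell WEP from WPA.
        ap["encrypted"] = {"on": True, "off": False}.get(ap["encrypted"])
        both = ap["signal"] is not None and ap["noise"] is not None
        ap["snr"] = ap["signal"] - ap["noise"] if both else None
        aps[mac.group(1).upper()] = ap
    return aps

def track_max(best, scan):
    """Keep the highest signal and SNR seen per AP across repeated scans."""
    for mac, ap in scan.items():
        seen = best.setdefault(mac, {"signal": None, "snr": None})
        for key in seen:
            if ap[key] is not None and (seen[key] is None or ap[key] > seen[key]):
                seen[key] = ap[key]
    return best
```

Calling `track_max` with the same `best` dictionary after each new scan keeps the peak values while you walk a site, which helps when judging AP placement and coverage.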

Before you start stumbling around with SWScanner, you'll probably have to configure it with the proper wireless interface. On the toolbar, click Tools > Configure SWScanner. Then change the Preselect interface to the one that has the Wi-Fi card, such as ath0, and hit Save.

To begin stumbling, click the Start Scanning (gear) button. To hear a beep when APs are picked up, select the Sound on checkbox near the top of the window. After a fair number of APs are detected, you may want to sort them by clicking on the Channel, ESSID, MAC, or WEP filter entries on the left. For details on any current wireless connection, refer to the status area on the bottom left. When you're tired of seeing the AP list, hit the Clear List (eraser) button.

We pretty much toured the entire interface, besides the GPS feature. If you do have a GPS unit and want to record the positioning info for each AP, click Tools > Configure SWScanner and configure the settings. Then back on the main window, hit the Start GPS button to select a location to separately store the log.

Stay tuned--next week, we'll stumble (and manage our Wi-Fi) with KwiFiManager and we'll sniff at the command-line with tcpdump.

Eric Geier is an author of many computing and networking books, including Home Networking All-in-One Desk Reference For Dummies (Wiley 2008) and 100 Things You Need to Know about Microsoft Windows Vista (Que 2007).
