Stumbling and Sniffing Wireless Networks in Linux, Part 3
Wiresharking and RogueScannering

Eric Geier
Monday, November 16, 2009 11:22:33 AM
Last month, we started this series to help you survey and analyze the
airwaves with Linux tools. In the first part, we looked at SWScanner after
reviewing some basic stumbling and sniffing information. Then in the second
part, we discovered KwiFiManager and tcpdump.
Now we're going to use a GUI-based network sniffer/analyzer, Wireshark. Plus
we'll discover two intrusion detection tools designed to help detect rogue APs
and devices on the network. Let's get started!
Visually sniffing with Wireshark
If you don't particularly enjoy the command line or are a Linux newbie, you
might want to stick with using a GUI-based sniffer. Additionally, using a visual
application can provide a faster and more in-depth inspection of your network
traffic. We're going to look at Wireshark, a popular cross-platform network
analyzer, formerly named Ethereal.
Once you open Wireshark, click Capture > Interfaces and click the Start
button for the desired interface to start capturing. Packets should start
appearing, as seen in Figure 1. To inspect a packet, select it from the
list. Then you can browse through the packet details and see the actual contents
in hex and ASCII.
To prevent Wireshark from resolving hostnames or port names, click Capture >
Interfaces and hit the Options button for the desired interface. Then in the
bottom-right corner of the Options window, change the Name Resolution settings
as you wish.
If you want to understand a TCP connection better, right-click it and select
Follow TCP Stream. This should show you the entire conversation in a more
human-readable format. For example, Figure 2 shows the stream of an email
message I sent to myself; this shows why you need to use SSL connections for
email, otherwise messages are in clear text.
Figure 2: Using Wireshark to view a TCP conversation, particularly the
sending of a message via SMTP.
As with tcpdump, you can use filters/expressions in Wireshark. Simply type
them in the Filter box, above the packet list, and hit Enter. You can also
directly enter a protocol, such as ICMP, DHCP, or FTP, or a field name to see
all packets involving it. To reference a list of these protocols and fields,
click the Expression button. To remove the filter and show all the packets
again, click the Clear button.
Discovering Devices on the Network with RogueScanner
While you're sniffing the airwaves or snooping in on the traffic, you might
want to take a look at what devices are on the network too. You might find a
wireless AP that an employee has plugged in, or someone using the network with
an unauthorized device. There are full-fledged intrusion detection systems
(IDS), but sometimes you just want a quick look.
RogueScanner provides a quick and simple list of all IP devices on the
network. It will display the MAC addresses and vendor/model information in
addition to the IP addresses. Plus the tool factors in these variables and
outputs a risk score to help you identify possible rogues.
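To make the idea of a rogue-device risk score concrete, here is an added example (not RogueScanner's own code) that takes a discovery tool's (IP, MAC) list, looks up the vendor from the MAC's OUI, and ranks hosts against a MAC allowlist. The OUI table, the allowlist, the scoring weights, and the discovered hosts are all constructed assumptions for the demo.

```python
# Added example (not RogueScanner's code): rank discovered hosts by how
# likely they are rogue devices, using a MAC allowlist and OUI vendor lookup.

# Constructed OUI table (first three bytes of the MAC -> vendor). These
# mappings are illustrative assumptions, not a real OUI database.
OUI_VENDORS = {
    "00:1a:2b": "ExampleCorp NIC",
    "00:0c:29": "ExampleVM Virtual NIC",
    "aa:bb:cc": "AcmeWireless AP",
}
# Constructed allowlist of MAC addresses the administrator has approved.
AUTHORIZED_MACS = {"00:1a:2b:33:44:55", "00:1a:2b:33:44:56"}

def vendor_for(mac):
    """Vendor name for the MAC's OUI, or None if unknown (case-insensitive)."""
    return OUI_VENDORS.get(mac.lower()[:8])

def risk_score(mac):
    """Additive score (an assumed scheme, not RogueScanner's): MAC not on the
    allowlist +50, vendor unknown +20, vendor that looks like an access point
    +30, since an employee-installed AP is the classic rogue."""
    mac = mac.lower()
    vendor = vendor_for(mac)
    score = 0 if mac in AUTHORIZED_MACS else 50
    if vendor is None:
        score += 20
    elif "wireless" in vendor.lower() or vendor.lower().endswith(" ap"):
        score += 30
    return score

def scan_report(hosts):
    """hosts: (ip, mac) pairs as a discovery tool lists them.
    Returns one dict per host, highest risk first."""
    rows = [{"ip": ip, "mac": mac.lower(), "vendor": vendor_for(mac) or "unknown",
             "risk": risk_score(mac)} for ip, mac in hosts]
    return sorted(rows, key=lambda r: r["risk"], reverse=True)

# Constructed discovery results standing in for a RogueScanner sweep.
DISCOVERED = [
    ("192.168.1.10", "00:1A:2B:33:44:55"),  # approved workstation
    ("192.168.1.20", "AA:BB:CC:01:02:03"),  # unapproved access point
    ("192.168.1.30", "DE:AD:BE:EF:00:01"),  # unapproved, vendor unknown
    ("192.168.1.40", "00:0C:29:AA:BB:CC"),  # unapproved virtual machine
]

if __name__ == "__main__":
    for r in scan_report(DISCOVERED):
        print(f"{r['ip']:<14} {r['mac']}  {r['vendor']:<22} risk={r['risk']}")
```

The unapproved access point sorts to the top, which is the case the article warns about; a real deployment would replace the constructed tables with the IEEE OUI list and an inventory export.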
Unfortunately, RogueScanner doesn't provide any alerting features. However,
you might want to check into Paglo's full-fledged network management
solution, free for use with up to 20 devices. The network discovery tool,
Paglo Crawler, is also open source, available for both Windows and Linux.
Next: Getting Real Network Intrusion Detection with Snort »