Remote WiFi packet analysis with Wireshark

Sometimes you need to get packets from somewhere awkward, but you want to be able to stream them and do live analysis. Rather than dumping to a file and shipping that around, Wireshark supports a number of modes for getting remote captures; they are detailed on the Pipes Wireshark Wiki page.

I want to be able to get Air packets (WIFI!) from OpenWRT, but think about them on my FreeBSD desktop.

I bought the OpenWRT One router for just this sort of thing. A well supported, modern hardware platform that also supports the OpenWRT project with money - who could resist.

OpenWRT Setup

The OpenWRT One router ships as a home router, with a 'secured' wan port and WiFi bridged with Ethernet on a LAN port; WiFi is disabled out of the box. I'm pretty happy for the router to hang out on my network with the wan port facing my internal network and the LAN port for testing devices.

For my setup I needed to enable control on the wan port in the firewall and add rules for my PCAP server. Then I needed to configure monitor mode on the WiFi interfaces.

After a first set up, where I was made to configure a password, I was locked out. A quick reset (hold the front button while powering on) returned me to some sort of factory default with the LuCI web interface uninstalled.

That actually suits me fine - now I have to configure stuff on the command line I won't get confused by buttons.

I added rules to the WAN interface to allow SSH in and TCP connections to port 19000 by adding the following to /etc/config/firewall:

# allow ssh on wan port
config rule
    option name     Allow-ssh-wan
    option src      wan
    option dest_port    22
    option proto        tcp
    option target       ACCEPT

# allow serving pcap from netcat on wan port
config rule
    option name     Allow-pcap-wan
    option src      wan
    option dest_port    19000
    option proto        tcp
    option target       ACCEPT

And then reloaded firewall configuration by running

root@OpenWrt:~# /etc/init.d/firewall reload

I tested this works by ssh'ing in on the wan interface.

I then set up WiFi by editing /etc/config/wireless and changing the mode of default_radio0 to 'monitor' and changing 'disabled' to '0':

config wifi-device 'radio0'
    option type 'mac80211'
    option path 'platform/soc/18000000.wifi'
    option band '2g'
    option channel '6'
    option htmode 'HE20'
    option num_global_macaddr '7'
    option disabled '0'

config wifi-iface 'default_radio0'
    option device 'radio0'
    option network 'lan'
    option mode 'monitor'
#   option ssid 'OpenWrt'
#   option encryption 'none'

Running

root@OpenWrt:~# /etc/init.d/wireless restart

gave me a new interface in ifconfig:

phy0-mon0 Link encap:UNSPEC  HWaddr XX-XX-XX-XX-XX-XX-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8064610 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2521292141 (2.3 GiB)  TX bytes:0 (0.0 B)

pcaping

The easiest way to remotely get packets into Wireshark is ssh'ing to somewhere and pulling stuff back over the socket; Wireshark has a builtin method for this via the sshdump extcap. Not all platforms package up all the Wireshark tools: FreeBSD is missing a lot of these and my capture target OpenWrt doesn't seem to have any.

I really don't want to build my own FreeBSD packages and I refuse to build my own OpenWrt ones.

After some long thoughts looking over the Wireshark capture modes I figured that I could feed packets from tcpdump into netcat and then let Wireshark pull them over the network.

On OpenWRT you need to install netcat and tcpdump:

root@OpenWrt:~# apk add netcat tcpdump

With remote hosts able to connect to the listener thanks to the firewall rule (above), I could now run tcpdump and feed traffic into netcat:

root@OpenWrt:~# tcpdump -i phy0-mon0 --immediate-mode -U -w - | nc -l -p 19000

Wireshark can now connect to my remote host (192.168.4.34 as an example):

wireshark -k -i TCP@192.168.1.34:19000

OpenWrt netcat is jarringly different from FreeBSD's (OpenBSD-derived) netcat; once I figured that out I was in business and started getting packets from the air from OpenWrt.
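As an added example (not code from the post), here is a small Python parser for the bytes that flow over that socket: the classic pcap stream that tcpdump -w - emits on a monitor interface, radiotap-framed 802.11 frames, which is what Wireshark's TCP@host:port interface consumes. The sample stream is constructed inline so it runs offline, and the parser stops cleanly on a record that was cut mid-packet, as happens when the netcat side goes away.

```python
import struct

# Link type tcpdump records for a mac80211 monitor interface such as phy0-mon0.
LINKTYPE_IEEE802_11_RADIOTAP = 127
FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}


def parse_pcap_stream(data):
    """Parse a classic pcap byte stream (what `tcpdump -w -` pipes into netcat
    and Wireshark reads from TCP@host:port) into one dict per 802.11 frame.
    A partial trailing record is left unread rather than raising."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        end = "<"          # pcap header fields written little-endian
    elif magic == 0xD4C3B2A1:
        end = ">"          # pcap header fields written big-endian
    else:
        raise ValueError("not a pcap stream, magic %08x" % magic)
    _major, _minor, _tz, _sigfigs, _snaplen, linktype = struct.unpack_from(end + "HHiIII", data, 4)
    if linktype != LINKTYPE_IEEE802_11_RADIOTAP:
        raise ValueError("expected radiotap link type 127, got %d" % linktype)
    frames, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        pkt = data[off + 16:off + 16 + incl_len]
        if len(pkt) < incl_len:
            break  # truncated record: the stream ended mid-packet
        off += 16 + incl_len
        if len(pkt) < 4:
            continue  # too short to even hold a radiotap length field
        # Radiotap header is always little-endian: version(1) pad(1) length(2) present(4..)
        rt_len, = struct.unpack_from("<H", pkt, 2)
        if len(pkt) <= rt_len:
            continue  # radiotap header only, no 802.11 frame behind it
        fc = pkt[rt_len]  # first byte of the 802.11 frame control field
        frames.append({"ts_sec": ts_sec, "ts_usec": ts_usec, "radiotap_len": rt_len,
                       "type": FRAME_TYPES[(fc >> 2) & 0x3], "subtype": (fc >> 4) & 0xF})
    return frames


def _record(ts_sec, payload):
    return struct.pack("<IIII", ts_sec, 0, len(payload), len(payload)) + payload


# Constructed sample stream (not a real capture): minimal 8-byte radiotap header
# followed by a beacon (management/8) and a data frame (data/0) with zeroed addresses.
_RADIOTAP_MIN = bytes([0, 0, 8, 0, 0, 0, 0, 0])
SAMPLE_STREAM = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11_RADIOTAP)
                 + _record(1700000000, _RADIOTAP_MIN + bytes([0x80, 0x00]) + bytes(22))
                 + _record(1700000001, _RADIOTAP_MIN + bytes([0x08, 0x00]) + bytes(22)))

if __name__ == "__main__":
    for frame in parse_pcap_stream(SAMPLE_STREAM):
        print(frame)
```

Pointing it at a real socket is a matter of reading from the connection into the same buffer; because tcpdump runs with -U and --immediate-mode, records arrive one packet at a time rather than in delayed blocks.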


My work on FreeBSD is supported by the FreeBSD Foundation; you can contribute to improving FreeBSD with code, documentation or financially by donating to the FreeBSD Foundation.