Wireshark-dev: [Wireshark-dev] I want to make a specific sniffer based on Wireshark/Tshark
From: Yohannes Affandy Siregar <sir.yohannes@xxxxxxxxxxx>
Date: Thu, 19 Jan 2012 18:13:36 +0800 (SGT)
Hi fellow developers!

Since I haven't received any response yet, I want to re-post it to this mailing-list.

So, I want to make my own packet sniffer based from Wireshark or Tshark. It should only read my RFID tag which transmits probe requests using 802.11 protocol and bypass any other data. I know that Wireshark has packet capture filter, but I need to make more than a filter for my Last Project. I need to develop my own sniffer in Linux OS. Although my programming skill is not perfect, but I can code.

The probe requests, though, differ from other wifi node's,
such as laptops, probe request. There are two things which are different:
1. the t
he radiotap header
2. the destination address and the BSS Id

1. The radiotap header of the tag is instead same with
AP's probe response on which the present flags is 2f 48 00 00. whilst my laptop's probe request is 04 80 02 00. So, I think I can identify my tag by its radiotap header and frame control. How can I filter out the radiotap header? Do I need to make my own dissector?

2. The destination address and the BSS Id of the tag's probe request is set to be broadcast (i.e ff ff ff ff ff ff). It differs from other node's Probe Request which is MAC address of target AP.

So, based on this terms, where can I start? what environment is the best to code and test my program? I'm using Backtrack 5 r1 as my OS. Is it good for programming or I should change it? I use BT because wireshark adn aircrack is already built up there.

One more thing, I need to use "airmon-ng start wlan0" to make my laptop's wireless adapter become in promiscuous mode. Can I add this capability to my packet sniffer?

Thanks.

Sincerely yours,




Yohannes A. Siregar
13207200
Electrical Engineering 2007
Bandung Institute of Technology
cellphone: +62-856-9767-1516
home phone: +62-21-821-2045

Dari: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Kepada: Yohannes Affandy Siregar <sir.yohannes@xxxxxxxxxxx>; Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Dikirim: Rabu, 21 Desember 2011 15:14
Judul: Re: [Wireshark-dev] Student Project. I want to reduce and add some functionalities in Wireshark.

On 2011-12-21 05:39, Yohannes Affandy Siregar wrote:

> Greetings fellow developers!
>
> I'm a student taking Electrical Engineering specializing Computer
> Engineering and am still learning a lot about Wireless and Programming..
> I'm working on my last project in University.
>
> I now have to make a packet sniffer program which utilizes wireless
> adapter in my laptop to read an RFID tag using 802.11 b/g protocol.
> Using Backtrack 4 r2 as my OS, I could put my wifi adapter into monitor
> mode and then used Wireshark to read the presence of the tag. It transmits
> probe request and data inside it.. I already could see it. But, that's
> not enough. Now, my professor wants me to make Wireshark to read only my
> tag and not other WAP. Also he wants it to read the tag just once in a
> period of time. and, I need to parse the MAC address of the tag too.. my
> sniffer program has to proceed the MAC Address of the tag to a database
> center.
>
> Can I change the source code of Wireshark to do those things: reads only
> from specific type of clients, filters MAC address so that no same MAC
> address recorded, and proceeds the MAC address and info in the tag to a
> database server? Has anyone ever done this before?
>
> Thank you very much...
>
> Sincerely yours,
> Yohannes A. Siregar

Hi,

> .... Now, my professor wants me to make Wireshark to read only my
> tag and not other WAP.

How do you identify 'my tag' apart from all other transmissions?
Assuming by MAC address you can setup a capture filter for it.


> Also he wants it to read the tag just once in a period of time.

Assuming you filtered away all other traffic you could setup a display
filter for that, working of the frame delta time.


> and, I need to parse the MAC address of the tag too.

Which brings us back to the first question: how to identify your tag
if you can't work from the MAC address?


> my sniffer program has to proceed the MAC Address of the tag to a database
> center.

Wireshark does GUI output, not helpful in this case. What you should look at
then in tshark. It does the same thing, just text based. Much easier for
online processing of captured info.

Thanks,
Jaap