Capture WiFi / WLAN / 802.11 Probe Request with tcpdump

A Probe Request is a special type of WLAN frame sent by a client device (for example your smartphone) to ask all nearby access points to announce their presence. This lets you find out whether smartphones or other Wi-Fi-enabled devices are close to you. Since many users want to use Probe Requests to identify devices, one caveat first:
The Probe Request can include the MAC address of the target router as well as the MAC address of the device itself. BUT a few years ago Apple started sending random MAC addresses on the iPhone. This makes unique identification impossible on an iPhone that is not associated with a WLAN network. On Android it is also possible to randomize the MAC address.
Anyway, here is how to capture 802.11 Probe Requests with tcpdump:
1. Download and install tcpdump (on macOS it is usually preinstalled):

sudo apt-get install tcpdump

2. Set your Wi-Fi adapter to monitor mode. (I'm not 100% sure this is necessary, but I also enabled promiscuous mode.)

sudo ifconfig wlan0 promisc

iwconfig wlan0 mode monitor

(you can also use airmon-ng) or work around it with dumpcap:

sudo dumpcap -I -i wlan0

Wait a moment and then press Ctrl + C 😉
3. Start tcpdump:

tcpdump -i wlan0 -e -s 256 type mgt subtype probe-resp or subtype probe-req

or with a filter for some MAC addresses and saving to a .pcap file (you can analyse the pcap later with Wireshark):

sudo tcpdump -i wlan0 -w cap-all-xmeter-barriers.pcap -e -s 0 type mgt subtype probe-req and not \(ether host 08:08:08:08:11:22 and ether host 10:23:08:08:22:ac\)

[Figure: number of probe requests over time on a Nexus 4]
For my experiments I'm using an Alfa AWUS036NH WLAN adapter. I can totally recommend it.
When you get this error:
tcpdump: 802.11 link-layer types supported only on 802.11
you need to set the link type:

tcpdump -i wlan0 --linktype=IEEE802_11 -e -s 256 type mgt subtype probe-resp or subtype probe-req



3 comments on “Capture WiFi / WLAN / 802.11 Probe Request with tcpdump”

  1. I’m doing something a bit different and more detailed.

    I’m using the command:

    tcpdump -l -I -i en0 -e -s 0 'type mgt and subtype beacon' -w beacon.pcap -c 500 -vvv

    to capture wifi beacons from my Mac. I’m looking for a way to parse detailed info from the pcap file. The details that I need:

    Tag: QBSS Load Element 802.11e CCA Version
    Tag Number QBSS Load Element (11)
    Tag length: 5
    QBSS Version: 2
    Station Count: 0 <—— Need this
    Channel Utilization: 39 (15%). <—— Need this
    Available Admission Capacity: 0 (0 us/s)

    BUT, I need to do this for a specific BSSID.

    To summarize my goal:
    Need to capture beacons from my MAC. Read the capture file, filtering on the BSSID. Then somehow dump out the QBSS info.

    Note: I will be using the solution in a shell script that will be exported to other MACs. Tshark is not an option.
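Both the post (save probe requests with `-w` and look at them later) and the comment above (read beacons back from a pcap, filter on a BSSID, pull out the QBSS Load element without tshark) come down to parsing the management frames tcpdump wrote. The following is an added example, not code from the post or the commenter: a small standard-library parser for a classic pcap file that reports every probe request (source MAC, whether that MAC has the locally-administered bit set, which is what a randomized iOS/Android address looks like, and the requested SSID) and the QBSS Load element of every beacon keyed by BSSID. It handles link type 105 (raw 802.11, what `--linktype=IEEE802_11` produces) and 127 (radiotap, the usual output of Linux monitor-mode captures). The capture it runs on is constructed in the block itself; the MAC addresses, SSID and QBSS values are made-up sample data.

```python
# Added example, not code from the post or its commenter: parse a tcpdump .pcap of
# 802.11 management frames. Returns probe requests (source MAC, randomized-MAC flag,
# requested SSID) and each beacon's QBSS Load element keyed by BSSID. Handles link
# type 105 (raw 802.11, as --linktype=IEEE802_11 writes) and 127 (radiotap).
import struct

LINKTYPE_IEEE802_11, LINKTYPE_RADIOTAP = 105, 127
SUBTYPE_PROBE_REQ, SUBTYPE_BEACON = 4, 8
EID_SSID, EID_QBSS_LOAD = 0, 11

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def is_locally_administered(raw):
    # U/L bit (bit 1 of the first octet): set on randomized MACs, clear on vendor-assigned ones
    return bool(raw[0] & 0x02)

def read_pcap(data):
    """Yield (linktype, packet) for every record of a classic (non-pcapng) pcap."""
    magic = struct.unpack("<I", data[:4])[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len

def parse_ies(body):
    """Information elements are (id, length, value) triples until the body ends."""
    ies, off = {}, 0
    while off + 2 <= len(body):
        eid, ln = body[off], body[off + 1]
        ies[eid] = body[off + 2:off + 2 + ln]
        off += 2 + ln
    return ies

def parse_mgmt_frames(pcap_bytes):
    probes, qbss_by_bssid = [], {}
    for linktype, pkt in read_pcap(pcap_bytes):
        if linktype == LINKTYPE_RADIOTAP:
            # radiotap header: version(1) pad(1) length(2, LE) ... then the 802.11 frame
            pkt = pkt[struct.unpack("<H", pkt[2:4])[0]:]
        elif linktype != LINKTYPE_IEEE802_11:
            raise ValueError(f"unsupported link type {linktype}")
        if len(pkt) < 24:
            continue
        ftype, subtype = (pkt[0] >> 2) & 0x3, pkt[0] >> 4
        if ftype != 0:                       # management frames only
            continue
        src, bssid, body = pkt[10:16], pkt[16:22], pkt[24:]   # addr2, addr3, frame body
        if subtype == SUBTYPE_PROBE_REQ:     # body starts directly with the IEs
            ies = parse_ies(body)
            probes.append({"src": mac_str(src), "randomized": is_locally_administered(src),
                           "ssid": ies.get(EID_SSID, b"").decode("utf-8", "replace")})
        elif subtype == SUBTYPE_BEACON:      # timestamp(8) interval(2) capability(2), then IEs
            el = parse_ies(body[12:]).get(EID_QBSS_LOAD)
            if el is not None and len(el) == 5:   # 802.11e form: count(2) util(1) aac(2), LE
                count, util, aac = struct.unpack("<HBH", el)
                qbss_by_bssid[mac_str(bssid)] = {
                    "station_count": count, "channel_utilization": util,
                    "utilization_pct": round(util * 100 / 255), "available_admission_capacity": aac}
    return probes, qbss_by_bssid

# --- constructed sample capture (synthetic frames, not a real recording) ---
def ie(eid, value):
    return bytes([eid, len(value)]) + value

def mgmt_frame(subtype, src, bssid, body, dst=b"\xff" * 6):
    # frame control (type 0 / subtype), duration, addr1=dst, addr2=src, addr3=bssid, seq ctrl
    return bytes([subtype << 4, 0]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body

def build_pcap(frames, linktype=LINKTYPE_IEEE802_11):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        if linktype == LINKTYPE_RADIOTAP:    # minimal 8-byte radiotap header with no fields
            frame = b"\x00\x00\x08\x00" + b"\x00" * 4 + frame
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

AP = bytes.fromhex("aabbccddeeff")
SAMPLE_FRAMES = [
    # probe request from a randomized MAC (U/L bit set) with a wildcard SSID
    mgmt_frame(SUBTYPE_PROBE_REQ, bytes.fromhex("da1b2c3d4e5f"), b"\xff" * 6,
               ie(EID_SSID, b"") + ie(1, b"\x82\x84\x8b\x96")),
    # directed probe request from a vendor-assigned MAC asking for "HomeNet"
    mgmt_frame(SUBTYPE_PROBE_REQ, bytes.fromhex("001122334455"), b"\xff" * 6,
               ie(EID_SSID, b"HomeNet") + ie(1, b"\x82\x84")),
    # beacon from the AP carrying a QBSS Load element: 0 stations, utilization 39/255
    mgmt_frame(SUBTYPE_BEACON, AP, AP, b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)
               + ie(EID_SSID, b"HomeNet") + ie(EID_QBSS_LOAD, struct.pack("<HBH", 0, 39, 0))),
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)
SAMPLE_PCAP_RADIOTAP = build_pcap(SAMPLE_FRAMES, LINKTYPE_RADIOTAP)

if __name__ == "__main__":
    print(parse_mgmt_frames(SAMPLE_PCAP))
```

To use it on a real file, pass `open("cap-all-xmeter-barriers.pcap", "rb").read()` to `parse_mgmt_frames` and index the returned QBSS dictionary with the BSSID you care about; the "Channel Utilization: 39 (15%)" line Wireshark shows is the raw byte plus the same 39/255 percentage the parser computes. The locally-administered flag is the quickest check for the randomization the post warns about: a probe request whose source MAC has that bit set cannot be tied to a specific device by address alone.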
