
So my question is: I have been trying to work with scapy by sniffing packets going in and out of my computer using a simple `sniff()` and `print pkt.summary()`, and everything was going well. Then I wanted to go a bit further, so I put my wifi adapter into monitor mode to catch other packets, only the packets I am catching seem to be different; I cannot get any info from them. How can these packets be used, and can I catch TCP/UDP packets being sent from other devices like I did when I was sniffing my computer's packets? I am a bit new to all this packet monitoring and its usage, so please go easy.

What I get when I print `pkt.summary()` and `pkt.show()`:

    RadioTap / 802.11 Management 4L 98:0c:82:4c:XX:XX > ff:ff:ff:ff:ff:ff / Dot11ProbeReq / SSID='TELENETHOMESPOT' / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt
    ###[ RadioTap dummy ]###
    version   = 0
    pad       = 0
    len       = 18
    present   = Flags+Rate+Channel+dBm_AntSignal+Antenna+b14
    notdecoded= '\x10\x02\x99\t\xa0\x00\xd3\x05\x00\x00'
    ###[ 802.11 ]###
    subtype   = 4L
    type      = Management
    proto     = 0L
    FCfield   = 
    ID        = 0
    addr1     = ff:ff:ff:ff:ff:ff
    addr2     = 98:0c:82:4c:XX:XX
    addr3     = ff:ff:ff:ff:ff:ff
    SC        = 55360
    addr4     = None
    ###[ 802.11 Probe Request ]###
    ###[ 802.11 Information Element ]###
           ID        = SSID
           len       = 15
           info      = 'TELENETHOMESPOT'
    ###[ 802.11 Information Element ]###
              ID        = Rates
              len       = 4
              info      = '\x02\x04\x0b\x16'
    ###[ 802.11 Information Element ]###
                 ID        = ESRates
                 len       = 8
                 info      = '\x0c\x12\x18$0H`l'
    ###[ 802.11 Information Element ]###
                    ID        = 45
                    len       = 26
                    info      = '\x0c\x10\x19\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
    ###[ 802.11 Information Element ]###
                       ID        = DSset
                       len       = 1
                       info      = '\x0b'
    ###[ 802.11 Information Element ]###
                          ID        = vendor
                          len       = 9
                          info      = '\x00\x10\x18\x02\x00\x00\x00\x00\x00'
    ###[ 802.11 Information Element ]###
                             ID        = vendor
                             len       = 30
                             info      = '\x00\x90L3\x0c\x10\x19\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
    ###[ 802.11 Information Element ]###
                                ID        = 138
                                len       = 37
                                info      = '\xf5x'
gsp8181
Amr El Aswar
  • Do you have WPA encryption on the wireless network you are trying to capture packets from? That would prevent you from seeing anything useful in packets from other devices – gsp8181 Apr 26 '15 at 15:25
  • @gsp8181 Yes, but I have the key; I do not know how to decrypt the data from these packets. I have also tried this on a hotspot and the packets I am getting are the same. I will update the question with an example in a sec. – Amr El Aswar Apr 26 '15 at 16:11
  • @gsp8181 I have added an example of the packet I am collecting from a hotspot. – Amr El Aswar Apr 26 '15 at 16:30

1 Answer

That packet is a type of 802.11 management frame, more specifically a Probe response frame; it is very similar to a beacon frame. When a wireless user wishes to know information about the access point, they send a probe request, and the access point may send a probe response back. It gives information such as SSID, rates, capabilities and other parameters.

If you are trying to decrypt WPA encrypted traffic, it gets a little harder. All traffic by users associated with the AP will be scrambled. If you wish to decrypt it, save the packets to a .pcap file and use a tool such as airdecap-ng on the file.

If you are associated with the wireless network, it would be far easier to perform an ARP poisoning attack using a program such as ettercap. This will trick the other computers on the network into forwarding traffic through your computer, where it can then be inspected as if it were going through your own computer. (Make sure you have permission from the other users, if there are any!)

gsp8181
  • But how come I am only catching packets like these? Can these also be TCP/UDP packets going from the router to the user or vice versa? And would there be a way in Python to directly decrypt these packets? @gsp8181 – Amr El Aswar Apr 26 '15 at 17:12
  • Is there anything else using the connection? Try connecting to another device; I am sure that scapy should show all frames and not just management frames. – gsp8181 Apr 26 '15 at 17:22
  • I am not sure if this could be causing it, but I added this to get packets from only that AP: `if "TELENETHOMESPOT" in pkt.summary():`. Could this be causing that? @gsp8181 – Amr El Aswar Apr 26 '15 at 17:31
  • Also, how come it is encrypted when the AP is a hotspot with no security? Sorry for the questions, I just need some enlightenment. – Amr El Aswar Apr 26 '15 at 18:02
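Added example (not code from the question or the answer): a small pure-Python dissector for the RadioTap + 802.11 structure that `pkt.show()` printed above. It decodes the RadioTap header (the `notdecoded` bytes are the Flags, Rate, Channel, dBm_AntSignal, Antenna and RX-flags fields named in `present`), then the 802.11 frame control word, then the information elements of a management frame; for data frames it checks the Protected Frame bit: when it is set the body is TKIP/CCMP ciphertext (which is why WPA traffic from other devices is unreadable until it is decrypted with something like airdecap-ng), and when it is clear the body is LLC/SNAP followed by an IP packet whose TCP/UDP ports are readable. Two details from the dump are worth knowing. The RadioTap Flags value 0x10 means the capture still carries the 4-byte FCS, which is consistent with the last element in the dump (ID 138, declared length 37, two bytes of data) being the FCS misread as an element, so the dissector strips it. And a filter such as `"TELENETHOMESPOT" in pkt.summary()` only matches frames that carry the SSID as text, i.e. management frames; data frames name the network only by BSSID, so such a filter never shows them. All bytes are constructed to mimic the question's probe request; the MAC addresses, IP addresses and the "ciphertext" are placeholders, and the RadioTap decoder only handles the present bits that appear in the question.

```python
# Added example: minimal RadioTap + 802.11 dissector in plain Python. All frame bytes are
# constructed; MAC addresses are placeholders.
import struct

FRAME_TYPES = {0: "Management", 1: "Control", 2: "Data", 3: "Extension"}
MGMT_SUBTYPES = {0: "AssocReq", 1: "AssocResp", 4: "ProbeReq", 5: "ProbeResp",
                 8: "Beacon", 11: "Auth", 12: "Deauth"}
IE_NAMES = {0: "SSID", 1: "Rates", 3: "DSset", 50: "ESRates", 221: "vendor"}
RT_FIELDS = {1: ("Flags", "B", 1), 2: ("Rate", "B", 1), 3: ("Channel", "HH", 2),  # present bit ->
             5: ("dBm_AntSignal", "b", 1), 11: ("Antenna", "B", 1), 14: ("RXFlags", "H", 2)}  # (name, fmt, align)


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_radiotap(buf):
    """Decode the RadioTap header; return (fields, the 802.11 frame that follows it)."""
    version, _pad, length, present = struct.unpack_from("<BBHI", buf, 0)
    if version != 0 or not 8 <= length <= len(buf):
        raise ValueError("bad RadioTap header")
    fields, off = {}, 8
    for bit in (b for b in range(32) if present >> b & 1):   # fields appear in bit order
        if bit not in RT_FIELDS:
            raise ValueError(f"RadioTap present bit {bit} is not handled by this example")
        name, fmt, align = RT_FIELDS[bit]
        off += (-off) % align                                  # each field is naturally aligned
        vals = struct.unpack_from("<" + fmt, buf, off)
        fields[name] = vals[0] if len(vals) == 1 else vals
        off += struct.calcsize("<" + fmt)
    return {"len": length, "present": present, **fields}, buf[length:]


def parse_ies(body):
    """Walk the (ID, length, info) information elements; flag a length running past the end."""
    ies, off = [], 0
    while off + 2 <= len(body):
        ie_id, ie_len = body[off], body[off + 1]
        info = body[off + 2:off + 2 + ie_len]
        ies.append({"id": IE_NAMES.get(ie_id, ie_id), "len": ie_len, "info": info})
        if len(info) < ie_len:
            return ies, True
        off += 2 + ie_len
    return ies, off != len(body)


def parse_data_payload(body, protected):
    """A data frame body is either ciphertext or LLC/SNAP followed by an IP packet."""
    if protected:
        # Protected Frame bit set: TKIP/CCMP ciphertext, unreadable without the pairwise key.
        return {"payload": "encrypted", "cipher_hdr": body[:8].hex()}
    if body[:8] != b"\xaa\xaa\x03\x00\x00\x00\x08\x00":
        return {"payload": "not IPv4 over LLC/SNAP"}
    ip = body[8:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    res = {"payload": "IPv4", "src": ".".join(map(str, ip[12:16])),
           "dst": ".".join(map(str, ip[16:20])), "l4": {6: "TCP", 17: "UDP"}.get(proto, proto)}
    if proto in (6, 17):                 # TCP and UDP both begin with source and destination port
        res["sport"], res["dport"] = struct.unpack_from(">HH", ip, ihl)
    return res


def parse_dot11(frame, fcs_present=False):
    """Decode the 802.11 MAC header and dispatch on the frame type."""
    frame = frame[:-4] if fcs_present else frame     # else the FCS is misread as a final, truncated IE
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype, flags = (fc >> 2) & 3, (fc >> 4) & 0xF, fc >> 8
    hdr = 24 + (6 if (flags & 3) == 3 else 0) + (2 if ftype == 2 and subtype & 8 else 0)  # addr4, QoS
    out = {"type": FRAME_TYPES[ftype], "subtype": subtype, "protected": bool(flags & 0x40),
           "addr1": mac(frame[4:10]), "addr2": mac(frame[10:16]), "addr3": mac(frame[16:22])}
    body = frame[hdr:]
    if ftype == 0:
        out["subtype"] = MGMT_SUBTYPES.get(subtype, subtype)
        fixed = {0: 4, 1: 6, 5: 12, 8: 12}.get(subtype, 0)   # fixed fields before the IEs
        out["ies"], out["truncated"] = parse_ies(body[fixed:])
        ssids = [ie["info"].decode("utf-8", "replace") for ie in out["ies"] if ie["id"] == "SSID"]
        out["ssid"] = ssids[0] if ssids else None
    elif ftype == 2:
        out["subtype"] = "QoSData" if subtype & 8 else "Data"
        out.update(parse_data_payload(body, out["protected"]))
    return out


def dissect(buf):
    rt, frame = parse_radiotap(buf)
    return {"radiotap": rt, **parse_dot11(frame, bool(rt.get("Flags", 0) & 0x10))}  # 0x10: FCS kept


BCAST, STA, AP = b"\xff" * 6, bytes.fromhex("980c824c0001"), bytes.fromhex("020000000001")
# Probe request shaped like the question's: RadioTap len 18 (Flags 0x10, 1 Mbps, 2457 MHz, -45 dBm),
# SSID / Rates / ESRates / DSset elements, then the 4-byte FCS.
PROBE_REQ = (bytes.fromhex("00 00 12 00 2e 48 00 00 10 02 99 09 a0 00 d3 05 00 00")
             + bytes.fromhex("40 00 00 00") + BCAST + STA + BCAST + bytes.fromhex("40 d8")
             + bytes([0, 15]) + b"TELENETHOMESPOT" + bytes.fromhex("01 04 02 04 0b 16")
             + bytes.fromhex("32 08 0c 12 18 24 30 48 60 6c") + bytes.fromhex("03 01 0b")
             + bytes.fromhex("8a 25 f5 78"))
RT_MIN = bytes.fromhex("00 00 08 00 00 00 00 00")          # RadioTap header with no fields
# WPA-protected data frame (ToDS + Protected flags): CCMP header, then constructed ciphertext.
WPA_DATA = (RT_MIN + bytes.fromhex("08 41 00 00") + AP + STA + AP + bytes.fromhex("10 00")
            + bytes.fromhex("01 00 00 20 00 00 00 00 de ad be ef ca fe f0 0d 12 34 56 78"))
# Open-network data frame: LLC/SNAP, IPv4 192.168.1.20 -> 192.168.1.1, UDP 40000 -> 53.
OPEN_DATA = (RT_MIN + bytes.fromhex("08 01 00 00") + AP + STA + AP + bytes.fromhex("20 00")
             + bytes.fromhex("aa aa 03 00 00 00 08 00")
             + bytes.fromhex("45 00 00 1c 00 01 00 00 40 11 00 00 c0 a8 01 14 c0 a8 01 01")
             + bytes.fromhex("9c 40 00 35 00 08 00 00"))

if __name__ == "__main__":
    print(*(dissect(b) for b in (PROBE_REQ, WPA_DATA, OPEN_DATA)), sep="\n")
```

Run it directly to print the three dissections, or feed `dissect()` the raw bytes of a sniffed frame (`raw(pkt)` in current scapy). Calling `parse_dot11(PROBE_REQ[18:])` without FCS stripping reproduces the dump's odd trailing element (ID 138, length 37, truncated), while `dissect()` strips the FCS and the elements end cleanly at the DSset.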