wireless sniffer streaming to a server

steen · Sat Apr 11, 2015 11:03 am

Hello Folks!

I try to setup a wireless sniffer using mikrotik and send the stream to a linux box for further processing. Idea is to find stolen items, even if they are not registered to our access points.

I managed to stream to wireshark, no problem at all, but that does not solve my problem.
Ultimately I need to "log" filtered traffic down to mysql database for further processing, in real time, or almost real time.

I tried trafr which seems to be able get the stream out, but it immediate exits after receiving the first packages of data from mikrotik sniffer stream.

Staring trafr:
[root@lina ~]# ./trafr -s | tcpdump -r - -n
reading from file -, link-type EN10MB (Ethernet)

It looks fine!
Now start the wireless sniffer in mikrotik, and trafr just exits...
[root@lina ~]#

Hmmm....

Anyone who know what is problem with trafr, maybe it was not designed for wireless sniffing, only ethernet who knows ?

Is there another linux "server" that can receive the stream correctly and remove the encapsulating TZSP and log it to a file or a socket in a way. Can tcpdump do such magics or tshark/wireshark ?

tatsugot · Wed Aug 24, 2016 3:23 pm

I am trying to do something similar and facing same problem , what did you do?

Sob · Thu Aug 25, 2016 3:45 pm

Another program that can receive TZSP is tzsp2pcap.

jo2jo · Sat Nov 26, 2016 7:38 am

hey, look into this:

https://gist.github.com/jabberd/b9d6a29098a5b8f1ee45

The last step allowed me to convert tzsp captures (streaming from a mikrotik doing a streaming wireless sniff to a machine running wireshark/tcpdump , and capturing on its eth interface ) into .cap files that a fully readable by all apps.

thanks to the author of the github doc/how to, and to the author of "bittwiste" app (http://bittwist.sourceforge.net/)
and mikrotik!
(prior to finding this doc, i had spent nearly 12 hours trying to strip out the tzsp data manually from my captures via various methods, inculding using bittwiste (i was leaving out the "-M 105" option), unsuccessfully too....

)

edit: incase that github file disappears one day, here is the command to use with bittwiste (note the "e" there are 2 apps , bittwist and bittwiste )

1. Set up streaming server:
/interface wireless sniffer set streaming-server=X.X.X.X
/interface wireless sniffer set streaming-enabled=yes
/interface wireless sniffer set multiple-channels=yes

2. Set up scan list or specific channel(s) (frequencies in MHz):
/interface wireless set scan-list=default

3. Start up the sniffer:
/interface wireless sniffer sniff interface=wlan1

4. Catch the traffic at X.X.X.X with tcpdump:
tcpdump -i eth0 -w in.pcap

You can also use trafr or wireshark for this purpose.

5. Convert in.pcap into usable format:
bittwiste -M 105 -I in.pcap -O out.pcap -D 1-63

-M 105 — IEEE 802.11
-D 1-63 — remove leading TZSP headers

source: user "jabberd"
https://gist.github.com/jabberd/b9d6a29098a5b8f1ee45

jabberd · Tue Feb 28, 2017 2:17 pm

The gist mentioned above has been updated (e.g. listening to UDP 37008 explicitly, not all the interface traffic, and a note on Ethernet TZSP conversion).

R1CH · Wed Mar 01, 2017 1:41 am

I made a quick fork of tzsp2pcap that adds a fake radiotap header and uses DLT_IEEE802_11_RADIO link layer type. This makes the output immediately usable in tcpdump, aircrack-ng, etc.

https://github.com/notr1ch/tzsp2pcap

wireless sniffer streaming to a server

wireless sniffer streaming to a server

Re: wireless sniffer streaming to a server

Re: wireless sniffer streaming to a server

Re: wireless sniffer streaming to a server

Re: wireless sniffer streaming to a server

Re: wireless sniffer streaming to a server

Who is online