I am trying to set up a wireless sniffer using MikroTik and send the stream to a Linux box for further processing. The idea is to find stolen items, even if they are not registered to our access points.
I managed to stream to wireshark, no problem at all, but that does not solve my problem.
Ultimately I need to “log” filtered traffic down to a MySQL database for further processing, in real time or almost real time.
I tried trafr, which seems to be able to get the stream out, but it immediately exits after receiving the first packets of data from the MikroTik sniffer stream.
It looks fine!
Now start the wireless sniffer in MikroTik, and trafr just exits…
[root@lina ~]#
Hmmm…
Does anyone know what the problem with trafr is? Maybe it was not designed for wireless sniffing, only Ethernet, who knows?
Is there another Linux “server” that can receive the stream correctly, remove the encapsulating TZSP and log it to a file or a socket somehow? Can tcpdump do such magic, or tshark/wireshark?
The last step allowed me to convert TZSP captures (streaming from a MikroTik doing a streaming wireless sniff to a machine running wireshark/tcpdump, and capturing on its eth interface) into .cap files that are fully readable by all apps.
Thanks to the author of the GitHub doc/how-to, to the author of the “bittwiste” app (http://bittwist.sourceforge.net/),
and MikroTik!
(Prior to finding this doc, I had spent nearly 12 hours trying to strip out the TZSP data manually from my captures via various methods, including using bittwiste (I was leaving out the “-M 105” option), unsuccessfully too…)
Edit: in case that GitHub file disappears one day, here is the command to use with bittwiste (note the “e”: there are 2 apps, bittwist and bittwiste):
1. Set up streaming server:
/interface wireless sniffer set streaming-server=X.X.X.X
/interface wireless sniffer set streaming-enabled=yes
/interface wireless sniffer set multiple-channels=yes
2. Set up scan list or specific channel(s) (frequencies in MHz):
/interface wireless set scan-list=default
3. Start up the sniffer:
/interface wireless sniffer sniff interface=wlan1
4. Catch the traffic at X.X.X.X with tcpdump:
tcpdump -i eth0 -w in.pcap
You can also use trafr or wireshark for this purpose.
5. Convert in.pcap into usable format:
bittwiste -M 105 -I in.pcap -O out.pcap -D 1-63
-M 105 — IEEE 802.11
-D 1-63 — remove leading TZSP headers
The gist mentioned above has been updated (e.g. listening to UDP 37008 explicitly, not all the interface traffic, and a note on Ethernet TZSP conversion).
I made a quick fork of tzsp2pcap that adds a fake radiotap header and uses DLT_IEEE802_11_RADIO link layer type. This makes the output immediately usable in tcpdump, aircrack-ng, etc.
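As an added example (not the gist's steps above, bittwiste, or the tzsp2pcap fork), here is a small Python decapsulator for the UDP 37008 stream that walks the TZSP tag list instead of cutting a fixed byte range, so it survives tags the router adds or omits, and can prepend an empty radiotap header to produce DLT_IEEE802_11_RADIO output as the fork does. The sample datagram, tag value and MAC addresses are constructed for the test, not captured from a real MikroTik.

```python
"""Decapsulate MikroTik TZSP sniffer datagrams (UDP 37008) into pcap bytes.
Added example; not the gist's, bittwiste's or tzsp2pcap's own code."""
import struct

TZSP_PAD, TZSP_END = 0x00, 0x01            # the two tags with no length byte
ENCAP_ETHERNET, ENCAP_80211 = 0x0001, 0x0012
DLT_EN10MB, DLT_IEEE802_11, DLT_IEEE802_11_RADIO = 1, 105, 127

def strip_tzsp(datagram: bytes) -> tuple[int, bytes]:
    """Return (encapsulated protocol, inner frame) for one TZSP datagram."""
    if len(datagram) < 4:
        raise ValueError("TZSP header truncated")
    version, _kind, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    i = 4
    while True:                            # tag list is terminated by TZSP_END
        if i >= len(datagram):
            raise ValueError("TZSP tag list without end tag")
        tag = datagram[i]
        i += 1
        if tag == TZSP_END:
            return encap, datagram[i:]
        if tag == TZSP_PAD:
            continue
        if i >= len(datagram):             # any other tag: 1-byte length, data
            raise ValueError("TZSP tag length missing")
        i += 1 + datagram[i]

def to_pcap(datagrams, radiotap=False) -> bytes:
    """Build a classic pcap file from TZSP datagrams sharing one link type."""
    records, linktype = [], None
    for d in datagrams:
        encap, frame = strip_tzsp(d)
        lt = {ENCAP_ETHERNET: DLT_EN10MB, ENCAP_80211: DLT_IEEE802_11}[encap]
        if lt == DLT_IEEE802_11 and radiotap:
            frame = struct.pack("<BBHI", 0, 0, 8, 0) + frame  # empty radiotap hdr
            lt = DLT_IEEE802_11_RADIO
        linktype = lt if linktype is None else linktype
        if lt != linktype:
            raise ValueError("mixed link types in one capture")
        records.append(struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535,
                      DLT_IEEE802_11 if linktype is None else linktype)
    return hdr + b"".join(records)

# Constructed sample: TZSP v1, 802.11 encap, one 1-byte TLV tag, end tag,
# then a 24-byte beacon frame header with made-up addresses.
SAMPLE = (bytes([1, 0, 0x00, 0x12, 0x0A, 1, 6, 0x01])
          + b"\x80\x00\x00\x00" + b"\xff" * 6
          + b"\x02\x00\x00\x00\x00\x01" * 2 + b"\x10\x00")
```

Feed it real datagrams by reading the UDP payloads with a socket bound to port 37008 and writing `to_pcap(...)` to a file; the result opens directly in tcpdump or Wireshark.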