Packet capture tools: Wireshark and OmniPeek

【Common filters】

Wireshark capture filters:

Reference:

http://www.tcpdump.org/manpages/pcap-filter.7.html

https://wiki.wireshark.org/CaptureFilters

In capture filters, fddi, tr (Token Ring) and wlan are aliases of ether.

Square brackets below list the accepted values (pick one):

type mgt subtype [assoc-req, assoc-resp, reassoc-req, reassoc-resp, probe-req, probe-resp, beacon, atim, disassoc, auth, deauth]
type ctl subtype [rts, cts, ack, ...]
type data subtype [data, qos-data, ...]
ether proto [ip, ip6, arp, rarp, atalk, aarp, decnet, sca, lat, mopdl, moprc, iso, stp, ipx, netbeui]
ether proto 0x888e
ether src 11:22:33:44:55:66 and ether dst AA:BB:CC:DD:EE:FF
wlan addr1 11:22:33:44:55:66
wlan addr2 AA:BB:CC:DD:EE:FF
tcp port 23 and not src host 10.0.0.5

Byte-index comparisons: expr relop expr, where an expr may be proto[expr:size]. proto is one of ether, fddi, tr, wlan, ppp, slip, link, ip, arp, rarp, tcp, udp, icmp, ip6 or radio, and indicates the protocol layer for the index operation (ether, fddi, wlan, tr, ppp, slip and link all refer to the link layer; radio refers to the "radio header" added to some 802.11 captures). Example: ip[6:2] & 0x1fff = 0 (bytes 6-7 of the IPv4 header masked to the 13-bit fragment offset, so this matches only unfragmented datagrams and first fragments).

RX MAC ------- AA:AA:AA:AA:AA:AA
TX Dev MAC --- BB:BB:BB:BB:BB:BB
TX P2P MAC --- CC:CC:CC:CC:CC:CC

All packets:

(type ctl && (wlan addr1 AA:AA:AA:AA:AA:AA || wlan addr1 BB:BB:BB:BB:BB:BB || wlan addr1 CC:CC:CC:CC:CC:CC)) ||
(type data && (wlan addr1 AA:AA:AA:AA:AA:AA || wlan addr1 CC:CC:CC:CC:CC:CC)) ||
(type mgt && (
  (wlan addr1 AA:AA:AA:AA:AA:AA && (wlan addr2 BB:BB:BB:BB:BB:BB || wlan addr2 CC:CC:CC:CC:CC:CC)) ||
  (wlan addr2 AA:AA:AA:AA:AA:AA && (wlan addr1 BB:BB:BB:BB:BB:BB || wlan addr1 CC:CC:CC:CC:CC:CC)) ||
  (wlan addr1 FF:FF:FF:FF:FF:FF && (wlan addr2 AA:AA:AA:AA:AA:AA || wlan addr2 BB:BB:BB:BB:BB:BB || wlan addr2 CC:CC:CC:CC:CC:CC))
))

Key packets (EAPOL and management frames between the three devices):

(ether proto 0x888e && (wlan addr1 AA:AA:AA:AA:AA:AA || wlan addr1 CC:CC:CC:CC:CC:CC)) ||
(type mgt && (
  (wlan addr1 AA:AA:AA:AA:AA:AA && (wlan addr2 BB:BB:BB:BB:BB:BB || wlan addr2 CC:CC:CC:CC:CC:CC)) ||
  (wlan addr2 AA:AA:AA:AA:AA:AA && (wlan addr1 BB:BB:BB:BB:BB:BB || wlan addr1 CC:CC:CC:CC:CC:CC))
))

Wireshark display filters:

Reference:

https://wiki.wireshark.org/DisplayFilters

https://www.wireshark.org/docs/dfref/

https://www.wireshark.org/docs/dfref/w/wlan.html

(The text after // is an annotation, not part of the filter syntax.)

eth.addr == AA:BB:CC:DD:EE:FF
wlan.addr == AA:BB:CC:DD:EE:FF
wlan.fc.type == 0    // management frame
wlan.fc.type == 1    // control frame
wlan.fc.type == 2    // data frame
wlan.fc.subtype == 4
wlan.fc.type_subtype == 0x00    // mgt assoc req
wlan.fc.type_subtype == 0x01    // mgt assoc rsp
wlan.fc.type_subtype == 0x04    // mgt probe req
wlan.fc.type_subtype == 0x05    // mgt probe rsp
wlan.fc.type_subtype == 0x08    // mgt beacon
wlan.fc.type_subtype == 0x0A    // mgt disassoc
wlan.fc.type_subtype == 0x0B    // mgt auth
wlan.fc.type_subtype == 0x0C    // mgt deauth
wlan.fc.type_subtype == 0x0D    // mgt action
wlan.fc.type_subtype == 0x0E    // mgt action no ack
wlan.ta == AA:BB:CC:DD:EE:FF
wlan.ra == AA:BB:CC:DD:EE:FF
wlan.da == AA:BB:CC:DD:EE:FF
wlan.addr contains AA:BB:CC
ip.addr == 1.2.3.4
tcp.port in {80 443 8080}
tcp.port == 80 || tcp.port == 443 || tcp.port == 8080

wlan type and subtype (Wireshark's wlan.fc.type_subtype is type << 4 | subtype):

Type  Class       Subtype    Description
00    Management  0000       Association request
00    Management  0001       Association response
00    Management  0010       Reassociation request
00    Management  0011       Reassociation response
00    Management  0100       Probe request
00    Management  0101       Probe response
00    Management  0110       Timing Advertisement
00    Management  0111       Reserved
00    Management  1000       Beacon
00    Management  1001       ATIM
00    Management  1010       Disassociation
00    Management  1011       Authentication
00    Management  1100       Deauthentication
00    Management  1101       Action
00    Management  1110       Action No Ack
00    Management  1111       Reserved

01    Control     0000-0110  Reserved
01    Control     0111       Control Wrapper
01    Control     1000       Block Ack Request (BlockAckReq)
01    Control     1001       Block Ack (BlockAck)
01    Control     1010       PS-Poll
01    Control     1011       RTS
01    Control     1100       CTS
01    Control     1101       ACK
01    Control     1110       CF-End
01    Control     1111       CF-End + CF-Ack

10    Data        0000       Data
10    Data        0001       Data + CF-Ack
10    Data        0010       Data + CF-Poll
10    Data        0011       Data + CF-Ack + CF-Poll
10    Data        0100       Null (no data)
10    Data        0101       CF-Ack (no data)
10    Data        0110       CF-Poll (no data)
10    Data        0111       CF-Ack + CF-Poll (no data)
10    Data        1000       QoS Data
10    Data        1001       QoS Data + CF-Ack
10    Data        1010       QoS Data + CF-Poll
10    Data        1011       QoS Data + CF-Ack + CF-Poll
10    Data        1100       QoS Null (no data)
10    Data        1101       Reserved
10    Data        1110       QoS CF-Poll (no data)
10    Data        1111       QoS CF-Ack + CF-Poll (no data)
11    Reserved    0000-1111  Reserved
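As an added example (not part of the original notes), the Python below decodes the 802.11 frame control field the way Wireshark's wlan.fc.type, wlan.fc.subtype and wlan.fc.type_subtype fields do, looks up subtype names from the table above, and applies the "key packets" capture-filter logic from the capture-filter section to four constructed frames. It assumes 3-address, unencrypted frames (no WDS 4-address header); the MAC addresses are the RX/TX placeholders used above and the EAPOL body is a constructed, truncated stand-in.

```python
TYPE_SUBTYPE_NAMES = {  # wlan.fc.type_subtype = (type << 4) | subtype, names from the table
    0x00: "Association request", 0x01: "Association response", 0x04: "Probe request",
    0x05: "Probe response", 0x08: "Beacon", 0x0A: "Disassociation", 0x0B: "Authentication",
    0x0C: "Deauthentication", 0x0D: "Action", 0x1B: "RTS", 0x1C: "CTS", 0x1D: "ACK",
    0x20: "Data", 0x28: "QoS Data",
}
LLC_SNAP = bytes.fromhex("aaaa03000000")   # LLC/SNAP header that precedes the ethertype
EAPOL = 0x888E                              # ether proto 0x888e
RX, TX_DEV, TX_P2P = "AA:AA:AA:AA:AA:AA", "BB:BB:BB:BB:BB:BB", "CC:CC:CC:CC:CC:CC"

def mac_str(b):
    return ":".join(f"{x:02X}" for x in b)

def parse_frame(frame):
    """Return fc.type, fc.subtype, type_subtype, addr1/addr2 and the SNAP ethertype."""
    fc0 = frame[0]                          # version(2) type(2) subtype(4), LSB first
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    info = {"type": ftype, "subtype": subtype, "type_subtype": (ftype << 4) | subtype,
            "addr1": mac_str(frame[4:10]), "addr2": None, "ethertype": None}
    if not (ftype == 1 and subtype in (0xC, 0xD)):   # CTS/ACK carry only addr1 (RA)
        info["addr2"] = mac_str(frame[10:16])        # addr2 is the transmitter (TA)
    if ftype == 2:                          # data: 24-byte header, +2 for QoS subtypes
        body = frame[24 + (2 if subtype & 0x8 else 0):]
        if body.startswith(LLC_SNAP):
            info["ethertype"] = int.from_bytes(body[6:8], "big")
    return info

def is_key_packet(info):
    """Same predicate as the 'key packets' capture filter above."""
    if info["ethertype"] == EAPOL and info["addr1"] in (RX, TX_P2P):
        return True
    if info["type"] == 0:                   # type mgt
        a1, a2 = info["addr1"], info["addr2"]
        return (a1 == RX and a2 in (TX_DEV, TX_P2P)) or (a2 == RX and a1 in (TX_DEV, TX_P2P))
    return False

def build(fc0, addr1, addr2=None, addr3=None, body=b""):
    """Constructed frame: FC, duration, addr1[, addr2, addr3, seq ctl], body."""
    mac = lambda a: bytes.fromhex(a.replace(":", ""))
    hdr = bytes([fc0, 0x00, 0x00, 0x00]) + mac(addr1)
    if addr2 is not None:
        hdr += mac(addr2) + mac(addr3 or addr2) + b"\x00\x00"
    return hdr + body

SAMPLES = {   # constructed sample frames, not captured traffic
    "deauth": build(0xC0, RX, TX_DEV, body=b"\x03\x00"),            # mgt, to RX from DEV
    "beacon": build(0x80, "FF:FF:FF:FF:FF:FF", TX_DEV),             # mgt broadcast
    "eapol": build(0x08, RX, TX_DEV, body=LLC_SNAP + b"\x88\x8e\x02\x03\x00\x5f"),
    "cts": build(0xC4, RX),                                          # ctl, addr1 only
}
```

The broadcast beacon is matched by the "all packets" filter but not by the "key packets" one, which is what the two filters differ on.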

OmniPeek capture filters: configured through the GUI.

OmniPeek display filters: configured through the GUI, or typed in by hand using the expressions below:

addr(wireless:'0E:8B:FD:*:*:*')
addr(ip:'10.4.3.*')
addr(type:ip, addr1:10.4.3.1, addr2:10.5.1.1, dir:1to2)
protocol(protospec:http)
wireless(media:'802.11b', channelnum:1, encrypted:1)
pattern(ascii:'smb', case:off)
pattern(hex:FF464D50)
port(80)
channel(2)
length(min:128, max:256)
filter('SMB')

【Decryption】

Wireless frames can be captured with Wireshark plus an AirPcap adapter, or with OmniPeek plus a supported adapter such as the D-Link card.

Captured frames are usually encrypted. Wireshark can decrypt WEP and WPA; OmniPeek can decrypt WEP, WPA and WPA2.

Wireshark decryption: Edit -> Protocols -> IEEE 802.11 -> Enable decryption & Edit...

Wireshark RTP decode: Analyze -> Decode As... -> RTP, then Telephony -> RTP -> Stream Analysis...

OmniPeek can only decrypt a session if the EAPOL-Key four-way handshake frames were captured.

Ubuntu Wi-Fi capture procedure (airmon-ng creates the monitor interface mon0 on channel 11; iwconfig then retunes it to channel 6):

sudo apt-get install aircrack-ng
sudo airmon-ng start wlan0 11
sudo iwconfig mon0 channel 6
sudo airmon-ng stop mon0

Reference: http://www.humbug.in/2012/wireless-sniffer-on-ubuntu-Linux-capture-analyze-network-traffic/