Wireshark相关

Archlinux系统，安装wireshark踩坑。

Linux系统wireshark找不到网卡问题

安装好了wireshark后普通用户运行发现找不到网卡，查了相关资料说是权限不够。

系统的方法

Installation of Wireshark:
$ sudo pacman -S wireshark

If you run wireshark as a non root user at this stage, you will get
the message “No interface can be used for capturing in this system with the current configuration.”. 
The following steps will rectify this.

1. Create the wireshark group.
   $ sudo groupadd wireshark　　　　# 这一步一般不需要，因为在安装的时候默认创建了这个用户组。

2. Add your username to the wireshark group
   $ sudo usermod -a -G wireshark YOUR_USER_NAME

3. Change the group ownership of file dumpcap to wireshark
   $ sudo chgrp wireshark /usr/bin/dumpcap

4. Change the mode of the file dumpcap to allow execution by the group wireshark
   $ sudo chmod 750 /usr/bin/dumpcap

5. Grant capabilities with setcap, man capabilities(7), setcap(8), cap_from_text(3) for more info about what are "cap_net_raw", "cap_net_admin" and "eip". Anyway, after we grant the capabilities, the dump can perform various network-related operations, use RAW and PACKET sockets; bind to any address for transparent proxying.
   $ sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap

6. Verify the change
   $ sudo getcap /usr/bin/dumpcap
   Output should be like below:
   $ /usr/bin/dumpcap = cap_net_admin,cap_net_raw=eip

7. At this point, you will need to log out, then back into manjaro

目前用的是manjaro，其他的发行版也是类似的操作思路。

简易的方法

gksu -u root /usr/bin/wireshark sudo wireshark

配置

显示格式调整

调整时间格式：View->Time DIsplay Format

Wireshark抓802.11报文

windows系统需要借助特殊网卡才能抓空口包，linux系统可以通过配置抓到空口包。

archlinux： iwconfig：extra/wireless_tools airmon-ng：community/aircrack-ng debian系： sudo apt-get install aircrack-ng

将网卡切换成monitor模式，有多种方式：

• iwconfig：会被Network Manager改成managed模式
• airmon-ng：一句命令即可
• iw：iwconfig的替换

新增了一个虚拟网卡接口 mon0 ，并将 mon0 设置为监听模式。这个命令和上面的 airmon-ng 的效果几乎是一样的，wlan0 仍然保持 managed 模式不变，新增的 mon0 运行在 monitor 模式下。虚拟接口新增之后记得要使用 ifconfig up 启用起来，再通过下面的命令设置频率。

# iw dev wlan0 interface add mon0 type monitor

# ifconfig mon0 up

# iw dev mon0 set freq 2437

https://cstriker1407.info/blog/ubuntu-airmon-ng-wireshark-802-11/

使用airmon-ng切换为monitor模式：

# 首先查看下当前无线网卡
iwconfig
# 切换为monitor模式
sudo airmon-ng start wlan0
# 再次查看，切换成功后会生成一个 mon的网卡，wireshark监听该网卡即可（混淆模式）
iwconfig
#监听完成之后，关闭monitor模式，注意这里关闭的是mon0
sudo airmon-ng stop mon0
#如果网络有问题，可以尝试重启下服务，或者直接重启，有些系统使用systemctl
service NetworkManager restart 

使用iwconfig来切换为monitor模式：

iwconfig wlan0 #首先看下当前网卡的模式，这里为managed模式
sudo ifconfig wlan0 down #先停止wlan0
sudo iwconfig wlan0 mode monitor  #将网卡切为monitor模式
sudo ifconfig wlan0 up #启动wlan0
iwconfig wlan0 #这里可以看到已经切换为monitor模式了，这里就可以使用wireshark抓包了。

sudo ifconfig wlan0 down #先停止
sudo iwconfig wlan0 mode managed #切换
sudo ifconfig wlan0 up #再启动
service NetworkManager restart #如果还是无法上网，可以尝试重启下服务

https://www.zhihu.com/question/28838507

Wireshark 802.11过滤规则

https://arubase.club/archives/6471

一些比较常用的条件表达式

wlan.da - Destination address (Destination Hardware Address)
wlan.sa - Source address (Source Hardware Address)
wlan.addr - Source or Destination address (Source or Destination Hardware Address)
wlan.ra - Recevier address (Receiving Station Hardware Address)
wlan.ta - Transmitter address (Transmitting Hardware Address)
wlan.bssid - BSS id (Basic Service Set ID)
wlan_mgt.ssid - SSID (Indicates the identity of an ESS or IBSS)
wlan.fc.type_subtype - Type/Subtype (Type and subtype combined (first type: type, second type:subtype))

wireshark 802.11 WLAN无线报文分析常用技巧总结：https://blog.csdn.net/neal_hddnwpu/article/details/82586235

实战无线网络分析（篇一）无线监听：https://www.aneasystone.com/archives/2016/08/wireless-analysis-one-monitoring.html

Linux下网卡的混杂模式浅谈：https://www.cnblogs.com/gageshen/articles/12233840.html

Wireshark抓包分析WLAN连接过程：https://blog.csdn.net/random_run/article/details/115223124