slikmik
newbie
Topic Author
Posts: 34
Joined: Mon Mar 06, 2017 6:13 pm

monitor mode

Tue Aug 29, 2017 6:31 pm

hi all
the router we are using is the rb951ui-2hnd
what we are looking at doing is to set up a router, either the one in the venue or a separate one, to monitor mac addresses of devices in the venue and then upload them to a URL of our choice.
googled, but they all seem to point to wireless sniffer, is this correct?
but then we would need to know how to forward to a server

thank you in advance
 
doneware
Trainer
Posts: 647
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: monitor mode

Wed Aug 30, 2017 12:04 pm

start the sniffer on the CLI to save packet (frame) headers [as you said, you need mac addresses only] into a file, then you can download the file from the router or use /tool fetch to upload it somewhere.
the only issue with this is that the sniffer does not seem to work non-interactively. the "once" mode returns on the spot and does not collect data, whereas the other requires user interaction to stop.

the downloaded file is in pcap format:
sniff.pcap: tcpdump capture file (little-endian) - version 2.4 (802.11 with radiotap header, capture length 4096)

to enable recording data to file you should use a similar setup:
/interface wireless sniffer
set file-limit=50 file-name=sniff.pcap multiple-channels=yes only-headers=yes
50 sets the file size limit in kB. but as i said, this is meant for interactive operation, and this is not good for your purposes.

the other handy way to do this is using streaming, where the captured data is sent to you using TZSP to UDP port 37008:
/interface wireless sniffer
set multiple-channels=yes only-headers=yes streaming-enabled=yes streaming-server=your.server.ip.here
now what you receive will look like this (when decoded with wireshark):
Frame 21: 87 bytes on wire (696 bits), 87 bytes captured (696 bits)
Ethernet II, Src: Routerbo_fd:4d:ed (d4:ca:6d:fd:4d:ed), Dst: Apple_29:85:3d (a8:20:66:29:85:3d)
Internet Protocol Version 4, Src: 10.0.0.1, Dst: 10.0.2.130
User Datagram Protocol, Src Port: 52225 (52225), Dst Port: 37008 (37008)
TZSP: IEEE 802.11: Good
IEEE 802.11 Probe Response, Flags: ....R...
    Type/Subtype: Probe Response (0x0005)
    Frame Control Field: 0x5008
    .000 0000 0011 0000 = Duration: 48 microseconds
    Receiver address: LgElectr_c4:e9:cc (40:b0:fa:c4:e9:cc) 
    Destination address: LgElectr_c4:e9:cc (40:b0:fa:c4:e9:cc) <--- DST MAC
    Transmitter address: CiscoInc_26:f6:73 (cc:d5:39:26:f6:73)
    Source address: CiscoInc_26:f6:73 (cc:d5:39:26:f6:73) <--- SRC MAC
    BSS Id: CiscoInc_26:f6:73 (cc:d5:39:26:f6:73)
    .... .... .... 0000 = Fragment number: 0
    0011 1011 1101 .... = Sequence number: 957
[Malformed Packet: IEEE 802.11]
and this goes on indefinitely, until you stop the sniffer on the router. so your listener (tcpdump -n udp and port 37008, or netcat/socat) will receive the TZSP-encapsulated frames. you strip off the TZSP header and there you have the wireless frames with src/dst mac addresses.
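Stripping the TZSP header and reading the addresses out of the 802.11 frame, as an added Python example that is not from this thread or from MikroTik: it walks the TZSP header (version, type, encapsulation, tagged fields up to the END tag) and labels the addresses by role from the To DS / From DS bits, covering control, management, data and 4-address frames. The UDP listener on port 37008 is assumed to hand it one datagram at a time; the sample datagram is constructed to match the probe response in the Wireshark dump (tag values are made up). Requires Python 3.8+ for bytes.hex(":").

```python
import struct
TZSP_ENCAP_80211 = 18  # TZSP encapsulation code for raw IEEE 802.11 frames

def parse_tzsp(datagram):
    """Strip the TZSP header: returns (encapsulation, tags, encapsulated frame)."""
    _version, _ptype, encap = struct.unpack("!BBH", datagram[:4])  # version is 1
    tags, i = {}, 4
    while datagram[i] != 0x01:        # tagged fields run until END; IndexError = no END
        tag, i = datagram[i], i + 1
        if tag == 0x00:               # PADDING is a single byte with no length field
            continue
        length, i = datagram[i], i + 1
        tags[tag], i = datagram[i:i + length], i + length
    return encap, tags, datagram[i + 1:]

def addresses_80211(frame):
    """Label the header addresses by role using the To DS / From DS bits."""
    if len(frame) < 10:
        raise ValueError("802.11 header truncated")
    fc0, fc1 = frame[0], frame[1]
    info = {"type": (fc0 >> 2) & 3, "subtype": fc0 >> 4, "ra": frame[4:10].hex(":")}
    if info["type"] == 1:             # control frame (ACK, RTS, ...): only RA is certain
        return info
    if len(frame) < 24:
        raise ValueError("management/data header truncated")
    a1, a2, a3 = info["ra"], frame[10:16].hex(":"), frame[16:22].hex(":")
    info["seq"] = struct.unpack("<H", frame[22:24])[0] >> 4
    to_ds, from_ds = fc1 & 1, (fc1 >> 1) & 1
    if not to_ds and not from_ds:     # management frames and IBSS data
        info.update(dst=a1, src=a2, bssid=a3)
    elif from_ds and not to_ds:       # AP -> station
        info.update(dst=a1, bssid=a2, src=a3)
    elif to_ds and not from_ds:       # station -> AP
        info.update(bssid=a1, src=a2, dst=a3)
    elif len(frame) >= 30:            # 4-address WDS frame
        info.update(ta=a2, dst=a3, src=frame[24:30].hex(":"))
    else:
        raise ValueError("WDS header truncated")
    return info

def macs_from_datagram(datagram):
    """One TZSP datagram from the router -> role-labelled MAC addresses."""
    encap, _tags, frame = parse_tzsp(datagram)
    if encap != TZSP_ENCAP_80211:
        raise ValueError("not an 802.11 capture (encapsulation %d)" % encap)
    return addresses_80211(frame)

# Constructed sample: TZSP v1, encap 18, RX-channel tag 0x12 (value 6), END, then the
# probe-response header from the Wireshark dump above (FC 50 08, seq 957), no body.
SAMPLE = bytes.fromhex("01000012 120106 01 50083000 40b0fac4e9cc ccd53926f673 ccd53926f673 d03b")
```

With only-headers=yes the frame body is cut off (hence Wireshark's "Malformed Packet"), which is why the parser never reads past the header.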
 
slikmik
newbie
Topic Author
Posts: 34
Joined: Mon Mar 06, 2017 6:13 pm

Re: monitor mode

Wed Aug 30, 2017 4:26 pm

thank you for your help we will give this a go
thank you once again
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: monitor mode

Wed Aug 30, 2017 4:40 pm

When you want to list MAC addresses that are used in traffic flowing across a router (not some router you connected additionally in the network), you can get the ARP table on a regular basis and collect the info from there.
This can be done in a script on the router or even using SNMP from another system that has SNMP access to the router.
I have been doing that on networks for a long time, also collecting switch forwarding tables so I get a nice overview of what systems (IP/MAC) are on the network, on what switchport they are connected, when they were last seen, etc.
 
slikmik
newbie
Topic Author
Posts: 34
Joined: Mon Mar 06, 2017 6:13 pm

Re: monitor mode

Thu Aug 31, 2017 12:02 pm

thank you for your replies, will give them both a go
