Reputation: 21
I am writing a wireless packet sniffer program in C. I have set my wireless interface in monitor mode using airmon-ng, and now I am sniffing on the interface "mon0". I am using Linux (Ubuntu 10.10).
I want to set a MAC address as the filter for the packets. I have done it as shown below, but it says "mon0 no IPV4 address assigned".
    pcap_lookupnet(dev, &net, &mask, errbuf);
    printf("%s\n", errbuf);
    /* Open the session in promiscuous mode */
    handle = pcap_open_live(dev, BUFSIZ, 1, 1000, errbuf);
    if (handle == NULL) {
        printf("Couldn't open device %s: %s\n", dev, errbuf);
        return 2;
    }
    if (pcap_compile(handle, &fp, argv[0], 0, net) == -1) {
        fprintf(stderr, "Error calling pcap_compile\n");
        exit(1);
    }
    if (pcap_setfilter(handle, &fp) == -1) {
        fprintf(stderr, "Error setting filter\n");
        exit(1);
    }
    /* The call pcap_loop() and pass our callback function */
    pcap_loop(handle, 10, my_callback, NULL);
Please help me: how can I set the filter for a MAC address?
Upvotes: 0
Views: 5315
Reputation:
"no IPV4 address assigned" is an error from pcap_lookupnet(). All it means is that the network interface on which you're trying to capture does not have an IPv4 address assigned to it. What airmon-ng did was to create a "monitor" interface for the Wi-Fi adapter; the regular network interface for the adapter might have an IP address assigned to it, but the monitor interface won't have one.
The only place where the IP address matters is for ip broadcast filter expressions; if you're not filtering for IPv4 broadcast addresses, which you probably won't be, there's no need to get the IPv4 address. To quote the pcap_compile() man page:
If the netmask of the network on which packets are being captured isn't known to the program, or if packets are being captured on the Linux "any" pseudo-interface that can capture on more than one network, a value of 0 can be supplied; tests for IPv4 broadcast addresses won't be done correctly, but all other tests in the filter program will be OK.
so just pass 0 as the "net" argument to pcap_compile().
If you want to search for packets being sent to a particular MAC address, you can just use wlan dst XX:XX:XX:XX:XX:XX; if you want to search for packets being sent from a particular MAC address, you can just use wlan src XX:XX:XX:XX:XX:XX; if you want to search for packets being sent to or from a particular MAC address, you can just use wlan host XX:XX:XX:XX:XX:XX. If you care about the access point address, rather than the station address, you'll need to use filters such as wlan ra XX:XX:XX:XX:XX:XX or wlan ta XX:XX:XX:XX:XX:XX, at least with newer versions of libpcap. (See the pcap-filter man page or, if you don't have a pcap-filter man page, the tcpdump man page for details.)
Upvotes: 5
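As an added example (not code from the question, the answer, or libpcap), here is which bytes of a monitor-mode packet the receiver-address and transmitter-address tests mentioned in the answer look at, written as checks a capture callback could run itself. It assumes the monitor interface delivers radiotap-prefixed frames (pcap_datalink() returning DLT_IEEE802_11_RADIO); the function names match_ra and match_ta and the sample frames are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Radiotap stores its own total length, little-endian, at bytes 2-3; the
 * 802.11 header starts right after it. Returns 0 for a malformed capture. */
static size_t radiotap_len(const uint8_t *pkt, size_t caplen)
{
    if (caplen < 8) return 0;
    size_t len = (size_t)pkt[2] | ((size_t)pkt[3] << 8);
    return (len >= 8 && len <= caplen) ? len : 0;
}

/* Receiver address (address 1): present in every 802.11 frame. */
int match_ra(const uint8_t *pkt, size_t caplen, const uint8_t *mac)
{
    size_t off = radiotap_len(pkt, caplen);
    if (off == 0 || caplen - off < 10) return 0;  /* FC + duration + addr1 */
    return memcmp(pkt + off + 4, mac, 6) == 0;
}

/* Transmitter address (address 2): absent from CTS and ACK control frames. */
int match_ta(const uint8_t *pkt, size_t caplen, const uint8_t *mac)
{
    size_t off = radiotap_len(pkt, caplen);
    if (off == 0 || caplen - off < 16) return 0;  /* ... + addr2 */
    unsigned type = (pkt[off] >> 2) & 0x3, subtype = (pkt[off] >> 4) & 0xf;
    if (type == 1 && (subtype == 0xc || subtype == 0xd)) return 0;
    return memcmp(pkt + off + 10, mac, 6) == 0;
}

/* Constructed sample data (locally administered MACs, not real captures). */
static const uint8_t ap_mac[6]  = {0x02, 0, 0, 0, 0, 0x01};
static const uint8_t sta_mac[6] = {0x02, 0, 0, 0, 0, 0x02};
static const uint8_t data_to_ap[] = {   /* station -> AP data frame */
    0, 0, 8, 0, 0, 0, 0, 0,             /* minimal 8-byte radiotap header */
    0x08, 0x01, 0, 0,                   /* frame control: data, ToDS; duration */
    0x02, 0, 0, 0, 0, 0x01,             /* addr1 = RA (the AP) */
    0x02, 0, 0, 0, 0, 0x02,             /* addr2 = TA (the station) */
    0x02, 0, 0, 0, 0, 0x03, 0, 0 };     /* addr3, sequence control */
static const uint8_t ack_to_sta[] = {   /* ACK: carries an RA but no TA */
    0, 0, 8, 0, 0, 0, 0, 0,  0xd4, 0, 0, 0,  0x02, 0, 0, 0, 0, 0x02 };

int main(void)
{
    printf("data: ra=AP %d ta=STA %d\n", match_ra(data_to_ap, sizeof data_to_ap, ap_mac),
           match_ta(data_to_ap, sizeof data_to_ap, sta_mac));
    printf("ack:  ra=STA %d ta=STA %d\n", match_ra(ack_to_sta, sizeof ack_to_sta, sta_mac),
           match_ta(ack_to_sta, sizeof ack_to_sta, sta_mac));
    return 0;
}
```

In a real sniffer the compiled filter does this work before the callback is invoked; doing it by hand is mainly useful for checking that a filter selects the frames you expect.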