Packet capture notes
These notes cover the principles, implementation and techniques of packet capture, with emphasis on Wi-Fi (802.11) capture.
To do
Finish the sniffer_wireshark document
Finish the sniffer_hub_switch document
Finish the sniffer_80211 document
References
Radiotap is a de facto standard for 802.11 frame injection and reception
PCAP next generation file format specification
Npcap/WiFi adapters
Operation Ivy Bells (Cold War undersea cable tapping; background reading on the history of wiretapping)
https://www.navalorder.org/national-history-day-winner-2021-operation-ivy-bells
https://en.wikipedia.org/wiki/Operation_Ivy_Bells
Packet capture implementation
Using tcpdump
Using Wireshark
Remote capture
Capture hardware
Wi-Fi capture
Removing the interface from NetworkManager
Most desktop Linux distributions use NetworkManager to manage the network. While we are capturing, NetworkManager will undo our temporary changes to the interface (link state, mode, channel), so to avoid that interference the capture interface should be taken out of NetworkManager's control.
nmcli is the command-line tool that controls NetworkManager and shows network status; it is used here to manage interfaces. First list the devices and their state:
nmcli device status
DEVICE   TYPE      STATE                   CONNECTION
enp0s3   ethernet  connected               Wired connection 1
lxcbr0   bridge    connected (externally)  lxcbr0
lo       loopback  unmanaged               --
Then mark the capture interface as unmanaged, and return it to NetworkManager when the capture is finished (lxcbr0 is only the device from the listing above; for Wi-Fi capture use the wireless interface):
nmcli device set lxcbr0 managed no   # remove lxcbr0 from NetworkManager control
nmcli device set lxcbr0 managed yes  # return lxcbr0 to NetworkManager control
This is a runtime setting and does not survive a reboot; for a permanent exclusion add the interface to unmanaged-devices in the [keyfile] section of NetworkManager.conf.
Stopping the system's wpa_supplicant and hostapd
The sudo systemctl disable wpa_supplicant + sudo systemctl stop wpa_supplicant will ONLY temporarily disable the wpa_supplicant service, until the network manager restarts and/or the system reboots.
So, the way to correctly and/or completely disable the wpa_supplicant service from running again in the future, even after the network manager restarts and/or the system reboots, is to mask the service, i.e.
systemctl mask wpa_supplicant.service
etc., as pointed out in this article. This will create a symbolic link
/etc/systemd/system/wpa_supplicant.service → /dev/null
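The whole preparation sequence above (unmanage the interface, mask wpa_supplicant) followed by the step it exists for, switching the interface to monitor mode on one channel, as a single script. This is an added example for these notes, not code from nmcli, NetworkManager, iw or any project on the page; it assumes the standard nmcli, systemctl, ip and iw command lines. The function names, the dry_run switch and the sample nmcli output are this example's own.

```python
"""Take a Wi-Fi interface away from NetworkManager, mask wpa_supplicant and
switch the interface to monitor mode on one channel (plus the reverse).

Added example: wraps the standard nmcli / systemctl / ip / iw commands.
The default is a dry run that only renders the commands; pass dry_run=False
(or --run on the command line) to execute them as root."""
import shlex
import subprocess
import sys
from typing import List

# Constructed sample of `nmcli -t -f DEVICE,TYPE,STATE device status`
# (terse mode: one device per line, fields separated by ':').
SAMPLE_STATUS = """enp0s3:ethernet:connected
wlan0:wifi:disconnected
lxcbr0:bridge:connected (externally)
lo:loopback:unmanaged
"""


def wifi_devices(nmcli_status: str) -> List[str]:
    """Names of devices whose TYPE column is 'wifi' in terse nmcli output."""
    names = []
    for line in nmcli_status.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "wifi":
            names.append(fields[0])
    return names


def capture_plan(dev: str, channel: int) -> List[List[str]]:
    """Commands, in order, that turn `dev` into an unmanaged monitor interface."""
    return [
        # stop NetworkManager from resetting the interface while we capture
        ["nmcli", "device", "set", dev, "managed", "no"],
        # mask rather than stop: a masked unit cannot be started again behind our back
        ["systemctl", "mask", "--now", "wpa_supplicant.service"],
        # the interface type can only be changed while the link is down
        ["ip", "link", "set", dev, "down"],
        ["iw", "dev", dev, "set", "type", "monitor"],
        ["ip", "link", "set", dev, "up"],
        ["iw", "dev", dev, "set", "channel", str(channel)],
    ]


def restore_plan(dev: str) -> List[List[str]]:
    """Undo capture_plan: back to managed mode and NetworkManager control."""
    return [
        ["ip", "link", "set", dev, "down"],
        ["iw", "dev", dev, "set", "type", "managed"],
        ["ip", "link", "set", dev, "up"],
        ["systemctl", "unmask", "wpa_supplicant.service"],
        ["nmcli", "device", "set", dev, "managed", "yes"],
    ]


def run_plan(plan: List[List[str]], dry_run: bool = True) -> List[str]:
    """Render each command as a shell line and, unless dry_run, execute it.
    check=True aborts on the first failing command so later steps never run
    against a half-configured interface."""
    rendered = []
    for argv in plan:
        rendered.append(shlex.join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)
    return rendered


def prepare(dev: str, channel: int, nmcli_status: str, dry_run: bool = True) -> List[str]:
    """Refuse non-wifi devices: nmcli would happily unmanage an Ethernet port."""
    if dev not in wifi_devices(nmcli_status):
        raise ValueError(f"{dev} is not a wifi device according to nmcli")
    if channel < 1:
        raise ValueError(f"invalid channel {channel}")
    return run_plan(capture_plan(dev, channel), dry_run)


if __name__ == "__main__":
    # usage: wifi_capture_prep.py <iface> <channel> [--run] [--restore]
    dev, channel = sys.argv[1], int(sys.argv[2])
    status = subprocess.check_output(
        ["nmcli", "-t", "-f", "DEVICE,TYPE,STATE", "device", "status"], text=True)
    dry = "--run" not in sys.argv
    if "--restore" in sys.argv:
        lines = run_plan(restore_plan(dev), dry)
    else:
        lines = prepare(dev, channel, status, dry)
    print("\n".join(lines))
```

Run it once without --run to see the exact commands it would issue, then with --run as root. The script masks wpa_supplicant with --now (mask and stop in one step) for the reason given in the quoted text: a stopped-but-unmasked unit can be started again by NetworkManager. Whether monitor mode works at all depends on the driver and adapter; see the Npcap/WiFi adapters reference.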
pcapng format
https://pcapng.com/
https://www.ietf.org/archive/id/draft-tuexen-opsawg-pcapng-05.html
https://github.com/IETF-OPSAWG-WG/draft-ietf-opsawg-pcap
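A minimal reader for the format, as an added example for these notes (not code from the pcapng draft authors, Wireshark or any tool): it walks the block chain, takes the byte order from the Section Header Block magic, validates each block's length fields, records the link type of every interface, and for Radiotap interfaces (link type 127, what Wi-Fi monitor-mode captures produce) skips the Radiotap header to classify the 802.11 frame behind it. The sample capture is constructed inline by build_sample(); options such as if_tsresol are not interpreted, and a single section per file is assumed, both being simplifications of this example.

```python
"""Minimal pcapng reader for 802.11 captures.

Added example written against the pcapng draft and the Radiotap header
layout; build_sample() exists only to construct an offline input."""
import struct
from typing import List, Tuple

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
BYTE_ORDER_MAGIC = 0x1A2B3C4D          # as written by the capturing host
BYTE_ORDER_MAGIC_SWAPPED = 0x4D3C2B1A  # what we read if the file is the other endianness
LINKTYPE_IEEE802_11_RADIOTAP = 127
MGMT_SUBTYPES = {4: "probe-req", 5: "probe-resp", 8: "beacon", 11: "auth", 12: "deauth"}


def _pad4(n: int) -> int:
    return (n + 3) & ~3


def _block(endian: str, btype: int, body: bytes) -> bytes:
    """Generic block: type, total length, body padded to 32 bits, total length again."""
    body += b"\0" * (_pad4(len(body)) - len(body))
    total = 12 + len(body)
    return struct.pack(endian + "II", btype, total) + body + struct.pack(endian + "I", total)


def build_sample(endian: str = "<") -> bytes:
    """Constructed capture: one Radiotap interface, then a beacon and a data frame."""
    shb = struct.pack(endian + "IHHq", BYTE_ORDER_MAGIC, 1, 0, -1)  # v1.0, section length unknown
    idb = struct.pack(endian + "HHI", LINKTYPE_IEEE802_11_RADIOTAP, 0, 65535)
    # Radiotap header: it_version 0, it_pad, it_len 8, it_present 0 (no fields).
    # Radiotap is always little-endian, independent of the file byte order.
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)
    beacon = radiotap + bytes([0x80, 0x00]) + b"\0" * 22  # FC type 0 subtype 8; dur/addrs/seq zeroed
    data = radiotap + bytes([0x08, 0x00]) + b"\0" * 22    # FC type 2 subtype 0
    blocks = [_block(endian, SHB, shb), _block(endian, IDB, idb)]
    for ts, pkt in ((1_700_000_000_000_000, beacon), (1_700_000_000_100_000, data)):
        hdr = struct.pack(endian + "IIIII", 0, ts >> 32, ts & 0xFFFFFFFF, len(pkt), len(pkt))
        blocks.append(_block(endian, EPB, hdr + pkt))
    return b"".join(blocks)


def describe_frame(pkt: bytes, linktype: int) -> str:
    """Name the 802.11 frame behind a Radiotap header; other link types are only labelled."""
    if linktype != LINKTYPE_IEEE802_11_RADIOTAP:
        return f"linktype-{linktype}"
    if len(pkt) < 8 or pkt[0] != 0:
        return "bad-radiotap"
    rt_len = struct.unpack_from("<H", pkt, 2)[0]  # it_len is little-endian
    if rt_len < 8 or rt_len + 2 > len(pkt):
        return "truncated"
    fc = pkt[rt_len]                               # first byte of Frame Control
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4
    if ftype == 0:
        return MGMT_SUBTYPES.get(subtype, f"mgmt-{subtype}")
    return {1: "control", 2: "data"}.get(ftype, "reserved")


def parse_pcapng(data: bytes) -> Tuple[List[int], List[Tuple[int, int, str]]]:
    """Return (link type per interface, [(iface id, timestamp, frame description), ...]).
    Timestamps are left in the default resolution (microseconds; if_tsresol ignored)."""
    endian = None
    interfaces: List[int] = []
    packets: List[Tuple[int, int, str]] = []
    off = 0
    while off + 12 <= len(data):
        if struct.unpack_from("<I", data, off)[0] == SHB:  # SHB type reads the same either way
            magic = struct.unpack_from("<I", data, off + 8)[0]
            if magic == BYTE_ORDER_MAGIC:
                endian = "<"
            elif magic == BYTE_ORDER_MAGIC_SWAPPED:
                endian = ">"
            else:
                raise ValueError("bad byte-order magic in SHB")
        if endian is None:
            raise ValueError("file does not start with a Section Header Block")
        btype, total = struct.unpack_from(endian + "II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError(f"bad block length {total} at offset {off}")
        if struct.unpack_from(endian + "I", data, off + total - 4)[0] != total:
            raise ValueError(f"trailing length mismatch at offset {off}")
        body = data[off + 8:off + total - 4]
        if btype == IDB:
            interfaces.append(struct.unpack_from(endian + "HHI", body, 0)[0])
        elif btype == EPB:
            ifid, ts_hi, ts_lo, caplen, _orig = struct.unpack_from(endian + "IIIII", body, 0)
            if ifid >= len(interfaces) or 20 + caplen > len(body):
                raise ValueError(f"EPB at offset {off}: unknown interface or overrun")
            pkt = body[20:20 + caplen]
            packets.append((ifid, (ts_hi << 32) | ts_lo, describe_frame(pkt, interfaces[ifid])))
        off += total  # other block types (NRB, ISB, custom) are skipped by length
    return interfaces, packets


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    ifaces, pkts = parse_pcapng(raw)
    print("interfaces:", ifaces)
    for ifid, ts, kind in pkts:
        print(f"if{ifid} t={ts / 1e6:.6f} {kind}")
```

Given a real monitor-mode capture (tcpdump -i wlan0 -w out.pcapng) the script lists one entry per interface and one line per frame. Both length checks matter on untrusted files: a block whose two length fields disagree, or an EPB whose captured length runs past its block, is how a malformed capture file trips up a naive reader.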