Monitor Mode and Sniffing Broadcast Packets

  • Question

  • Hello,

    I am interested in sniffing probe request WiFi frames for a project based on tracking people's location by detecting their WiFi-enabled electronic devices. To do this, I am using the API provided by Microsoft Network Monitor 3.4.

    Currently I am able to see these types of frames (probe request) and filter for them with "WiFi.FrameControl.SubType ==0x04".  My question then is what is the monitor mode used for? I thought I would need to enable monitor mode to see these types of packets? When I enable monitor mode I can see additional frame types such as "ACK" but I am not interested in these types of frames at all. 

    Another question I have is if I need to enable monitor mode what API do I need to use? The NDIS API? WlanSetInterface in WinAPI? If possible could you provide examples?  I am working in C#. 

    Finally, I noticed on an older/slower machine the rate at which I see parsed frames declines quite rapidly, even without any filtering. Is there a way to improve the amount of probe request frames I capture?

    This is a subject I am not familiar with in general and I would appreciate all the help. Thank you.




    • Edited by Sitha Puth Wednesday, July 8, 2015 1:20 PM
    Wednesday, July 8, 2015 1:18 PM

Answers

  • Unfortunately I'm not an expert on the API and how it works. There might be a better place to post this type of question.  From what I remember, we manually had to change the channel information, so there is some call to do this, but I don't have any details past that.  Sorry for the lack of info, but perhaps a developer type forum could be more helpful.

    Paul

    • Marked as answer by Sitha Puth Friday, July 10, 2015 12:43 PM
    Thursday, July 9, 2015 9:38 PM

All replies

  • Ah actually the null frames are extremely helpful for tracking devices that are connected to a network. I would like to know how to detect these null frames by going into monitor mode. Any code example of setting my network adapter into monitor mode would be extremely helpful!
    Wednesday, July 8, 2015 7:44 PM
  • Ok, I actually figured out all the answers to the question I have above BUT the last one. Here is what I found out:

    "My question then is what is the monitor mode used for?"

    Monitor mode is used for sniffing frames that are not just broadcasts. For example, a device can be communicating with an access point. If you want to sniff those packets, you will need monitor mode.

    "Another question I have is if I need to enable monitor mode what API do I need to use?" 

    Use the Native Windows WiFi API. There is a special operation mode called "DOT11_OPERATION_MODE_NETWORK_MONITOR". You just have to find your network interface and set it to that mode using WlanSetInterface. I can't provide a code example, but you can find more information on MSDN. There are examples of using WlanSetInterface on the Internet. If you are using C# you will have to call C++ code or use the ManagedWiFi(?) third-party library to do the P/Invoke calls for you.

    Now I have a different question. What API should I use to change WiFi channels? I know it is possible because NetworkMonitor3.4 can do it. Why does my WiFi adapter always default to scan for channel 11? What are the popular WiFi layers/channel to scan for? 



    • Edited by Sitha Puth Friday, July 10, 2015 12:43 PM
    Thursday, July 9, 2015 4:22 PM
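
Added example, not part of the original thread and not Network Monitor code: the frame kinds named above (probe request, null data, ACK) are told apart by the 802.11 Frame Control field, and subtype value 0x04 is shared by management probe requests and data null frames, so a subtype-only comparison like the one in the question matches both. The sketch assumes the buffer starts at the 802.11 MAC header (any capture metadata header already stripped); the sample bytes and all function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Frame Control lives in the first two bytes of the 802.11 MAC header.
 * Byte 0: bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype. */
enum { T_MGMT = 0, T_CTRL = 1, T_DATA = 2 };
typedef enum { FK_TRUNCATED, FK_BAD_VERSION, FK_PROBE_REQUEST,
               FK_NULL_DATA, FK_ACK, FK_OTHER } frame_kind;

/* Constructed sample headers (Frame Control + Duration only). */
const uint8_t SAMPLE_PROBE_REQ[] = { 0x40, 0x00, 0x00, 0x00 };
const uint8_t SAMPLE_NULL_DATA[] = { 0x48, 0x01, 0x2c, 0x00 };
const uint8_t SAMPLE_ACK[]       = { 0xd4, 0x00, 0x00, 0x00 };
const uint8_t SAMPLE_BEACON[]    = { 0x80, 0x00, 0x00, 0x00 };

/* What a subtype-only comparison (subtype == 0x04) matches. */
int subtype_only_match(const uint8_t *buf, size_t len)
{
    return buf != NULL && len >= 2 && ((buf[0] >> 4) & 0x0F) == 0x04;
}

/* Classify using protocol version, type and subtype together. */
frame_kind classify_frame(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 2) return FK_TRUNCATED;
    unsigned version = buf[0] & 0x03;
    unsigned type    = (buf[0] >> 2) & 0x03;
    unsigned subtype = (buf[0] >> 4) & 0x0F;
    if (version != 0) return FK_BAD_VERSION;
    if (type == T_MGMT && subtype == 0x04) return FK_PROBE_REQUEST;
    if (type == T_DATA && subtype == 0x04) return FK_NULL_DATA;
    if (type == T_CTRL && subtype == 0x0D) return FK_ACK;
    return FK_OTHER;
}

int main(void)
{
    static const char *names[] = { "truncated", "bad version", "probe request",
                                   "null data", "ACK", "other" };
    const uint8_t *samples[] = { SAMPLE_PROBE_REQ, SAMPLE_NULL_DATA,
                                 SAMPLE_ACK, SAMPLE_BEACON };
    for (size_t i = 0; i < 4; i++)
        printf("fc0=0x%02x subtype-only=%d kind=%s\n", samples[i][0],
               subtype_only_match(samples[i], 4),
               names[classify_frame(samples[i], 4)]);
    return 0;
}
```
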
  • Hey Paul, thank you so much for the reply. Your blog and your responses have been extremely helpful to me.

    I thought this is the developer forum. Where would be a better place to post this? The Native WiFi API doesn't seem to allow me to change the channel information. I have been able to get the WiFi channel to change by editing the registry files but that is not truly a solution. Any information would really help! Again, thanks so much for your reply.

    Edit: I found out if you directly interface with the driver utilities you can set the channel/mode. However, that isn't really a solution either. 

    Edit2: Oh great, I found this: https://social.msdn.microsoft.com/Forums/en-US/e0b6b7a1-ee92-4357-9bc2-309b38a4b4fe/channel-hopping?forum=netmon . Basically it is possible but would require a great deal of work.

    Edit3: Arg, it would be so nice to have channel hopping... :(




    • Edited by Sitha Puth Friday, July 10, 2015 4:38 PM
    Friday, July 10, 2015 12:49 PM
  • The Network Monitor forums simply exist in both places because we thought both developers and SysAdmins would be interested.  And we will answer dev questions about the Netmon API, but the WiFi stuff is not something our team worked on directly.

    I'm glad you found your answer, but I know you were hoping for something more simple.

    Paul

    Wednesday, July 15, 2015 9:46 PM
  • Hi Sitha Puth,

    I'm starting a little project to capture probe requests to "count" how many people are close to a certain place.
    I just need to capture the MAC address of the device and save it to a database with the timestamp.

    How did you use the Network Monitor 3.4 API in C#?

    Could you switch channels?

    Thank you

    Matias
    • Edited by mmaturan Tuesday, September 29, 2015 8:52 PM
    Tuesday, September 29, 2015 3:35 PM