FortiAP
FortiAP devices are thin wireless access points (APs) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4), as well as 802.11n and 802.11ax, and the demand for plug-and-play deployment.
lpetit_FTNT, Staff
Article Id 195519
Purpose
From version 5.0, the FortiAP has the feature to sniff wireless traffic using its radio. This feature is not present in version 4.0 MR3. This article provides a workaround for this and explains how to sniff traffic in the air using Wireshark.

Scope

FortiAP running 4.0 MR3.


Expectations, Requirements
In some cases, to troubleshoot a network issue, a wireless trace is required.
It is possible to sniff wireless traffic using a Linux machine with a wireless NIC.
Wireshark must be installed on the Linux PC.
 
On Ubuntu distribution, run the following command:
sudo apt-get install wireshark
The NIC can be set to monitor mode using airmon-ng.
 
Here are the commands and options to use airmon-ng:
 
airmon-ng <start|stop> <interface> [channel]

<start|stop> indicates whether to start or stop monitor mode on the interface. (Mandatory)
<interface> specifies the interface. (Mandatory)
[channel] optionally sets the card to a specific channel.

To see the current status of the wireless NIC, the command iwconfig can be used.

root@root:~# iwconfig
lo no wireless extensions.
eth0      no wireless extensions.
wlan0     IEEE 802.11bgn  ESSID:"SSID12" 
Mode:Managed Frequency:2.412 GHz Access Point: Not-Associated
Tx-Power=20 dBm
Retry long limit:7 RTS thr=2347 B Fragment thr:off
Encryption key:off
Power Management:off
At this stage the wireless NIC is not in monitor mode.
To start monitor mode on the wireless NIC:
root@root:~# airmon-ng start wlan0
Interface Chipset  Driver
wlan0  Unknown  rtl8192ce - [phy0]
(monitor mode enabled on mon0)
Monitor mode has now been enabled on wlan0, exposed as the new interface mon0.
 
To verify that mon0 is in monitor mode, use iwconfig.
 
root@root:~# iwconfig
lo no wireless extensions.
eth0      no wireless extensions.
wlan0     IEEE 802.11bgn  ESSID:"SSID12" 
Mode:Managed Frequency:2.412 GHz Access Point: Not-Associated
Tx-Power=20 dBm
Retry long limit:7 RTS thr=2347 B Fragment thr:off
Encryption key:off
Power Management:off

mon0 IEEE 802.11bgn Mode:Monitor Tx-Power=20 dBm
Retry long limit:7 RTS thr=2347 B Fragment thr:off
Power Management:on
mon0 now reports Mode:Monitor.
 
Wireshark can now be started. Sniffing on interface mon0 will capture wireless traffic.
 
root@root:~# wireshark &

To stop monitor mode on the wireless NIC, the following command can be used:

root@root:~# airmon-ng stop wlan0

The result can be verified using the iwconfig command:

root@root:~# iwconfig
lo no wireless extensions.
eth0      no wireless extensions.
wlan0     IEEE 802.11bgn  ESSID:"SSID12" 
Mode:Managed Frequency:2.412 GHz Access Point: Not-Associated
Tx-Power=20 dBm
Retry long limit:7 RTS thr=2347 B Fragment thr:off
Encryption key:off
Power Management:off
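The same procedure as a script, added here as an example and not part of the original article: it enables monitor mode, confirms the result by parsing the iwconfig output instead of reading it by eye, captures with tshark (Wireshark's command-line capture tool), and then disables monitor mode again. It assumes airmon-ng, iwconfig and tshark are installed and that it runs as root; the interface names, capture duration and output file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the Fortinet article. Assumes airmon-ng, iwconfig
# and tshark are installed and the script runs as root; interface names,
# durations and file names are assumptions.

# Print the monitor interface from airmon-ng's "(monitor mode enabled on
# mon0)" line, as printed by the airmon-ng release shown in the article
# (newer releases word this line differently). Returns 1 if it is absent.
monitor_iface_from_airmon() {
    printf '%s\n' "$1" |
        sed -n 's/.*monitor mode enabled on \([A-Za-z0-9]*\).*/\1/p' |
        head -n 1 | grep .
}

# Print every interface that iwconfig reports with Mode:Monitor. A line
# whose second field is "IEEE" names an interface; following lines belong
# to it, so this works whether or not the continuation lines are indented.
monitor_ifaces_from_iwconfig() {
    printf '%s\n' "$1" | awk '
        $2 == "IEEE"   { iface = $1 }
        /Mode:Monitor/ { print iface }'
}

# Enable monitor mode on $1, confirm it via iwconfig, capture $2 seconds
# of 802.11 frames to $3 with tshark, then disable monitor mode again.
capture_wireless() {
    iface=$1; seconds=${2:-60}; out=${3:-wireless.pcapng}
    mon=$(monitor_iface_from_airmon "$(airmon-ng start "$iface")") || {
        echo "airmon-ng did not report a monitor interface" >&2; return 1; }
    monitor_ifaces_from_iwconfig "$(iwconfig 2>/dev/null)" | grep -qx "$mon" || {
        echo "$mon is not in Monitor mode according to iwconfig" >&2; return 1; }
    tshark -i "$mon" -a "duration:$seconds" -w "$out"
    rc=$?
    airmon-ng stop "$iface" >/dev/null   # same stop command as in the article
    return "$rc"
}

# Usage: sh capture_wireless.sh wlan0 [seconds] [output.pcapng]
if [ "$#" -ge 1 ]; then
    capture_wireless "$@"
fi
```

Open the resulting .pcapng in Wireshark afterwards; the iwconfig check guards against the case where airmon-ng prints a monitor interface that the driver did not actually bring up.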
