0
votes

So my question is: I have been trying to work with Scapy by sniffing packets going in and out of my computer using a simple sniff() and print pkt.summary(). Everything was going well, then I wanted to go a bit further, so I put my WiFi adapter into monitor mode to catch other packets, only the packets I am catching seem to be different and I cannot get any info from them. How can these packets be used, and can I catch TCP/UDP packets being sent from other devices like I did when I was sniffing my computer's packets? I am a bit new to all this packet monitoring and its usage, so please go easy.

What I get when I print pkt.summary() and pkt.show():

    RadioTap / 802.11 Management 4L 98:0c:82:4c:XX:XX > ff:ff:ff:ff:ff:ff / Dot11ProbeReq / SSID='TELENETHOMESPOT' / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt
    ###[ RadioTap dummy ]###
    version   = 0
    pad       = 0
    len       = 18
    present   = Flags+Rate+Channel+dBm_AntSignal+Antenna+b14
    notdecoded= '\x10\x02\x99\t\xa0\x00\xd3\x05\x00\x00'
    ###[ 802.11 ]###
    subtype   = 4L
    type      = Management
    proto     = 0L
    FCfield   = 
    ID        = 0
    addr1     = ff:ff:ff:ff:ff:ff
    addr2     = 98:0c:82:4c:XX:XX
    addr3     = ff:ff:ff:ff:ff:ff
    SC        = 55360
    addr4     = None
    ###[ 802.11 Probe Request ]###
    ###[ 802.11 Information Element ]###
           ID        = SSID
           len       = 15
           info      = 'TELENETHOMESPOT'
    ###[ 802.11 Information Element ]###
              ID        = Rates
              len       = 4
              info      = '\x02\x04\x0b\x16'
    ###[ 802.11 Information Element ]###
                 ID        = ESRates
                 len       = 8
                 info      = '\x0c\x12\x18$0H`l'
    ###[ 802.11 Information Element ]###
                    ID        = 45
                    len       = 26
                    info      = '\x0c\x10\x19\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
    ###[ 802.11 Information Element ]###
                       ID        = DSset
                       len       = 1
                       info      = '\x0b'
    ###[ 802.11 Information Element ]###
                          ID        = vendor
                          len       = 9
                          info      = '\x00\x10\x18\x02\x00\x00\x00\x00\x00'
    ###[ 802.11 Information Element ]###
                             ID        = vendor
                             len       = 30
                             info      = '\x00\x90L3\x0c\x10\x19\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
    ###[ 802.11 Information Element ]###
                                ID        = 138
                                len       = 37
                                info      = '\xf5x'
1
Do you have WPA encryption on the wireless network you are trying to capture packets from? That would prevent you from seeing anything useful in packets from other devices. – gsp8181
@gsp8181 Yes, but I have the key, but I do not know how to decrypt the data from these packages. I have also tried this on a hotspot and the packets I am getting are the same. I will update the question with an example in a sec. – Amro elaswar
@gsp8181 I have added an example of the packet I am collecting from a hotspot. – Amro elaswar

1 Answer

0
votes

That packet is a type of 802.11 management frame, more specifically a probe response frame; it is very similar to a beacon frame. When a wireless user wishes to know information about the access point, they send a probe request, and the access point may send a probe response back. It gives information such as SSID, rates, capabilities and other parameters.

If you are trying to decrypt WPA-encrypted traffic, it gets a little harder. All traffic by users associated with the AP will be scrambled. If you wish to decrypt it, save the packets to a .pcap file and use a tool such as airdecap-ng on the file.

If you are associated with the wireless network, it would be far easier to perform an ARP poisoning attack using a program such as ettercap. This will trick the other computers on the network into forwarding traffic through your computer, which can then be inspected as if it was going through your own computer. (Make sure you have permission from the other users if there are any!)
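An added example, not part of the original question or answer: a standard-library parser that classifies monitor-mode frames the way the pkt.show() output above is laid out (radiotap header, frame control type/subtype, information elements) and reports the Protected bit that marks an encrypted data body. The two sample frames and their MAC addresses are constructed; only the SSID and rates values are taken from the question's dump.

```python
import struct

TYPES = {0: "Management", 1: "Control", 2: "Data"}
MGMT = {4: "Probe Request", 5: "Probe Response", 8: "Beacon"}

def parse_elements(body):
    """Walk the ID/length/value information elements; stop on a truncated one."""
    elements, i = [], 0
    while i + 2 <= len(body):
        eid, elen = body[i], body[i + 1]
        if i + 2 + elen > len(body):
            break  # declared length runs past the capture (or into the FCS)
        elements.append((eid, body[i + 2:i + 2 + elen]))
        i += 2 + elen
    return elements

def parse_monitor_frame(raw):
    """Classify one radiotap-prefixed 802.11 frame from a monitor-mode capture."""
    # Radiotap: version (1 byte), pad (1), total header length (2, little-endian)
    _ver, _pad, rt_len = struct.unpack_from("<BBH", raw, 0)
    dot11 = raw[rt_len:]
    if len(dot11) < 2:
        raise ValueError("no 802.11 header after radiotap")
    ftype, subtype = (dot11[0] >> 2) & 0x3, (dot11[0] >> 4) & 0xF
    info = {"type": TYPES.get(ftype, "Reserved"), "subtype": subtype, "ssid": None,
            "protected": bool(dot11[1] & 0x40)}  # Protected bit: body is encrypted
    if ftype == 0 and len(dot11) >= 24:
        info["name"] = MGMT.get(subtype, "Other management")
        info["addr2"] = ":".join("%02x" % b for b in dot11[10:16])
        # Beacons and probe responses carry 12 fixed bytes before the elements
        fixed = 12 if subtype in (5, 8) else 0
        if subtype in MGMT:
            for eid, value in parse_elements(dot11[24 + fixed:]):
                if eid == 0:  # element ID 0 is the SSID
                    info["ssid"] = value.decode("utf-8", "replace")
    return info

# Constructed samples: 8-byte radiotap header with no optional fields.
RADIOTAP = bytes([0, 0, 8, 0, 0, 0, 0, 0])
BCAST, STA, AP = b"\xff" * 6, bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
PROBE_REQ = (RADIOTAP + b"\x40\x00\x00\x00" + BCAST + STA + BCAST + b"\x00\x00"
             + b"\x00\x0fTELENETHOMESPOT" + b"\x01\x04\x02\x04\x0b\x16")
# QoS data frame, ToDS + Protected set: the body is ciphertext, not IP/TCP.
ENC_DATA = (RADIOTAP + b"\x88\x41\x00\x00" + AP + STA + AP + b"\x00\x00"
            + b"\x00\x00" + bytes(16))

if __name__ == "__main__":
    for frame in (PROBE_REQ, ENC_DATA):
        print(parse_monitor_frame(frame))
```

Management frames such as the one in the question never carry an IP payload, and data frames with the Protected bit set show TCP/UDP only after decryption, which is why summary() looks so different from a capture on the local interface.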