
Getting Practical About Wireless Security, Part 1: Building a Wireless Sniffer with Perl

By Peter Seebach
2005-04-13


Scanning for Networks

On the first pass, I'll simply build a program that scans for and lists wireless networks. This only shows networks that are broadcasting their identity to the world. The command for this, in NetBSD, is wiconfig interface -D. Because the interface might change from system to system, the application reads that information from a configuration file. The user is presented with a list of the names of found wireless networks, and selects one from the list; then the details of that network are displayed.

To do this, the program runs wiconfig, using the -D option, and parses the output. The results are stored in an array of references to hashes. Each member of the array holds the scan results for a single access point; each hash contains a list of name/value pairs, where the name is the heading. The output from wiconfig looks like Listing 1:

Listing 1. Network scan results

    ap[0]:
    ScanReason: [ Inquiry request from host ]
    netname (SSID): [ testnet ]
    BSSID: [ 00:02:dd:01:5a:44]
    Channel: [ 3 ]
    Quality/Signal/Noise [signal]: [ 57 / 59 / 2 ]
    [dBm]: [ 57 / -90 / -147 ]
    BSS Beacon Interval [msec]: [ 100 ]
    Capinfo: [ ESS ]
    DataRate [Mbps]: [ 1 ]

The code to parse this is fairly simple. Listing 2 illustrates the main components of the function; there's a little setup work beforehand, but this is the interesting part.

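Listing 2. Parsing network scan results

    while (<WICONFIG>) {
        chomp;
        s/^[ ]*//;                      # strip leading spaces
        # An "ap[n]:" line starts the next access point; the found_ap
        # label belongs to the setup code not shown here.
        goto found_ap if /^ap/;
        # Split "name: [ value ]" at the first colon followed by spaces.
        ($name, $value) = split(/:[ ]+/, $_, 2);
        next unless defined $value;     # skip lines that are not name/value pairs
        $value =~ s/^\[ *//;            # drop the opening bracket
        $value =~ s/ *\]$//;            # drop the closing bracket
        $x{$name} = $value;
        print STDERR "$n: $name -> '$value'\n" if $debug > 1;
    }
    $nets[$n] = \%x;                    # store a reference to this AP's hash

In the resulting hash, the name netname (SSID) is associated with the value testnet. The long names are difficult to work with, but renaming them would just add another layer of confusion. (It would be worth doing, perhaps, given that the value named [dBm] makes no sense if you don't recognize it as a subheading of Quality/Signal/Noise.)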
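
The following is an added example, not code from the original article: a self-contained parser for scan output in the Listing 1 format that handles several access points and gives each one its own hash, so array entries never alias one another. The sub name parse_scan and the second access point in the sample are constructed for illustration. Because a network name is chosen by whoever runs the access point, the example also replaces non-printable bytes before display, on the assumption that the scan tool passes SSID bytes through unchanged.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample in the Listing 1 format. ap[1] is invented for this
# example; its SSID carries an escape sequence to exercise the filtering.
my $sample = <<"END";
ap[0]:
    netname (SSID): [ testnet ]
    BSSID: [ 00:02:dd:01:5a:44]
    Channel: [ 3 ]
    Quality/Signal/Noise [signal]: [ 57 / 59 / 2 ]
    [dBm]: [ 57 / -90 / -147 ]
ap[1]:
    netname (SSID): [ lab\e[2Jnet ]
    BSSID: [ 00:00:5e:00:53:01]
    Channel: [ 11 ]
END

# parse_scan (hypothetical name): returns a list of hash references,
# one per access point, keyed by the headings in the scan output.
sub parse_scan {
    my ($text) = @_;
    my (@nets, $ap);
    for my $line (split /\n/, $text) {
        $line =~ s/^\s+//;
        if ($line =~ /^ap\[\d+\]:/) {
            $ap = {};                  # fresh hash, so entries never alias
            push @nets, $ap;
            next;
        }
        next unless defined $ap;       # nothing to attach the field to yet
        my ($name, $value) = split /:\s+/, $line, 2;
        next unless defined $value;    # not a "name: [ value ]" line
        $value =~ s/^\[\s*//;
        $value =~ s/\s*\]$//;
        $value =~ s/[^\x20-\x7e]/?/g;  # untrusted text: keep printable ASCII
        $ap->{$name} = $value;
    }
    return @nets;
}

my @nets = parse_scan($sample);
print @nets ? "Found " . @nets . " networks\n"
            : "No public networks in range\n";
for my $i (0 .. $#nets) {
    printf "%d: %-12s %-18s channel %s\n", $i,
        @{ $nets[$i] }{ 'netname (SSID)', 'BSSID', 'Channel' };
}
```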

Scans take a while, and monopolize the network interface, so it's not reasonable to run them constantly. One solution to this problem is to run a network scan only when trying to pick a network, then look at the statistics for that individual network.

Because I am a somewhat lazy programmer, I use a status variable to keep track of the program state. The status variable tells the program what to do when it refreshes the display, and also what to do when it runs through the main loop. The program displays the current status at the top of the screen, general instructions at the bottom of the screen, and an error message (if there is one) one line above the general instructions.

The initial status, "About to probe network interfaces," exists only to make sure something is displayed before the program starts doing interesting things. The first time it goes through the input loop, the program just changes its state to "Probing network interfaces." (It doesn't need any input to do this.) The next time it comes through, it displays that state, then runs the routine that actually reads the wiconfig output.

After that routine is finished scanning available access points, it changes status to "Found n networks," where n is the number of interfaces found. Of course, that only happens if there actually are network interfaces found. If there are no networks, the status is changed to "No public networks in range."



First published by IBM DeveloperWorks

