I've been using tcpdump (version 4.1.1) to attempt to capture wireless frames from a monitor mode interface set up by airmon-ng. I say "attempt" because so far nothing has been happening. It's very odd:
tcpdump -i mon0
The above command works fine. I see all the beacons and probe requests and every other frame imaginable displayed across my screen. However, when I attempt to write the output to a capture file using
tcpdump -i mon0 -w captures.cap
absolutely nothing gets captured including layer 3 packets that contain actual data. When I kill tcpdump, it gives me
13507 packets captured
13507 packets received by filter
0 packets dropped by kernel
(13507 is an arbitrary number in this case) and a completely empty capture file.
However, when I perform capturing with tshark or wireshark on the same interface, frames are captured to files without any problems.
I would prefer to use tcpdump instead of wireshark as it doesn't have the overhead of a GUI and it has the "-z" option which allows me to take the capture file and pass it to a shell script that copies it to another computer on my network. There is no similar functionality with tshark or wireshark and I would very much like to avoid writing a program to check for the existence of a capture file.
Do I have a fundamental misunderstanding with the way tcpdump works or is there definitely something odd going on here? Is there perhaps a better way of doing what I'm doing or am I going to have to write my own libpcap-based capture program?
Have you tried airodump-ng?
Not sure if it uses libpcap as its capture library, but it uses the pcap file format and has many options for channel selection, BSSID filtering etc.
It seems something is indeed wrong. On my Ubuntu the following works well.
sudo tcpdump -w ./test.cap
Perhaps you can try
sudo tcpdump -U -w ./test.cap
JP
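The "-z" hand-off described in the question is where an empty file hurts most, so here is a post-rotate hook that only copies a rotated file when it is actually a pcap with at least one packet record. This is an added example, not code from the thread; the `backup-host:/captures/` destination, the file names and the `POSTROTATE` pairing with `-U -G` are assumptions.

```shell
#!/bin/sh
# Post-rotate hook for tcpdump -z (added example, not from the thread).
# Suggested invocation, so each rotated file is flushed before the hook runs:
#   tcpdump -i mon0 -U -G 60 -w 'cap-%s.pcap' -z ./this_script.sh
# tcpdump then calls: ./this_script.sh cap-<epoch>.pcap

# Return 0 if the file carries a 24-byte pcap global header with a known
# magic number (little/big endian, microsecond or nanosecond), else 1.
pcap_has_header() {
    f=$1
    [ -f "$f" ] || return 1
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -ge 24 ] || return 1
    magic=$(od -A n -t x1 -N 4 "$f" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if at least one packet record follows the global header.
pcap_has_packets() {
    pcap_has_header "$1" || return 1
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -gt 24 ]
}

# Only act when invoked by tcpdump with a single existing savefile argument.
if [ $# -eq 1 ] && [ -f "$1" ]; then
    if pcap_has_packets "$1"; then
        scp "$1" backup-host:/captures/    # assumed destination
    else
        echo "skipping $1: empty or not a pcap" >&2
    fi
fi
```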