Build Your Own 802.11 Sniffer for $50 or So

If you have a laptop, you can build a wireless 802.11a/b/g sniffer for a cost of Atheros-based wireless card (below $50 at current market prices) and waiting time to download the 700MB ISO image. It will use Ethereal as a protocol analyzer.

The net result is pretty close to the $1,500 Airopeek. The only missing feature I know is the inability to change channels and survey them from the protocol analyzer interface.

Steps to success:

• Download Knoppix ISO. Knoppix is a Linux version that can be booted off the CD, and includes Ethereal and Atheros driver. I used version 3.9; most other ones should work.  Burn the ISO image onto the CD.
• Plug the Atheros card in and boot your laptop off the CD. No "installation" is needed.
• Goto command console and switch to root:
  • > su
• Configure the Atheros driver for sniffing; use desired channel in place of 11 below.
  • # iwconfig ath0 mode monitor
  • # iwconfig ath0 channel 11 (or whatever :-)
  • # iwpriv ath0 mode 3
  • # ifconfig ath0 up
• Start Ethereal
  • # ethereal&
• Goto Edit>Preferences>Protocols>IEEE 802.11 and check the "Assume packets have FCS" box
• Select ath0 in Capture>Options
• Select Capture>Start
• Enjoy the trace!

Update from Alexey Dymchenko:

•  If you already have Linux laptop there is no need to download Knoppix CD and boot this specific version of Linux: quite old Fedora Core 5 with quite recent Atheros madwifi driver (0.9.3.2) worked for me
• The way the monitor mode is enabled have been changed in the Atheros driver: you should create another virtual interface on top of the same physical wifi adapter and use it for capturing traffic, while the primary interface still could be used in "normal" mode:
  

# create and start normal interface
iwconfig ath0 essid dlink_test
ifconfig ath0 up
# create and start monitor interface
wlanconfig ath1 create wlandev wifi0 wlanmode monitor
ifconfig ath1 up
# enable additional RF information (not sure that Atheros driver emulates "prism2" headers well)
echo '802' > /proc/sys/net/ath1/dev_type

• Also, in this case, the Edit>Preferences>Protocols>IEEE 802.11 "Assume packets have FCS" should be left unchecked to avoid parsing problems in the Ethereal (Version 0.99.0) causing [Malformed Packet: 802.11] display.

Other Low-Cost Wireless Sniffers

LinkFerret Network Monitor and Protocol Analyzer.

Set of monitoring utilities and packet sniffers for capture, statistical analysis, and protocol decoding. The LinkFerret network monitor is a Windows-based monitoring solution available at an affordable price.

Low-Cost Wireless Management

802.11 Network Discovery Tools

Basic open-source wireless network management tool