
Packet sniffing

reubenajohnston edited this page Mar 11, 2024 · 3 revisions

Tools

  • Wireshark: Wireshark is a network packet analyzer. A network packet analyzer presents captured packet data in as much detail as possible. Wireshark provides an intuitive graphical user interface.
  • tcpdump: Tcpdump is a command-line packet analyzer with features similar to Wireshark.

Kali VM network adapters

  • Software running inside a virtual machine can monitor any and all traffic moving across a vSwitch when its virtual adapter is in promiscuous mode
  • To enable promiscuous mode in your Kali VM's virtual eth0 adapter, use $ sudo ifconfig eth0 promisc
    • You should see a new PROMISC flag appear with the adapter when you query its settings with $ ifconfig eth0
eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 192.168.237.132  netmask 255.255.255.0  broadcast 192.168.237.255
        inet6 fe80::20c:29ff:fe06:8b7b  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:06:8b:7b  txqueuelen 1000  (Ethernet)
        RX packets 1059006  bytes 71631724 (68.3 MiB)
        RX errors 0  dropped 98  overruns 0  frame 0
        TX packets 285  bytes 46558 (45.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
  • To revert back, use $ sudo ifconfig <INTERFACE> -promisc
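The flags=4419 value above is the kernel's interface flag bitmask in decimal (4419 = 0x1143 = UP|BROADCAST|RUNNING|PROMISC|MULTICAST, with PROMISC being bit 0x100). The following added example, not part of this wiki page, decodes that mask, scans ifconfig output for promiscuous interfaces (a useful check when auditing a host for sniffing), and reads the same mask live from /sys/class/net/<iface>/flags; the sample ifconfig text is constructed from the eth0 block above plus two ordinary interfaces.

```python
import re
from pathlib import Path

# Linux net_device flag bits (from <linux/if.h>); ifconfig prints this mask in
# decimal after "flags=", sysfs exposes the same mask in hex.
IFF_FLAGS = {
    0x1: "UP", 0x2: "BROADCAST", 0x8: "LOOPBACK", 0x10: "POINTOPOINT",
    0x40: "RUNNING", 0x80: "NOARP", 0x100: "PROMISC", 0x200: "ALLMULTI",
    0x1000: "MULTICAST",
}
IFF_PROMISC = 0x100

def decode_flags(mask):
    """Return the set of flag names set in an interface flags bitmask."""
    return {name for bit, name in IFF_FLAGS.items() if mask & bit}

IFCONFIG_LINE = re.compile(r"^(\S+): flags=(\d+)<([^>]*)>")

def promisc_from_ifconfig(text):
    """Parse `ifconfig -a` output; return interfaces with PROMISC set.
    The numeric mask is authoritative; the <...> name list is only a cross-check."""
    found = []
    for line in text.splitlines():
        m = IFCONFIG_LINE.match(line)
        if not m:
            continue
        name, mask, names = m.group(1), int(m.group(2)), set(m.group(3).split(","))
        if mask & IFF_PROMISC or "PROMISC" in names:
            found.append(name)
    return found

def promisc_from_sysfs(root="/sys/class/net"):
    """Live check: each /sys/class/net/<iface>/flags holds the mask as hex text."""
    found = []
    for flags_file in sorted(Path(root).glob("*/flags")):
        try:
            mask = int(flags_file.read_text().strip(), 16)
        except (OSError, ValueError):
            continue  # interface vanished or unreadable; skip it
        if mask & IFF_PROMISC:
            found.append(flags_file.parent.name)
    return found

# Constructed sample: the eth0 block from this page plus a normal eth1 and lo.
SAMPLE = """\
eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 192.168.237.132  netmask 255.255.255.0  broadcast 192.168.237.255
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
"""

if __name__ == "__main__":
    print("sample:", promisc_from_ifconfig(SAMPLE))  # ['eth0']
    print("this host:", promisc_from_sysfs())
```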

Kali RPI4B and Wifi adapters

  • The Cypress radio in the RPI4B supports monitor mode. Use airmon-ng, part of the aircrack-ng suite, to enable it.
  • Check for, and kill, processes that might interfere with the aircrack-ng suite using # airmon-ng check kill
  • Because it conflicts with using wireless interfaces in monitor mode, stop NetworkManager using # systemctl stop NetworkManager
  • Then, set up the wireless interface in monitor mode using # airmon-ng start wlan0 1
    • Reboot the Raspberry Pi to restore normal operation

Useful sites