-
Here is an example of how to filter the target AP by wlan addr3 and to allow all PROBEREQUEST frames (directed and undirected) from CLIENTs:
-
Here is an example of how to filter out packets greater than n bytes.
-
Here is an example of how to filter unwanted ACK and CTS frames:
-
Starting with this commit I added a new option to hcxlabtool:
This increases compatibility with Linux BPF tools, bcc, bcc-tools and more. The new option in detail:
This is the output in tcpdump style.
This is C style and can be added directly to your own C projects:
An example of how to use that code is here: This is ASM style (useful for debugging purposes):
This is bpf_dbg style. The code can be inserted directly into the debugger:
This is a powerful instrument to identify problems inside your BPF. Option 2, option 3 and option 4 are "royal class" and definitely nothing for newbies.
-
As described in earlier comments, the BPF is the most powerful (and fastest) filter that "lives" in the Linux kernel.
It is possible to filter nearly everything with advanced filter code.
I started this discussion to publish some advanced BPF solutions here.
A MAC address (six bytes) consists of two parts, the OUI (first three bytes) and the NIC (last three bytes).
Sometimes you need to filter by OUI instead of the entire MAC address.
Here is an example of how to filter wlan addr3 by OUI:
entire MAC ADDRESS: 112233445566
OUI: 112233
NIC: 445566
$ hcxdumptool --bpfc="wlan[16:2] == 0x1122 && wlan[18:1] == 0x33" > attack_oui.bpf
Here is an example of how to filter wlan addr2 by OUI:
entire MAC ADDRESS: 112233445566
OUI: 112233
NIC: 445566
$ hcxdumptool --bpfc="wlan[10:2] == 0x1122 && wlan[12:1] == 0x33" > attack_oui.bpf
Here is an example of how to filter wlan addr1 by OUI:
entire MAC ADDRESS: 112233445566
OUI: 112233
NIC: 445566
$ hcxdumptool --bpfc="wlan[4:2] == 0x1122 && wlan[6:1] == 0x33" > attack_oui.bpf
Besides hcxdumptool/hcxlabtool, all these filters can be tested on the fly with tshark:
To monitor the filter on the fly, it is possible to run hcxdumptool/hcxlabtool and tshark on the same interface:
open 2 terminals
in terminal 1
build the BPF
$ hcxdumptool --bpfc="wlan[16:2] == 0x1122 && wlan[18:1] == 0x33" > attack_oui.bpf
run the attack
$ sudo hcxdumptool -i INTERFACE_NAME --bpf=attack_oui.bpf --rds=1
in terminal 2
run tshark to monitor the filter on the fly:
$ tshark -i INTERFACE_NAME -f "wlan[16:2] == 0x1122 && wlan[18:1] == 0x33"
or
store the entire filtered traffic to an additional pcapng file:
$ tshark -i INTERFACE_NAME -f "wlan[16:2] == 0x1122 && wlan[18:1] == 0x33" -w OUTPUT_FILE.pcapng
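As an added example (not code from this discussion or from hcxdumptool), the following Python makes the offset arithmetic behind the three OUI filters explicit: `oui_filter` builds the same filter string for addr1, addr2 or addr3 from the 802.11 header offsets (4, 10 and 16), and `matches_oui` evaluates that predicate on constructed sample frames the way the kernel BPF would. The function names and the sample frames are mine.

```python
"""Rebuild and check the OUI filters from this discussion.

In the 802.11 MAC header addr1 starts at byte 4, addr2 at byte 10 and
addr3 at byte 16 (six bytes each), which is where the wlan[16:2] /
wlan[18:1] style offsets come from.  The OUI is the first three bytes
of each address.  Frames below are constructed samples, not captures.
"""

ADDR_OFFSETS = {1: 4, 2: 10, 3: 16}   # byte offset of addr1/addr2/addr3


def oui_filter(addr_field: int, oui_hex: str) -> str:
    """Return the tcpdump/tshark/hcxdumptool --bpfc expression that matches
    frames whose wlan addr<addr_field> starts with the given OUI.

    Same shape as the filters above: a two-byte compare on the first two
    OUI bytes followed by a one-byte compare on the third."""
    if addr_field not in ADDR_OFFSETS:
        raise ValueError("addr_field must be 1, 2 or 3")
    oui = bytes.fromhex(oui_hex)
    if len(oui) != 3:
        raise ValueError("OUI must be exactly three bytes")
    off = ADDR_OFFSETS[addr_field]
    return (f"wlan[{off}:2] == 0x{oui[0]:02x}{oui[1]:02x} && "
            f"wlan[{off + 2}:1] == 0x{oui[2]:02x}")


def matches_oui(frame: bytes, addr_field: int, oui_hex: str) -> bool:
    """Evaluate the same predicate on a raw 802.11 frame (radiotap stripped).

    BPF rejects a packet when a load would read past its end, so a frame
    too short to hold the address is treated as a non-match here too."""
    off = ADDR_OFFSETS[addr_field]
    if len(frame) < off + 3:
        return False
    return frame[off:off + 3] == bytes.fromhex(oui_hex)


def build_frame(addr1: str, addr2: str, addr3: str) -> bytes:
    """Constructed beacon-style header: frame control (type management,
    subtype beacon), duration, addr1, addr2, addr3, sequence control."""
    return (b"\x80\x00" + b"\x00\x00"
            + bytes.fromhex(addr1) + bytes.fromhex(addr2) + bytes.fromhex(addr3)
            + b"\x00\x00")


if __name__ == "__main__":
    sample = build_frame("ffffffffffff", "112233445566", "112233445566")
    for field in (1, 2, 3):
        print(oui_filter(field, "112233"), "->", matches_oui(sample, field, "112233"))
```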