Capture packets on 802.11 wireless networks with Linux 2.6

Date: April 11, 2010.
---------------------------------------------------------------

1. Get an 802.11 wireless adapter that supports monitor mode. Many
   Ralink-based adapters work well in monitor mode.

2. To capture 802.11 packets, the card will not have an IP address or be
   associated with an Access Point. tcpdump will show the supported data
   link types; however, IEEE802_11_RADIO may not be listed until after
   configuring the card for monitor mode.

   * tcpdump -i wlan0 -L

3. Bring the interface up and run iwlist to get the channel of the
   strongest Access Point, then take it down:

   * ifconfig wlan0 up
   * iwlist wlan0 scanning
   * ifconfig wlan0 down

4. Configure the adapter using the channel found by iwlist:

   * iwconfig wlan0 chan 6 mode monitor
   * ifconfig wlan0 up

5. In a separate terminal, run tcpdump to capture packets (first command
   writes to a file, second to console):

   * tcpdump -s 0 -i wlan0 -y IEEE802_11_RADIO -w $$-802_11.cap
   * tcpdump -s 0 -i wlan0 -e -vv -XX -y IEEE802_11_RADIO

copyright 2010 16Systems
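
Added example (not part of the original note): a shell helper for steps 3 and 4 that picks the channel of the strongest Access Point from iwlist output and prints the matching monitor-mode commands. The function names and the sample scan output are constructed for illustration; real iwlist output varies by driver.

```shell
#!/bin/sh
# Constructed sample of `iwlist wlan0 scanning` output (addresses and ESSIDs are made up).
sample_scan() {
cat <<'EOF'
wlan0     Scan completed :
          Cell 01 - Address: 00:00:5E:00:53:01
                    Channel:1
                    Frequency:2.412 GHz (Channel 1)
                    Quality=38/70  Signal level=-72 dBm
                    ESSID:"example-a"
          Cell 02 - Address: 00:00:5E:00:53:02
                    Channel:6
                    Frequency:2.437 GHz (Channel 6)
                    Quality=61/70  Signal level=-49 dBm
                    ESSID:"example-b"
          Cell 03 - Address: 00:00:5E:00:53:03
                    Frequency:2.462 GHz (Channel 11)
                    Quality=20/70  Signal level=-90 dBm
                    ESSID:"example-c"
EOF
}

# Read iwlist scan output on stdin and print the channel of the cell with the
# highest signal level. Accepts "Channel:6" or "(Channel 6)" and both
# "Signal level=-49" and "Signal level:-49". Exits 1 if no usable cell is found.
strongest_channel() {
    awk '
        function flush() {
            if (chan != "" && sig != "" && (best == "" || sig + 0 > bestsig)) {
                best = chan; bestsig = sig + 0
            }
        }
        /Cell [0-9]+ - Address:/             { flush(); chan = ""; sig = "" }
        match($0, /Channel[: ][0-9]+/)       { chan = substr($0, RSTART + 8, RLENGTH - 8) }
        match($0, /Signal level[=:]-?[0-9]+/) { sig = substr($0, RSTART + 13, RLENGTH - 13) }
        END { flush(); if (best == "") exit 1; print best }
    '
}

# Print (do not run) the step 4 commands for an interface and channel.
monitor_commands() {
    printf 'iwconfig %s chan %s mode monitor\n' "$1" "$2"
    printf 'ifconfig %s up\n' "$1"
}

# On a live system, replace sample_scan with: iwlist wlan0 scanning
chan=$(sample_scan | strongest_channel) && monitor_commands wlan0 "$chan"
```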