Targeted Packet Sniffing

Advanced Techniques in Ethical Hacking

Introduction

In network security assessment, targeted packet sniffing is a crucial technique that allows security professionals to focus on specific networks rather than capturing all surrounding network traffic. This technique is more efficient and provides detailed information about a particular target network.

Note: This guide is for educational purposes only. Always obtain proper authorization before performing security assessments on any network.

Prerequisites

Before proceeding with targeted packet sniffing, ensure you have:

  • A wireless adapter capable of monitor mode
  • Kali Linux or another penetration testing OS
  • Basic understanding of wireless networks
  • Knowledge of using airodump-ng for network discovery

Targeted Packet Sniffing with airodump-ng

While basic network scanning allows us to see all networks in range, targeted packet sniffing lets us focus on a specific network to gather more detailed information about it and its connected clients.

Step-by-Step Process

Identify Your Target Network

First, use airodump-ng to list all networks and identify your target based on BSSID, channel, and signal strength.

airodump-ng mon0

Run Targeted Capture

Once you've identified your target network, use airodump-ng with specific parameters to focus only on that network:

airodump-ng --bssid [TARGET_BSSID] --channel [CHANNEL_NUMBER] --write [FILENAME] mon0

Example:

airodump-ng --bssid 00:11:22:33:44:55 --channel 2 --write test mon0

Understand the Output

The targeted airodump-ng output now shows:

  • Upper section: Information about the target network
  • Lower section: Connected clients/devices with their MAC addresses

Analyze Captured Files

After stopping the capture (Ctrl+C), several files are created:

  • .cap - Packet capture file (main file for analysis)
  • .csv - Comma-separated values file
  • .netxml - Network XML data
  • .kismet.csv - Additional CSV format for Kismet

Note that airodump-ng automatically appends a number (e.g., -01) to these filenames.

Understanding the Captured Data

Client Information

The targeted capture reveals connected clients with details such as:

Information   Description
Station       MAC address of the connected device
PWR           Signal strength/power level
Rate          Connection speed
Lost          Number of data packets lost
Frames        Number of frames/packets captured
Probe         Networks the device is probing/looking for

[Figure: Network Packet Flow Diagram]

Analyzing Captured Packets with Wireshark

Wireshark is a powerful tool for analyzing captured packet data. Here's how it helps in the targeted packet sniffing process:

Opening Capture Files in Wireshark

  1. Launch Wireshark
  2. Open the .cap file (e.g., test-01.cap)
  3. Examine the packet details

Encryption Challenge

When analyzing WPA/WPA2 encrypted networks, you'll notice that the actual packet contents appear as gibberish without the encryption key. Only metadata like MAC addresses and device manufacturers may be visible.

Information You Can Still Gather

Even with encryption, you can determine:

  • Device manufacturers (e.g., Apple, Huawei) based on MAC address OUIs
  • Number of devices connected to the network
  • Connection patterns and activity levels
  • Signal strengths indicating approximate device locations
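The client table and the manufacturer lookup described above can be pulled straight from the -01.csv file that airodump-ng writes next to the .cap. The following is an added example, not code from the original guide: it parses a constructed sample of that CSV (the BSSID is the one from the example command above), and its vendor table is a constructed stand-in for the IEEE OUI registry.

```python
import csv
import io

# Constructed sample of an airodump-ng CSV (what --write test produces as test-01.csv).
# Layout follows the real format: access-point section, blank line, station section.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 2, 54, WPA2, CCMP, PSK, -40, 120, 3, 0. 0. 0. 0, 4, Test, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:01:02:03, 2024-01-01 10:00:10, 2024-01-01 10:04:50, -52, 310, 00:11:22:33:44:55, Test
AA:BB:CC:0A:0B:0C, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -70, 12, 00:11:22:33:44:55, Test,HomeWifi
DD:EE:FF:10:20:30, 2024-01-01 10:02:00, 2024-01-01 10:02:30, -85, 2, (not associated), CoffeeShop
"""

# Constructed stand-in for the IEEE OUI registry (real lookups use the published list).
OUI_TABLE = {"AA:BB:CC": "ExampleVendor", "DD:EE:FF": "OtherVendor"}

def parse_airodump_csv(text):
    """Return (access_points, stations) from airodump-ng CSV text. The trailing
    'Probed ESSIDs' column is itself comma-separated, so fields after the station's
    BSSID are gathered into a probe list instead of being lost."""
    aps, stations, section = [], [], None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or not row[0]:
            continue  # blank separator line between the two sections
        if row[0] in ("BSSID", "Station MAC"):
            section = row[0]  # a header row starts a new section
            continue
        if section == "BSSID":
            aps.append({"bssid": row[0], "channel": row[3], "privacy": row[5],
                        "power": int(row[8]), "essid": row[13]})
        elif section == "Station MAC":
            stations.append({"mac": row[0], "power": int(row[3]), "packets": int(row[4]),
                             "bssid": row[5], "probes": [p for p in row[6:] if p]})
    return aps, stations

def vendor(mac):
    """Map the first three octets (the OUI) to a vendor name; 'unknown' if unlisted."""
    return OUI_TABLE.get(mac.upper()[:8], "unknown")

def client_report(text, target_bssid):
    """Clients joined to the target AP, plus stations seen probing but not associated."""
    _, stations = parse_airodump_csv(text)
    joined = [s for s in stations if s["bssid"].upper() == target_bssid.upper()]
    return {"client_count": len(joined),
            "clients": [dict(s, vendor=vendor(s["mac"])) for s in joined],
            "unassociated": [s["mac"] for s in stations if s["bssid"] == "(not associated)"]}
```

Comparing the associated-client list against an inventory of your own devices is a quick way to spot an unexpected station on a network you are responsible for.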

Advanced Techniques and Next Steps

After mastering targeted packet sniffing, the next logical steps in ethical hacking include:

  1. Breaking WPA/WPA2 encryption to view packet contents
  2. Mapping all computers on the target network
  3. Gathering detailed information about network devices
  4. Performing post-connection network analysis

Important: The difference between open and secured networks is significant. With open networks, packet contents are immediately visible. With encrypted networks, you need the key to decrypt the traffic.

Key Takeaways

  • Targeted packet sniffing focuses on a specific network using the BSSID and channel parameters with airodump-ng
  • The command structure is: airodump-ng --bssid [TARGET_BSSID] --channel [CHANNEL_NUMBER] --write [FILENAME] mon0
  • Captured data packets are stored in multiple file formats including .cap files for detailed analysis
  • Encrypted networks (WPA/WPA2) prevent direct reading of captured packet contents without the encryption key
  • Wireshark can analyze captured packets but encrypted data appears as gibberish without the appropriate keys
  • Device information like manufacturer can still be determined from MAC address analysis even with encryption