
Use other Wifi packets, not just broadcast probes #35

Closed
victorhooi opened this issue Mar 22, 2018 · 1 comment
Labels
documentation Something to update in documentation question Further information is requested

Comments

@victorhooi
Contributor

As requested per chat on Slack, I took some tshark captures, with client devices moving between APs:

Client Devices

| Name | MAC Address |
| --- | --- |
| Macbook Pro | ac:bc:32:81:53:eb |
| Pixel Phone | 40:4e:36:0b:82:71 |

Downloaded large test file on the Macbook like so:

wget -O /dev/null http://speedtest.tele2.net/10GB.zip

Downloaded large test file on phone via browser.

Access Points

| Name | MAC Address |
| --- | --- |
| Cafe | f0:9f:c2:7c:66:08 |
| Kid's Room | f0:9f:c2:7c:76:56 |
| Main Hall (Right) | f0:9f:c2:7c:68:9c |
| Main Hall (Left) | f0:9f:c2:7c:66:1b |
| Upstairs | f0:9f:c2:7c:6c:1e |

Raspberry PIs

I took captures on 3 Raspberry Pis with the following command:

sudo tshark -I -i wlan1 -a duration:600 -w /tmp/tshark-<location>

I set the time limit to 10 minutes - in this case, I ended up capturing for more, so I created a new file ending in "2" once the first capture ended.

Timeline

Started off under Cafe AP

Fri 23 Mar 2018 06:32:39 AEDT
Moved closer to Kidsroom AP
MacBook stayed associated with Cafe, Pixel Phone changed association to Cafe AP

Fri 23 Mar 2018 06:35:38 AEDT
Moved back to Cafe AP

Fri 23 Mar 2018 06:38:18 AEDT
Moved back to Kidsroom AP

Fri 23 Mar 2018 06:41:08 AEDT
Moved back to Cafe AP

packet_captures.zip

@schollz
Owner

schollz commented Mar 23, 2018

@victorhooi

Thanks. I dumped the packets with

sudo tshark -r tshark-entrance.pcap -T fields -e frame.time_epoch -e wlan.sa -e wlan.ta -e wlan.ra -e wlan.da -e radiotap.dbm_antsignal

to get the sender, receiver, transmitter, and destination.

Some initial observations:

1. Broadcasts are great

Here are the signals being sent to ff:ff:ff... from your phone. They are ordered in time, but you can see just by inspection that they oscillate between two fairly similar numbers (reflecting going from cafe -> kidsroom -> cafe -> kidsroom -> cafe).

You can also see that the cafetv is different than entrance which is different from kidsroom, which is also great. That means that these broadcasts can be used to distinguish your phone.

cafetv 40:4e:36:0b:82:71-40:4e:36:0b:82:71-ff:ff:ff:ff:ff:ff-ff:ff:ff:ff:ff:ff [-41.0, -47.0, -45.0, -45.0, -65.0, -67.0, -43.0, -39.0, -43.0, -63.0, -63.0, -67.0, -65.0, -65.0, -71.0, -39.0, -45.0, -45.0, -41.0]
entrance 40:4e:36:0b:82:71-40:4e:36:0b:82:71-ff:ff:ff:ff:ff:ff-ff:ff:ff:ff:ff:ff [-37.0, -41.0, -41.0, -43.0, -47.0, -47.0, -63.0, -43.0, -45.0, -39.0, -41.0, -53.0, -59.0, -63.0, -61.0, -57.0, -59.0, -59.0, -31.0, -37.0, -39.0, -41.0]
kidsroom 40:4e:36:0b:82:71-40:4e:36:0b:82:71-ff:ff:ff:ff:ff:ff-ff:ff:ff:ff:ff:ff [-63.0, -67.0, -67.0, -45.0, -45.0, -47.0, -45.0, -63.0, -65.0, -61.0, -69.0, -69.0, -41.0, -39.0, -39.0, -41.0, -37.0, -39.0, -41.0, -51.0, -63.0, -65.0]

2. Other packets are not good

Here's an example of another packet (sent by f2:9f... to your phone):

cafetv f2:9f:c2:7d:68:9c-f2:9f:c2:7d:68:9c-40:4e:36:0b:82:71-40:4e:36:0b:82:71 [-49.0, -49.0, -49.0, -49.0, -49.0, -49.0, -49.0, -49.0, -49.0, -51.0, -49.0, -47.0, -49.0, -51.0, -49.0, -49.0, -49.0, -47.0, -49.0]
entrance f2:9f:c2:7d:68:9c-f2:9f:c2:7d:68:9c-40:4e:36:0b:82:71-40:4e:36:0b:82:71 [-57.0, -57.0, -73.0, -57.0, -57.0, -57.0, -57.0, -57.0, -55.0, -57.0, -57.0, -57.0, -57.0, -57.0, -57.0, -57.0, -57.0, -57.0, -57.0, -57.0, -57.0, -65.0, -57.0]
kidsroom f2:9f:c2:7d:68:9c-f2:9f:c2:7d:68:9c-40:4e:36:0b:82:71-40:4e:36:0b:82:71 [-55.0, -59.0, -53.0, -59.0, -61.0, -61.0, -61.0, -61.0, -61.0, -59.0, -61.0, -59.0, -61.0, -61.0, -53.0, -61.0, -59.0, -59.0, -61.0]

You can see that the values are always the same despite you moving from place to place. Therefore these signals do not reflect your current position.

Unfortunately, this is the case with all the other packets. Here's another example (b0:39... to your phone):

cafetv b0:39:56:c3:76:3e-b0:39:56:c3:76:3e-40:4e:36:0b:82:71-40:4e:36:0b:82:71 [-67.0, -67.0, -69.0, -67.0, -67.0, -67.0, -67.0, -67.0, -69.0, -67.0, -65.0, -65.0, -69.0, -69.0, -67.0, -65.0, -67.0, -67.0, -67.0]
entrance b0:39:56:c3:76:3e-b0:39:56:c3:76:3e-40:4e:36:0b:82:71-40:4e:36:0b:82:71 [-65.0, -73.0, -73.0, -73.0, -71.0, -71.0, -73.0, -73.0, -73.0, -71.0, -73.0, -69.0, -73.0, -73.0, -73.0, -71.0, -73.0, -71.0, -73.0, -73.0, -71.0]
kidsroom b0:39:56:c3:76:3e-b0:39:56:c3:76:3e-40:4e:36:0b:82:71-40:4e:36:0b:82:71 [-73.0, -73.0, -73.0, -75.0, -73.0, -73.0, -73.0, -71.0, -73.0, -71.0, -73.0, -75.0, -73.0, -73.0, -77.0, -73.0, -73.0, -71.0, -73.0]

The values are always the same, even though you are changing places.

The only packets sent from your device are broadcast packets

If you look through the output of the attached script you'll see that only broadcasts are sent from your device. This is probably why it doesn't work for other packets, as they are sent from other devices and are static.

packets-analysis.zip
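The analysis described in the comment above, as an added example that is not the attached script or part of the find3 project: it parses `tshark -T fields` output in the column order of the command quoted in the comment, groups RSSI readings per sniffer location and (sa, ta, ra, da) tuple, and keeps only the tuples whose readings spread while the client moved. The sample lines, the 6 dB spread threshold and the helper names are constructed assumptions.

```python
from collections import defaultdict
from statistics import pstdev

PHONE = "40:4e:36:0b:82:71"        # Pixel Phone from the issue's device table
AP = "f2:9f:c2:7d:68:9c"           # sender of the static packets in the comment
BROADCAST = "ff:ff:ff:ff:ff:ff"

def parse_line(line):
    """Parse one tab-separated 'tshark -T fields' line (frame.time_epoch, wlan.sa,
    wlan.ta, wlan.ra, wlan.da, radiotap.dbm_antsignal) into a tuple, or return
    None when any field is empty (e.g. control frames carrying no source address)."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 6 or not all(parts):
        return None
    epoch, sa, ta, ra, da, rssi = parts
    # Multi-antenna captures join several dBm values with commas; keep the first.
    return float(epoch), sa, ta, ra, da, float(rssi.split(",")[0])

def group_rssi(lines_by_location):
    """Map (location, sa, ta, ra, da) -> list of RSSI readings in dBm."""
    groups = defaultdict(list)
    for loc, lines in lines_by_location.items():
        for line in lines:
            rec = parse_line(line)
            if rec is not None:
                _, sa, ta, ra, da, rssi = rec
                groups[(loc, sa, ta, ra, da)].append(rssi)
    return groups

def position_sensitive(groups, min_spread_db=6.0):
    """Return the address tuples whose RSSI spread at every sniffer exceeds
    min_spread_db while the client walked around, i.e. the ones worth using
    for positioning. Flat tuples (other devices' traffic) are dropped."""
    spread = defaultdict(list)
    for (loc, sa, ta, ra, da), vals in groups.items():
        spread[(sa, ta, ra, da)].append(pstdev(vals) if len(vals) > 1 else 0.0)
    return {t for t, s in spread.items() if min(s) >= min_spread_db}

def make_lines(sa, da, rssis):
    """Constructed sample lines in tshark field order (sa == ta, ra == da)."""
    return [f"{1521750000 + i}\t{sa}\t{sa}\t{da}\t{da}\t{r}" for i, r in enumerate(rssis)]

SAMPLE = {  # constructed data shaped like the numbers in the comment
    "cafetv": make_lines(PHONE, BROADCAST, [-41, -47, -65, -67, -43, -39])
            + make_lines(AP, PHONE, [-49, -49, -51, -49, -47, -49]),
    "kidsroom": make_lines(PHONE, BROADCAST, [-63, -67, -45, -45, -63, -41])
              + make_lines(AP, PHONE, [-55, -59, -61, -61, -59, -61]),
}

if __name__ == "__main__":
    for t in sorted(position_sensitive(group_rssi(SAMPLE))):
        print("usable for positioning:", "-".join(t))
```

With real captures, feed each location's `tshark -r ... -T fields` output lines as the dictionary values; only the phone's own broadcast tuple survives the spread check, matching the comment's conclusion.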

@schollz schollz added the question Further information is requested label Mar 24, 2018
@schollz schollz added the documentation Something to update in documentation label Apr 20, 2018
@schollz schollz closed this as completed Apr 20, 2018