Created
March 30, 2017 19:56
Save ruichuang/3221b868f8a8c3075b1173ccdd56781c to your computer and use it in GitHub Desktop.
scanning devices within wifi area
http://www.libelium.com/products/meshlium/smartphone-detection/
• The MAC address of the wireless interface, which allows it to be identified uniquely.
• The strength of the signal (RSSI), which gives us the average distance of the device from the scanning point.
• The vendor of the smartphone (Apple, Samsung, etc.)
• The WiFi Access Point where the user is connected (if any) and the Bluetooth friendly name. Users not connected to an AP will be shown as "free users".
• The Class of Device (CoD) in the case of Bluetooth, which allows us to differentiate the type of device (smartphone, handsfree, computer, LAN/network AP). With this parameter we can differentiate between pedestrians and vehicles.
calculate distance wifi triangle
http://stackoverflow.com/questions/16485370/wifi-position-triangulation
active scan and the probe requests and responses.
https://www.hak5.org/episodes/haktip-23
AP hears probe request -> from specific AP / -> all stations in area using broadcast SSID => probe response
Because the probe request is sent from the mobile station to the destination layer-2 address and BSSID of ff:ff:ff:ff:ff:ff, all APs that receive it will respond.
sudo ifconfig wlan0 promisc
tcpdump -c 10000 -s0 -I -i en0 -w /tmp/mm_capture.pcap
tcpdump -c <number>: number of packets to capture
tshark -r mm_capture.pcap -Y "wlan.fc.type_subtype == 0x04" -T fields -e frame.number -e wlan.sa -e radiotap.dbm_antsignal > test4.csv
tshark -r mm_capture.pcap -Y "wlan.fc.type_subtype == 0x05" -T fields -e wlan.da -e radiotap.dbm_antsignal -e wlan.sa > test4.csv
csv file format
frame number - source MAC address - RSSI
Probe response frame: wlan.fc.type_subtype == 0x05
Probe request frame: wlan.fc.type_subtype == 0x04
Beacon frame: wlan.fc.type_subtype == 0x08
Authentication frame: wlan.fc.type_subtype == 0x0b
Deauthentication frame: wlan.fc.type_subtype == 0x0c
Association request frame: wlan.fc.type_subtype == 0x0
sig_str = -(256-ord(packet.notdecoded[-4:-3]))
iOS 8 devices try to roam when their associated BSSID signal falls below –70 dBm RSSI. The iOS 8 devices then scan all channels (without 802.11k) or the target channels communicated by their current AP (with 802.11k enabled), and roam to another AP if its signal is 8 dB better (iOS 8 device in active communication) or 12 dB better (iOS 8 device in idle) than the current AP.
802.11 Header Field
Either Source or Destination Address: wlan.addr
Transmitter Address: wlan.ta
Source Address: wlan.sa
Receiver Address: wlan.ra
Destination Address: wlan.da
BSSID: wlan.bssid
Duration: wlan.duration
Frame Control Subfields
Frame Type: wlan.fc.type
Frame Subtype: wlan.fc.subtype
ToDS Flag: wlan.fc.tods
FromDS Flag: wlan.fc.fromds
Retry Flag: wlan.fc.retry
Protected Frame (WEP) Flag: wlan.fc.wep
Trilateration
https://en.wikipedia.org/wiki/Trilateration
RSSI to distance
RSSI = -20 * log10(distance in meters) + RssiAtOneMeter
distance in meters = pow(10, (RssiAtOneMeter - ReceivedRSSI) / 20)
distance is in meters
TxPower really means the power received at a 1 meter distance
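
Added example (not part of the original notes): it chains the steps above, reading the tab-separated rows that `tshark -T fields` writes for the probe request filter, averaging RSSI per source MAC, applying the RSSI-to-distance formula, and trilaterating in 2D from three scanning points. The function names, the -40 dBm value for RssiAtOneMeter, the scanner coordinates and the capture rows are all assumptions constructed for illustration.

```python
from collections import defaultdict

RSSI_AT_ONE_METER = -40.0  # assumed calibration value; measure it for your own receiver

def rssi_to_distance(rssi, rssi_at_one_meter=RSSI_AT_ONE_METER):
    # Formula from the notes: pow(10, (RssiAtOneMeter - ReceivedRSSI) / 20)
    return 10 ** ((rssi_at_one_meter - rssi) / 20.0)

def mean_rssi_by_mac(tshark_text):
    # Rows are tab-separated: frame.number, wlan.sa, radiotap.dbm_antsignal
    samples = defaultdict(list)
    for line in tshark_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 3 or not fields[2]:
            continue  # frame without a radiotap signal value
        # tshark joins repeated occurrences of a field with commas; keep the first
        samples[fields[1].lower()].append(float(fields[2].split(",")[0]))
    return {mac: sum(vals) / len(vals) for mac, vals in samples.items()}

def trilaterate(p1, d1, p2, d2, p3, d3):
    # 2D position from three scanner positions (x, y) and distances in meters
    (x1, y1), (x2, y2), (x3, y3) = p1, p2, p3
    # Subtracting circle 1 from circles 2 and 3 leaves two linear equations
    a, b = 2 * (x2 - x1), 2 * (y2 - y1)
    c = d1**2 - d2**2 + x2**2 - x1**2 + y2**2 - y1**2
    d, e = 2 * (x3 - x1), 2 * (y3 - y1)
    f = d1**2 - d3**2 + x3**2 - x1**2 + y3**2 - y1**2
    det = a * e - b * d
    if abs(det) < 1e-9:
        raise ValueError("scanners are collinear; position is ambiguous")
    return ((c * e - b * f) / det, (a * f - c * d) / det)

def locate(mac, scanners):
    # scanners: three ((x, y), tshark_text) pairs, one per scanning point
    args = []
    for position, text in scanners:
        args += [position, rssi_to_distance(mean_rssi_by_mac(text)[mac])]
    return trilaterate(*args)

# Constructed sample data: one device seen by three scanners (positions in meters)
MAC = "02:00:00:aa:bb:cc"
SCANNERS = [
    ((0.0, 0.0), "12\t02:00:00:aa:bb:cc\t-54\n40\t02:00:00:aa:bb:cc\t-54\n"),
    ((10.0, 0.0), "7\t02:00:00:aa:bb:cc\t-58\n19\t02:00:00:aa:bb:cc\t-58\n"),
    ((0.0, 10.0), "3\t02:00:00:aa:bb:cc\t-56\n25\t02:00:00:aa:bb:cc\t-57\n"),
]

if __name__ == "__main__":
    print("estimated position (m): %.2f, %.2f" % locate(MAC, SCANNERS))
```

Whole-dBm RSSI readings limit the precision of the result: with these rows the estimate lands about 0.1 m from the (3, 4) position the sample values were built around.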