kalanda / esp8266-sniffer

An easy experiment which uses the ESP8266 wifi module to look for near smartphones around you

License: The Unlicense

C++ 100.00%
esp8266 listen packets probe-requests smartphone wifi-network

Contributors: amm0nite, foaly, fontanon, kalanda

esp8266-sniffer's Issues

Add a License

Hey!
This project looks quite cool! I would like to use it myself and extend it a bit.
Would you mind adding a proper open source license, so I can use this without a worry?
Thank you very much!

PS: I can recommend the zlib license.

Track 'n' Trace

If we carry an ESP sniffer around all day, and it logs all the signals that it finds, then that is some kind of record of all of the people that we have been near to, or at least, all of those who are broadcasting a WiFi (or Bluetooth?) signal, which, given the number of folk with WiFi enabled phones is probably a reasonable proportion.
While that information is not a lot of use on its own as a track and trace system, it could possibly be the beginnings of one...

MAC address of Apple Products

It seems like all the WiFi sniffers out there cannot sniff the MAC address of Apple products. Does this sniffer track the MAC address of Apple products?

Only one SSID per device

Hi, whenever I run this script it only gives me one remembered SSID per device. This is a different SSID than the one that device is currently connected to, so it really is a saved network; however, I don't know how to get more SSIDs out of it. I read somewhere that Espressif limited the monitoring mode in recent releases. Any idea how to fix this? (I programmed it using the Arduino IDE.)

Using Software uart

Hi, @kalanda. I am trying to use the SoftwareSerial library in your project and always get the error: rst cause 4, boot mode (1,6) and, after rebooting the device: rst cause 4, boot mode (3,7). Can you help me with this problem?

extern "C" {
#include <user_interface.h>
}
#include <SoftwareSerial.h>

#define DATA_LENGTH 112

#define TYPE_MANAGEMENT 0x00
#define TYPE_CONTROL 0x01
#define TYPE_DATA 0x02
#define SUBTYPE_PROBE_REQUEST 0x04

SoftwareSerial ss(12, 13);

struct RxControl {
  signed rssi:8; // signal intensity of packet
  unsigned rate:4;
  unsigned is_group:1;
  unsigned:1;
  unsigned sig_mode:2; // 0:is 11n packet; 1:is not 11n packet;
  unsigned legacy_length:12; // if not 11n packet, shows length of packet.
  unsigned damatch0:1;
  unsigned damatch1:1;
  unsigned bssidmatch0:1;
  unsigned bssidmatch1:1;
  unsigned MCS:7; // if is 11n packet, shows the modulation and code used (range from 0 to 76)
  unsigned CWB:1; // if is 11n packet, shows if is HT40 packet or not
  unsigned HT_length:16; // if is 11n packet, shows length of packet.
  unsigned Smoothing:1;
  unsigned Not_Sounding:1;
  unsigned:1;
  unsigned Aggregation:1;
  unsigned STBC:2;
  unsigned FEC_CODING:1; // if is 11n packet, shows if is LDPC packet or not.
  unsigned SGI:1;
  unsigned rxend_state:8;
  unsigned ampdu_cnt:8;
  unsigned channel:4; // which channel this packet in.
  unsigned:12;
};

struct SnifferPacket {
  struct RxControl rx_ctrl;
  uint8_t data[DATA_LENGTH];
  uint16_t cnt;
  uint16_t len;
};

static void showMetadata(SnifferPacket *snifferPacket) {
  // The first two bytes of the frame are the 802.11 frame control field (little-endian)
  unsigned int frameControl = ((unsigned int)snifferPacket->data[1] << 8) + snifferPacket->data[0];

  uint8_t version = (frameControl & 0b0000000000000011) >> 0;
  uint8_t frameType = (frameControl & 0b0000000000001100) >> 2;
  uint8_t frameSubType = (frameControl & 0b0000000011110000) >> 4;
  uint8_t toDS = (frameControl & 0b0000000100000000) >> 8;
  uint8_t fromDS = (frameControl & 0b0000001000000000) >> 9;

  // Only look for probe request packets
  if (frameType != TYPE_MANAGEMENT ||
      frameSubType != SUBTYPE_PROBE_REQUEST)
    return;

  Serial.print("RSSI: ");
  Serial.print(snifferPacket->rx_ctrl.rssi, DEC);

  Serial.print(" Ch: ");
  Serial.print(wifi_get_channel());

  // Source address of the frame starts at byte 10
  char addr[] = "00:00:00:00:00:00";
  getMAC(addr, snifferPacket->data, 10);
  Serial.print(" Peer MAC: ");
  Serial.print(addr);

  // Byte 25 is the length of the SSID element, whose value starts at byte 26
  uint8_t SSID_length = snifferPacket->data[25];
  Serial.print(" SSID: ");
  printDataSpan(26, SSID_length, snifferPacket->data);

  Serial.println();
}

/**
 * Callback for promiscuous mode
 */
static void ICACHE_FLASH_ATTR sniffer_callback(uint8_t *buffer, uint16_t length) {
  struct SnifferPacket *snifferPacket = (struct SnifferPacket*) buffer;
  showMetadata(snifferPacket);
}

static void printDataSpan(uint16_t start, uint16_t size, uint8_t* data) {
  for (uint16_t i = start; i < DATA_LENGTH && i < start+size; i++) {
    Serial.write(data[i]);
  }
}

static void getMAC(char *addr, uint8_t* data, uint16_t offset) {
  sprintf(addr, "%02x:%02x:%02x:%02x:%02x:%02x", data[offset+0], data[offset+1], data[offset+2], data[offset+3], data[offset+4], data[offset+5]);
}

#define CHANNEL_HOP_INTERVAL_MS 1000
static os_timer_t channelHop_timer;

/**
 * Callback for channel hopping
 */
void channelHop()
{
  // hopping channels 1-14
  uint8 new_channel = wifi_get_channel() + 1;
  if (new_channel > 14)
    new_channel = 1;
  wifi_set_channel(new_channel);
}

#define DISABLE 0
#define ENABLE 1

void setup() {
  ss.begin(9600);
  // set the WiFi chip to "promiscuous" mode aka monitor mode
  Serial.begin(115200);
  delay(10);
  wifi_set_opmode(STATION_MODE);
  wifi_set_channel(1);
  wifi_promiscuous_enable(DISABLE);
  delay(10);
  wifi_set_promiscuous_rx_cb(sniffer_callback);
  delay(10);
  wifi_promiscuous_enable(ENABLE);

  // setup the channel hopping callback timer
  os_timer_disarm(&channelHop_timer);
  os_timer_setfn(&channelHop_timer, (os_timer_func_t *) channelHop, NULL);
  os_timer_arm(&channelHop_timer, CHANNEL_HOP_INTERVAL_MS, 1);
}

void loop() {
  delay(10);
}

os_timer question

Hi,

What is the following code doing?

os_timer_disarm(&channelHop_timer);
os_timer_setfn(&channelHop_timer, (os_timer_func_t *) channelHop, NULL);
os_timer_arm(&channelHop_timer, CHANNEL_HOP_INTERVAL_MS, 1);

Is this an optimization?

Trying to write data to an SD Card

Hi I'm trying to output the data from this to an SD Card and can write everything but the SSID to the file on the card.

Can you help me by explaining how I can get the SSID in to a variable or string etc. so that I can use myFile.print(ssid); or something similar?

It doesn't have to be a variable, it can be anything as long as I can use myFile.print to get it into the file on the SD Card.

Thanks :)

Listening to specific SSID probe requests

Hello all, this is not really an issue but rather a question.
The code works fine but I have a question about how probe requests work.
From my understanding, a WiFi client sends multiple probe requests if it is searching for multiple pre-saved SSIDs, sending one request per SSID, however, when I tried several codes including yours I get several requests per SSID with different RSSIs up to 30dB difference between them!
Also, I get several requests without any SSID so what are those for?
Could anybody elaborate more on how probe requests work (i.e., different channels, different SSIDs)?
Is there a way to only get the probe requests for a specific SSID, so I can get one request per scan, either using your code or using the WiFi event handlers from the ESP8266 Arduino core (preferably using the Arduino core handlers because they work in AP mode without promiscuous mode)?

Your help is pretty much appreciated, and keep up the good work!
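
For the SD card question above and the SSID-less requests asked about in this issue: one way to get the SSID into a NUL-terminated string is to walk the tagged parameters after the 24-byte management header and treat the length byte as untrusted; a zero-length SSID element is a wildcard (broadcast) probe. This is an added example, not code from the project or from the posters; `extractSsid`, `SAMPLE_PROBE` and the constants are hypothetical names, the frame bytes are constructed, and it is written as host C++ so it compiles without the ESP8266 SDK.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

static const size_t MGMT_HEADER_LEN = 24;  // 802.11 management header
static const uint8_t TAG_SSID = 0;         // element ID of the SSID
static const size_t MAX_SSID_LEN = 32;     // 802.11 SSID size limit

// Constructed sample probe request (not captured traffic).
static const uint8_t SAMPLE_PROBE[] = {
    0x40, 0x00, 0x00, 0x00,                     // frame control, duration
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,         // destination: broadcast
    0xda, 0xa1, 0x19, 0x00, 0x00, 0x01,         // source MAC (constructed)
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,         // BSSID: broadcast
    0x10, 0x00,                                 // sequence control
    0x00, 0x07, 'H', 'o', 'm', 'e', '\n', 'A', 'P',  // SSID, 7 bytes
    0x01, 0x04, 0x02, 0x04, 0x0b, 0x16          // supported rates
};

// Copies the SSID into out (NUL-terminated); returns its length
// (0 = wildcard probe) or -1 if the frame is malformed or truncated.
int extractSsid(const uint8_t *frame, size_t frameLen, char *out, size_t outSize) {
    if (!frame || !out || outSize == 0) return -1;
    out[0] = '\0';
    size_t pos = MGMT_HEADER_LEN;
    while (pos + 2 <= frameLen) {
        uint8_t id = frame[pos];
        size_t len = frame[pos + 1];
        size_t value = pos + 2;
        if (value + len > frameLen) return -1;  // length runs past captured bytes
        if (id == TAG_SSID) {
            if (len > MAX_SSID_LEN || len >= outSize) return -1;
            for (size_t i = 0; i < len; i++) {
                uint8_t c = frame[value + i];
                // Control bytes become '?' so an SSID cannot inject newlines into logs.
                out[i] = (c >= 0x20 && c <= 0x7e) ? (char)c : '?';
            }
            out[len] = '\0';
            return (int)len;
        }
        pos = value + len;
    }
    return -1;  // no SSID element found
}

int main() {
    char ssid[MAX_SSID_LEN + 1];
    int n = extractSsid(SAMPLE_PROBE, sizeof(SAMPLE_PROBE), ssid, sizeof(ssid));
    std::printf("len=%d ssid=\"%s\"\n", n, ssid);
}
```

On the ESP8266, pass `snifferPacket->data` with the number of bytes actually captured (at most `DATA_LENGTH` in the sketch above) and hand the resulting buffer to `myFile.print`.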

Data packet

Can this work sniff all the packets in the air in addition to the probe packets?

Serial debug : Error: (22, 'Invalid argument')

Hi @kalanda,
I successfully uploaded your code to my ESP8266, and the LED blinking makes me think it's working properly.
I would like to check the output sent to the serial port in PlatformIO but I keep getting this error:

$ platformio device monitor -p /dev/cu.usbserial -b 115200 --raw
Error: (22, 'Invalid argument')

Am I missing something in the setup?

without ssid

Hello. How can I (without SSID history and never having connected to the modem before...) catch mobile phones' (or other devices') MAC addresses? Is it impossible this way?

MQTT Support

Is it possible to send the results over MQTT?

Optimization?

Hi,

Is sdk_wifi_promiscuous_enable the best way to handle all incoming packets? Isn't it better to handle the packets in the loop of the Arduino program somehow?

Channel Hopping

The project only scans probes on channel 13 and doesn't seem to detect anything from other channels. I've been able to get it to scan through the channels but it doesn't loop back to channel 1 and ends/keeps scanning channel 13.

#define CHANNEL_HOP_INTERVAL_MS 200
static os_timer_t channelHop_timer;

/**
 * Callback for channel hopping
 */
void channelHop()
{
  // hopping channels 1-14
  uint8 new_channel = wifi_get_channel() + 1;
  if (new_channel > 14)
    new_channel = 1;
  wifi_set_channel(new_channel);
}

Search for specific MAC

Hi,

I'd like to use this to search for a specific client MAC address.
I've spent hours trying to do it with little to no success!

Could you point me in the right direction?

Thanks
