How many times have you had to take a look at the Wi-Fi traffic flying around your environment? When I do, I like to use horst, a fast but bare-bones network analyzer. You simply put your network card into monitor mode and off you go.
First, some background: I often use the Wi-Fi Analyzer app on my Android Galaxy S3 to look at signal strength and which access points are using which channels. While it’s convenient, it doesn’t really give me any performance stats or logs.
Years ago, I used Kismet, along with a plug-in 802.11b card, a hacked antenna cable and a “Cantenna” for a little better reception. Yagi and parabolics are much better. web.archive.org has a comprehensive article on building your own rig. I remember more than one Linux geek jerking their head around to see where that familiar Kismet “hammer on brick ping” sound came from when I was scanning Wi-Fi channels in a room. Kismet works well, though I always thought it was a bit of a pain to set up on a new or rebuilt machine.
br1 at http://br1.einfach.org wrote the little text-based monitor program called horst, which only requires changing the mode of the Wi-Fi card on your Linux machine. Most modern Wi-Fi chips should work. There’s a tar file on the website you can download and install. I loaded it using Synaptic under Xubuntu.
Documentation is pretty sparse, so you’ll have to explore the program on your own to understand all of its capabilities. Today, we’ll look at the basics.
Putting a late-model Wi-Fi radio into monitor mode is done with the following command line:
rob$ sudo iw dev wlan0 interface add mon0 type monitor
You can then start horst.
rob$ sudo horst -i mon0
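The two steps above, wrapped as an added example (not from the original article or the horst project): a bash script that validates the interface names, creates the monitor interface, runs horst, and removes the interface again afterwards. It assumes iw, ip and horst are installed; the explicit `ip link set ... up` and the teardown are additions, and by default the script only prints the commands it would run.

```shell
#!/usr/bin/env bash
# Added example: monitor-mode setup and teardown around a horst session.
# Assumes iw, ip and horst are installed; wlan0/mon0 are the article's names.

# Dry run by default: print the command. Execute it only when APPLY=1.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# Accept only plain interface names (max 15 chars) in commands run as root.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

mon_up() {   # mon_up <wifi-dev> <monitor-dev>
    valid_ifname "$1" && valid_ifname "$2" || { echo "bad interface name" >&2; return 2; }
    run iw dev "$1" interface add "$2" type monitor || return
    # Added step, not in the article: make sure the new interface is up.
    run ip link set "$2" up || { run iw dev "$2" del; return 1; }
}

mon_down() { # mon_down <monitor-dev>
    valid_ifname "$1" || return 2
    run iw dev "$1" del
}

monitor_session() { # monitor_session <wifi-dev> <monitor-dev>
    mon_up "$1" "$2" || return
    trap "mon_down $2" EXIT      # name is validated, safe to embed here
    trap 'exit 130' INT TERM     # route Ctrl-C through the EXIT cleanup
    rc=0
    run horst -i "$2" || rc=$?
    trap - EXIT INT TERM
    mon_down "$2"
    return "$rc"
}

# Runs only on request: sudo APPLY=1 ./horst-session.sh run wlan0 mon0
if [ "${1:-}" = "run" ]; then
    monitor_session "${2:-wlan0}" "${3:-mon0}"
fi
```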
The image below shows the main horst screen. Other screens are selected by typing the underlined keyboard shortcut letters. Shift-P toggles pausing of the capture, while Shift-S toggles the spectrum analyzer screen. That screen shows each channel and its associated signal strength bar graph.
You can use Shift-F to get to the filter screen shown in the next image. Selections include beacon and authentication frames, control frames (CTS/RTS and ACK) and data frames (ARP, IP, UDP, TCP, etc.). You can also enter nine different MAC addresses that you’d like to track. horst will filter those out for you.
Use Shift-A to look at packet statistics such as data rates and utilization at various Wi-Fi speeds and stats on throughput of different packet types.
I like the layout of horst because the screens are uncluttered and fast. Wireshark provides an awful lot of information, although I think it’s a little overkill for most of my network investigations. With horst, you’re also able to simultaneously examine all the channel strengths across the 2.4 GHz Wi-Fi band.
horst is a fast, straightforward, and bare-bones Wi-Fi network analyzer. You simply need to put your network card into monitor mode and off you go.
If you need to go beyond horst on the common 2.4 GHz Wi-Fi frequencies, be sure to take a look at the HackRF software defined radio board on Kickstarter. It’s an open source, USB powered, 30 MHz to 6 GHz transceiver board that works with the popular GNU Radio software framework. It looks like a supremely capable radio for around $300. With a bandwidth of 20 MHz, the HackRF board would serve as a decent spectrum analyzer, as well.