Jump to content
Sign in to follow this  
wuwuxin

Any Delphi WiFi/Bluetooth component for developing sniffer?

Recommended Posts

Need to develop a custom sniffer application to detect Wifi and Bluetooth MACs in a train station, for the purpose of counting pedestrians.

 

Is there any existing Delphi compoenent that can be used to that end?

 

Thanks.

Share this post


Link to post
Guest

Well, i don't have an answer, but i have information that might give you start point, though my thoughts will be on Wifi only, as Bluetooth stuff is easy to find and understand on the Internet, also it has very short range in comparison to Wifi.

 

1) WiFi protocol is designed in a way that will not help you to achieve your goal, i mean it built to serve Client->APServer not the other way around.

2) The problem is not only within the protocol itself, but in the hardware too, most if not all Wifi adapters will work on one channel out of 11 defined by the protocol specification, meaning, server will serve one channel while client can scan and connect to only one at a time.

3) There is two scanning mode performed by a client, passive and active, in active mode the client will ping any AP (server) in the range and wait for an answer then switch channel and ping again( then wait...), this is detectable by AP, while in passive mode the client will just listen to a channel for specified time then change the channel and wait on it, this mode is undetectable by AP.

4) From ( 3 ) you see what is scanning in case the client is not connected, but what if the client is connected?, then no scanning is happening, here comes sniffing, where AP will listen to a channel and capture packets flying around between a Client and an AP, this is detectable by your adapter, again you need to wait a specific time before decide there is traffic on this channel or not, then capture the MAC addresses.

5) Most hardware will operate on one channel and this will make sniffing is more like fishing in big pond, where you can't stay one one channel for long time and miss the fun on other channels, so either you need specific hardware that operate on all of them (channels) or use multiple devices to scan more than a channel simultaneously, a specified hardware that operate on all channel or more than one will be expensive and not consumer grade device, yet it does exist, on other hand using multiple wifi devices will be cheaper, but a little harder to build and operate, in theory you can operate 11 USB devices, but will the mainboard provide enough power for them ?!, here i would suggest to think differently and use multiple small and cheap devices dedicated for such monitoring and report to your station, example, while Arduino might be in theory is enough, i would suggest a Raspberry devices to do this, managing 11 devices with dedicated power for each will be better (i think) as they also can cover wider area, also in such approach you can just add more to cover wider area.

 

 

There is one Delphi library that can perform a sniffing as reported by its feature list https://www.nicomsoft.com/products/wifi-manager/features/

As for hardware i know that Alfa products https://www.alfa.com.tw/ are monsters and cheap, by monsters i mean some of their product have have wifi range with 35 Km (kilometers), tested and i worked on it, also checking their site now i see they already have this baby monster that might be perfect fit in case you went with dedicated devices https://www.alfa.com.tw/products/pi-wifi4_pcba with a price at $38 https://www.eurodk.com/en/products/wireless-routers/alfa-pi-wifi4_pcba-router-board , this makes it very suitable fit.

 

The fact that they have a dedicated page to list the Kali Linux compatible devices, makes them the perfect candidate for you to contact and get their insight, so i suggest to contact them or any hardware manufacturer to get more information on what is doable and what is not.

 

ps: if you want to research Wifi sniffing, then i would suggest to get your hand on Kali Linux and try it with USB Wifi adapter, it will be fun, there is many resources on the internet on that matter.

Share this post


Link to post
7 hours ago, Kas Ob. said:

Well, i don't have an answer, but i have information that might give you start point, though my thoughts will be on Wifi only, as Bluetooth stuff is easy to find and understand on the Internet, also it has very short range in comparison to Wifi.

@Kas Ob.

Thank you very much for such an insightful answer.  Very helpful indeed.

Share this post


Link to post
7 hours ago, Kas Ob. said:

ou need to wait a specific time before decide there is traffic on this channel or not, then capture the MAC addresses.

@Kas Ob.

I have more one question:  what this "specific time" would be?  Is it specified in the protocol?

Share this post


Link to post
Guest
1 hour ago, wuwuxin said:

I have more one question:  what this "specific time" would be?  Is it specified in the protocol?

Can't say for sure, can't remember the numbers, but it is defined in the specifications and changed over the years slightly, some in ms and some in microseconds, and some longer, and some de facto a standard for now specially for mobiles as they evolve and get better and better.

Searching the internet for more detailed resources will be helpful, as some hardware doesn't allow "less than x" while other doesn't allow "more than x", simply some exclusively synchronous or asynchronous.

Also the biggest time problem is not in the timeout itself, but in the tuning to different channel this is not an instant operation, some takes relatively long time (more than 500ms or even seconds) to switch.

 

By having multiple devices where each scan on fixed channel this will be less important or less to worry about.

 

Also if you choose to investigate the Raspberry approach, you need to be sure if it can support extra Wifi module(s), by adding extra Wifi module or USB module to it, you will be able to decrease the number of devices greatly along with the cost, but as always the keyword here is the power, can a device support two or more Wifi module in always on mode, so you need to keep this question on your top to know, power will be the first to fail or render the operation obsolete, not only because the covering range is depending on it, but with extra power comes the higher temperature, with high temperature comes antenna skewing the frequency rendering it scanning on sub frequency.

 

I suggest to ask someone local to you if you can find, where have greater knowledge with such hardware and their capability, also different forums where the hardware is its main subject you can find more information.

 

 

Share this post


Link to post
Guest

About Bluetooth,

I really don't much information but i remembered that read yesterday this blog https://www.schneier.com/blog/archives/2021/09/tracking-people-by-their-mac-addresses.html

This reminded me of few articles discussing Bluetooth 3.0+ and the demand for MAC address randomization, so using Bluetooth can be very challenging as with each disconnect and reconnect for such headphones, they might look like a new device in the range.

 

Sorry but also you need more information from people who knows more about this.

Share this post


Link to post
Guest

@wuwuxin , came across an amazing article (blog post) about zero-click vulnerability in iOS, the author did amazing job and documented the process, while some or many aspect of the subject is irrelevant to your need (they are about Apple proprietary protocols), the article contains many useful pieces of information for you and your researched project, with many links to valuable resources to give you a head start.

https://googleprojectzero.blogspot.com/2020/12/an-ios-zero-click-radio-proximity.html

 

There is a link to wifi active frames structures, to get the MAC in captured/sniffed packets

He did use Raspberry device, then explained why and where it did fail or not so useful, (power and temperature), also the 5Ghz and its 45 channels, but without testing you can't be sure if it is not enough, as your usage will not be sending much of data.

In many places, the author points to the significance of timing specially for an ACK, like the section "ACK a MAC?"

 

Hope you find this reading educational and helpful.

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×