wat is a very simple exploration of using the libpcap library on OS X from Swift, through a command-line interface.
Just load it in Xcode 6+ and build. Then run with sudo:
    sudo ./wat
Initial output should look like this:
    Opening device: en0
    Datalink Name: IEEE802_11_RADIO
    Datalink Description: 802.11 plus radiotap header
Hardcoded to en0 for now.
Also, I am focusing on the output of management and authentication packets (EAPOL), since the first task is getting the 4-way handshake supported for decrypting WPA2 traffic. (More details in the 'gotchas' section here.)
- Function pointers in Swift - getting better with Xcode 6 beta 4, but I had to go back to Objective-C for this
- Found this code on Stack Overflow - very useful for low level byte manipulation in Swift:

    // Method on a type that holds the packet bytes in rawData (NSData).
    // Reads a value of type T starting at byteLocation.
    func read<T>(byteLocation: Int) -> T {
        let bytes = self.rawData.subdataWithRange(NSMakeRange(byteLocation, sizeof(T))).bytes
        return UnsafePointer<T>(bytes).memory
    }

- SSL - no proxy means no reading SSL, even when WPA/WPA2 is decrypted
- For proper debugging of traffic, WPA/WPA2 traffic needs to be decrypted (given the proper password) -- this code is nontrivial to figure out.
- Focusing on IEEE802.11 plus radiotap, for now
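
With the IEEE802_11_RADIO link type, every captured packet starts with a variable-length radiotap header, and the 802.11 frame begins at the offset given by its little-endian length field. The sketch below is an added example, not code from this project, written for current Swift (5.x) rather than the Xcode 6 era syntax used above; it skips the radiotap header with a bounds check and picks out management and EAPOL frames. The names `classify` and `FrameKind` are hypothetical and the sample bytes are constructed.

```swift
enum FrameKind: Equatable {
    case management(subtype: UInt8), control, eapol, data, other, malformed
}

// classify and FrameKind are hypothetical names for this example.
func classify(_ packet: [UInt8]) -> FrameKind {
    // Radiotap: version(1) pad(1) it_len(2, little-endian) it_present(4) ...
    guard packet.count >= 8, packet[0] == 0 else { return .malformed }
    let start = Int(packet[2]) | (Int(packet[3]) << 8)
    // it_len comes off the air, so bounds-check it before indexing.
    guard start >= 8, start + 2 <= packet.count else { return .malformed }

    let fc0 = packet[start], fc1 = packet[start + 1]
    let frameType = (fc0 >> 2) & 0x03
    let subtype = fc0 >> 4
    switch frameType {
    case 0: return .management(subtype: subtype)
    case 1: return .control
    case 2:
        if (fc1 & 0x40) != 0 { return .data }          // Protected: body is encrypted
        var header = 24                                 // FC, duration, 3 addresses, seq
        if (fc1 & 0x03) == 0x03 { header += 6 }         // ToDS+FromDS: fourth address
        if (subtype & 0x08) != 0 {
            header += 2                                 // QoS control
            if (fc1 & 0x80) != 0 { header += 4 }        // HT control (Order bit)
        }
        // EAPOL rides in LLC/SNAP with EtherType 0x888E.
        let snap: [UInt8] = [0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x88, 0x8E]
        let body = start + header
        guard body + snap.count <= packet.count else { return .data }
        return Array(packet[body..<(body + snap.count)]) == snap ? .eapol : .data
    default: return .other
    }
}

// Constructed sample bytes, not a real capture.
let radiotap: [UInt8] = [0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00]
let qosData = [UInt8]([0x88, 0x02]) + [UInt8](repeating: 0, count: 24)
let eapolSnap: [UInt8] = [0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x88, 0x8E]
let beacon = [UInt8]([0x80, 0x00]) + [UInt8](repeating: 0, count: 22)
let badLength: [UInt8] = [0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00]

print(classify(radiotap + qosData + eapolSnap))  // QoS data frame carrying EAPOL
print(classify(radiotap + beacon))               // management frame
print(classify(badLength))                       // it_len larger than the packet
```
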
If you want to help out, please fork and make some pull requests. Here are some links I found useful:
- tcpdump - tcpdump source code & docs
- Programming with libpcap - PDF of article from Hackin9 magazine in 2008. Very old, but nice to read some basics.
- Radiotap docs - Explains the radiotap header - took me a while to figure this out. Basically, you just need the (variable) length
PJ Gray
wat is available under the MIT license. See the LICENSE file for more info.