Overview
This node acts as a wireless network packet sniffer using Tshark, specifically designed to detect certain Wi-Fi management frames such as beacon frames. It continuously monitors a specified wireless interface, hopping through configured Wi-Fi channels at set intervals, and triggers workflow executions when relevant frames are detected.
Common scenarios where this node is beneficial include:
- Monitoring nearby Wi-Fi access points by detecting their beacon frames.
- Gathering information about wireless networks for security audits or site surveys.
- Triggering workflows based on the presence of specific Wi-Fi signals in an environment.
For example, a user can configure the node to listen on a wireless interface for beacon frames emitted by access points, hopping through common Wi-Fi channels every 30 seconds, and emit up to 10 trigger events per minute when new beacons are detected.
Properties
Name | Meaning |
---|---|
Interface | The network monitoring interface to use for sniffing Wi-Fi packets (e.g., wlan1). |
Channel Hopping List | Comma-separated list of Wi-Fi channels to cycle through during monitoring (e.g., 1,2,3,...). |
Channel Hopping Interval | Time interval in seconds between switching to the next channel in the hopping list. |
Emission Interval | Time interval in seconds between emitting batches of detected frames as trigger events. |
Maximum Emissions | Maximum number of trigger emissions allowed per emission interval. |
Output
The node outputs JSON arrays where each element represents a detected Wi-Fi frame matching the configured filter (beacon frames in this case). Each object contains:
- frameType: Numeric subtype of the Wi-Fi frame (e.g., 8 for beacon).
- macAddress: MAC address of the device sending the frame.
- macResolved: A resolved or human-readable form of the MAC address if available.
- ssid: The SSID (network name) broadcasted in the frame.
- frequencyMHz: Frequency channel in MHz on which the frame was captured.
- signalDbm: Signal strength in dBm indicating the received signal power.
The node does not output binary data; all data is structured as JSON objects representing parsed frame details.
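The following is an added example, not part of the node's own code: a downstream JavaScript step that reduces one emitted batch to a single record per access point and flags an SSID you operate when it is advertised by a BSSID outside an allowlist. The sample batch, the knownAps allowlist and the function names are constructed for illustration.

```javascript
// Constructed sample of one emitted batch, using the fields documented above.
const sampleBatch = [
  { frameType: 8, macAddress: "02:00:00:aa:bb:01", macResolved: "02:00:00:aa:bb:01", ssid: "CorpNet", frequencyMHz: 2412, signalDbm: -48 },
  { frameType: 8, macAddress: "02:00:00:aa:bb:01", macResolved: "02:00:00:aa:bb:01", ssid: "CorpNet", frequencyMHz: 2412, signalDbm: -61 },
  { frameType: 8, macAddress: "02:00:00:cc:dd:02", macResolved: "02:00:00:cc:dd:02", ssid: "CorpNet", frequencyMHz: 5180, signalDbm: -70 },
  { frameType: 8, macAddress: "02:00:00:ee:ff:03", macResolved: "02:00:00:ee:ff:03", ssid: "GuestCafe", frequencyMHz: 2437, signalDbm: -80 },
];

// Hypothetical allowlist: SSIDs you operate, mapped to the BSSIDs expected to advertise them.
const knownAps = { CorpNet: ["02:00:00:aa:bb:01"] };

// Convert a centre frequency in MHz to a channel number (2.4 GHz and 5 GHz bands).
function freqToChannel(mhz) {
  if (mhz === 2484) return 14;
  if (mhz >= 2412 && mhz <= 2472) return (mhz - 2407) / 5;
  if (mhz >= 5000 && mhz <= 5895) return (mhz - 5000) / 5;
  return null; // unknown band or missing value
}

// Keep one record per BSSID (strongest sighting) and mark allowlisted SSIDs
// that are being advertised by a BSSID not on the allowlist.
function summarizeBeacons(frames, allowlist) {
  const aps = new Map();
  for (const f of frames) {
    if (Number(f.frameType) !== 8 || !f.macAddress) continue; // beacons only
    const bssid = String(f.macAddress).toLowerCase();
    const raw = Number(f.signalDbm);
    const signalDbm = Number.isFinite(raw) ? raw : -Infinity; // missing signal sorts last
    const prev = aps.get(bssid);
    if (prev && prev.signalDbm >= signalDbm) continue;
    const ssid = f.ssid || ""; // hidden networks send an empty SSID
    const expected = allowlist[ssid];
    aps.set(bssid, {
      bssid,
      ssid,
      channel: freqToChannel(Number(f.frequencyMHz)),
      signalDbm,
      unexpectedBssid: Array.isArray(expected) &&
        !expected.map((m) => m.toLowerCase()).includes(bssid),
    });
  }
  return [...aps.values()];
}

console.log(summarizeBeacons(sampleBatch, knownAps));
```

SSIDs that are not in the allowlist are reported without a flag, so neighbouring networks do not generate alerts.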
Dependencies
- Requires Tshark installed on the host system with appropriate permissions to capture packets on the specified wireless interface.
- Uses sudo to run Tshark commands with elevated privileges; thus, the node requires the user's sudo password credential.
- Depends on Linux wireless tools (iw) for channel hopping commands.
- The node runs shell commands and spawns child processes, so it requires a compatible environment supporting these operations.
Troubleshooting
- Permission Denied Errors: If Tshark cannot access the wireless interface, ensure the user has sufficient sudo privileges and that the correct password is provided.
- Invalid Interface: Specifying a non-existent or incorrect wireless interface will cause the node to fail starting Tshark. Verify interface names with system tools.
- Channel Hopping Issues: If channel hopping commands fail, check that the wireless card supports the requested channels and that iw is installed and functional.
- No Frames Detected: This may happen if the interface is not in monitor mode or if there is no Wi-Fi traffic on the monitored channels.
- Process Termination: Unexpected termination of the Tshark process will stop the trigger. Check system logs and Tshark error output for clues.