Tshark Trigger

Starts the workflow with Tshark

Overview

This node triggers workflows based on wireless network traffic captured by Tshark, a command-line network protocol analyzer. Specifically, the "Sniff Probe Request" operation listens for Wi-Fi probe request frames on a specified network interface. These frames are sent by devices searching for available Wi-Fi networks.

Common scenarios where this node is useful include:

  • Monitoring nearby Wi-Fi devices for presence detection or tracking.
  • Collecting data about devices probing for networks in an area for security audits.
  • Triggering actions when specific probe requests are detected, such as alerting or logging.

For example, you could use this node to detect when new devices enter a physical space by monitoring their probe requests and then trigger notifications or start other workflows.

Properties

Name | Meaning
Interface | The network interface used for monitoring (e.g., wlan1).
Channel Hopping List | Comma-separated list of Wi-Fi channels to cycle through during monitoring (e.g., 1,2,3,...).
Channel Hopping Interval | Time interval in seconds between switching channels.
Emission Interval | Time interval in seconds between emitting collected probe request events downstream.
Maximum Emissions | Maximum number of probe request events emitted per emission interval.

Output

The node outputs JSON objects representing detected probe request frames with the following fields:

  • frameType: Numeric code identifying the frame subtype (for probe requests, typically 4).
  • macAddress: MAC address of the device sending the probe request.
  • macResolved: Possibly a resolved or vendor-specific version of the MAC address.
  • ssid: The SSID string the device is probing for (decoded from raw data).
  • frequencyMHz: Frequency, in MHz, of the channel on which the frame was captured.
  • signalDbm: Signal strength in dBm of the received frame.

The output is an array of such objects emitted periodically according to the configured emission interval and limited by the maximum emissions setting.

No binary data output is produced by this node.
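
A downstream step that triages one emitted batch, as an added example that is not part of the node's own code: it groups frames by macAddress, drops devices on an allowlist, and flags addresses with the locally administered bit set, which are typically randomized and so unsuitable as stable device identifiers. The allowlist, the function names, and the sample batch are assumptions constructed for illustration.

```javascript
// Added example: triage one emitted batch from the node (sample data is constructed).
const PROBE_REQUEST_SUBTYPE = 4; // frameType value the page gives for probe requests

// A MAC whose first octet has the locally administered bit (0x02) set was not
// assigned by a vendor; phones commonly use such randomized addresses when probing.
function isLocallyAdministered(mac) {
  const firstOctet = parseInt(mac.split(':')[0], 16);
  return Number.isInteger(firstOctet) && (firstOctet & 0x02) !== 0;
}

// knownMacs: hypothetical allowlist (a Set of lower-case MACs) of expected devices.
function triageProbeBatch(batch, knownMacs) {
  const devices = new Map();
  for (const frame of batch) {
    if (Number(frame.frameType) !== PROBE_REQUEST_SUBTYPE || !frame.macAddress) continue;
    const mac = frame.macAddress.toLowerCase();
    let d = devices.get(mac);
    if (!d) {
      d = { mac, randomized: isLocallyAdministered(mac), known: knownMacs.has(mac),
            ssids: new Set(), strongestDbm: -Infinity, frames: 0 };
      devices.set(mac, d);
    }
    d.frames += 1;
    // An empty SSID is a wildcard (broadcast) probe, not a named network.
    if (frame.ssid) d.ssids.add(frame.ssid);
    const dbm = Number(frame.signalDbm);
    if (Number.isFinite(dbm)) d.strongestDbm = Math.max(d.strongestDbm, dbm);
  }
  // Report only devices that are not on the allowlist.
  return [...devices.values()]
    .filter((d) => !d.known)
    .map((d) => ({ ...d, ssids: [...d.ssids].sort() }));
}

// Constructed sample batch using the output fields listed above (not captured traffic).
const sampleBatch = [
  { frameType: 4, macAddress: 'DA:A1:19:00:00:01', ssid: '', frequencyMHz: 2412, signalDbm: -48 },
  { frameType: 4, macAddress: '00:11:22:33:44:55', ssid: 'corp-wifi', frequencyMHz: 2437, signalDbm: -61 },
  { frameType: 4, macAddress: '00:11:22:33:44:66', ssid: 'HomeNet', frequencyMHz: 2437, signalDbm: -70 },
  { frameType: 4, macAddress: '00:11:22:33:44:66', ssid: 'CafeGuest', frequencyMHz: 2462, signalDbm: -66 },
  { frameType: 8, macAddress: '00:11:22:33:44:77', ssid: 'x', frequencyMHz: 2412, signalDbm: -50 },
];
const sampleKnownMacs = new Set(['00:11:22:33:44:55']);
console.log(triageProbeBatch(sampleBatch, sampleKnownMacs));
```

A device reported with `randomized: true` may reappear under a different address later, so counts of "new devices" built on macAddress alone will overstate the number of physical devices.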

Dependencies

  • Requires Tshark installed on the host system.
  • Requires sudo privileges to run Tshark and change wireless interface channels.
  • Needs a valid password credential for sudo authentication.
  • Uses Linux wireless tools (iw) to perform channel hopping.
  • The node runs shell commands and spawns child processes; thus, it depends on the underlying OS environment supporting these utilities.

Troubleshooting

  • Permission errors: If the node cannot run Tshark or change channels, ensure the provided sudo password is correct and that the user has necessary permissions.
  • Interface not found: Verify the specified network interface exists and is in monitor mode.
  • Channel hopping issues: Confirm the listed channels are supported by your wireless card (iw list can be used to check).
  • No output events: May indicate that no probe requests were detected on the monitored channels, or that the filter settings are incorrect.
  • Process termination: If Tshark terminates unexpectedly, check the system logs and the Tshark installation.
