Overview
This node triggers workflows based on wireless network traffic captured using Tshark, a command-line network protocol analyzer. Specifically, it listens for probe response frames on a specified wireless interface and emits data about detected probe responses. This is useful in scenarios such as wireless network monitoring, security auditing, or detecting nearby Wi-Fi devices responding to probe requests.
For example, a user might deploy this node to monitor Wi-Fi probe responses in an area to detect the presence of specific devices or networks, enabling automated alerts or logging when certain SSIDs or MAC addresses appear.
Properties
Name | Meaning |
---|---|
Interface | The network monitoring interface to use for capturing wireless traffic (e.g., wlan1). |
Channel Hopping List | Comma-separated list of Wi-Fi channels to cycle through during monitoring (e.g., 1,2,3,...). |
Channel Hopping Interval | Time interval in seconds between switching channels while monitoring (e.g., 30). |
Emission Interval | Time interval in seconds between emitting collected trigger events downstream (e.g., 60). |
Maximum Emissions | Maximum number of trigger emissions allowed per emission interval (e.g., 10). |
Output
The node outputs JSON objects representing detected probe response frames with the following fields:
- frameType: The type/subtype of the frame (numeric code).
- macAddress: The MAC address of the device sending the probe response.
- macResolved: A resolved or human-readable form of the MAC address if available.
- ssid: The SSID (network name) contained in the probe response.
- frequencyMHz: The frequency channel in MHz on which the frame was received.
- signalDbm: The signal strength in dBm of the received frame.
The output is an array of such objects emitted periodically according to the configured emission interval and limited by the maximum emissions setting.
No binary data output is produced by this node.
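The following is an added example, not part of the node's own code: a downstream filter that turns one emitted array into alerts when a watched MAC address appears or when a known SSID is answered by a MAC address outside an expected list. The names `EXPECTED_APS`, `WATCHED_MACS`, `normalizeMac` and `findAlerts`, the policy values and the sample records are all constructed for illustration; only the field names come from the list above.

```javascript
// Added example, not the node's own code. Field names follow the Output section;
// numeric fields are assumed to arrive as numbers or numeric strings.

// Constructed policy: SSIDs we operate and the MACs expected to answer for them.
const EXPECTED_APS = new Map([
  ['corp-wifi', ['aa:bb:cc:00:00:01', 'aa:bb:cc:00:00:02']],
]);
// Constructed watchlist of MAC addresses that should always raise an alert.
const WATCHED_MACS = ['de:ad:be:ef:00:01'];

// Normalise MAC notation (case, '-' vs ':') so comparisons are reliable.
function normalizeMac(mac) {
  return String(mac || '').trim().toLowerCase().replace(/-/g, ':');
}

// One alert per distinct (reason, ssid, mac), keeping the strongest signal seen.
function findAlerts(records, expectedAps = EXPECTED_APS, watchedMacs = WATCHED_MACS) {
  const watched = new Set(watchedMacs.map(normalizeMac));
  const alerts = new Map();
  for (const r of records) {
    const mac = normalizeMac(r.macAddress);
    if (!mac) continue; // malformed record, nothing to match on
    const ssid = String(r.ssid ?? ''); // SSID is untrusted input from the air
    const reasons = [];
    if (watched.has(mac)) reasons.push('watched-mac');
    const allowed = expectedAps.get(ssid);
    if (allowed && !allowed.map(normalizeMac).includes(mac)) reasons.push('unexpected-mac-for-ssid');
    for (const reason of reasons) {
      const key = JSON.stringify([reason, ssid, mac]); // safe even if the SSID contains separators
      const signalDbm = Number(r.signalDbm);
      const prev = alerts.get(key);
      if (!prev || signalDbm > prev.signalDbm) {
        alerts.set(key, { reason, ssid, macAddress: mac, signalDbm, frequencyMHz: Number(r.frequencyMHz) });
      }
    }
  }
  return [...alerts.values()];
}

// Constructed sample emission (not captured traffic).
const SAMPLE = [
  { frameType: 5, macAddress: 'AA:BB:CC:00:00:01', macResolved: 'ExampleVendor_00:00:01', ssid: 'corp-wifi', frequencyMHz: 2412, signalDbm: -48 },
  { frameType: 5, macAddress: '02-11-22-33-44-55', macResolved: '02:11:22:33:44:55', ssid: 'corp-wifi', frequencyMHz: '2437', signalDbm: '-71' },
  { frameType: 5, macAddress: '02:11:22:33:44:55', macResolved: '02:11:22:33:44:55', ssid: 'corp-wifi', frequencyMHz: 2437, signalDbm: -60 },
  { frameType: 5, macAddress: 'de:ad:be:ef:00:01', macResolved: 'de:ad:be:ef:00:01', ssid: 'guest', frequencyMHz: 5180, signalDbm: -80 },
];
console.log(findAlerts(SAMPLE));
```

Because alerts are de-duplicated per emission, a device that answers many probes within one emission interval produces a single alert rather than one per frame.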
Dependencies
- Requires Tshark installed on the host system with appropriate permissions.
- Requires sudo access with a password to run Tshark and change wireless interface channels.
- Uses the iw command-line tool to perform channel hopping on the wireless interface.
- Requires the user to provide a local sudo password credential for executing privileged commands.
Troubleshooting
Common issues:
- Insufficient permissions: The node requires sudo privileges to capture packets and change channels. Ensure the provided password is correct and the user has sudo rights.
- Incorrect interface name: The specified network interface must be in monitor mode and support channel hopping.
- Unsupported channels: Channels listed must be supported by the wireless device (iw list can verify this).
- Tshark not installed or not in PATH: Ensure Tshark is installed and accessible from the command line.
Error messages:
- Errors related to "permission denied" or "operation not permitted" indicate missing sudo rights or an incorrect password.
- "Channel hopping failed" or similar messages suggest invalid channels or interface issues.
- If no data is emitted, verify that the interface is correctly set to monitor mode and that there is wireless traffic matching the probe response filter.