This is only a preview of the February 2021 issue of Silicon Chip.
signal from the wiper goes through a multi-stage RC low-pass filter. The setting of the potentiometer will vary the source impedance seen by the filter and thus slightly alter the corner frequency. Still, since the square wave harmonics start at three times the fundamental frequency, this won't materially affect its ability to filter them out. The fourth-order filters roll off at 24dB per decade, so the third harmonic will be attenuated by well over 30dB.

The filters each have four passive stages, each with the same corner frequency but ten times the impedance of the last, so as to not overly load the previous stage. The output of each set of filters is AC-coupled to an op amp two-times gain stage, DC biased to the 2.5V half-supply rail generated using a pair of 10kΩ resistors and filtered by 100µF and 100nF capacitors.
These stages not only apply gain to make up for signal lost in the filters, but also convert the high-impedance output of the filters into a low-impedance signal, suitable for driving other equipment. These signals are again AC-coupled to remove the 2.5V DC bias and then fed to the output terminal pairs via 10Ω isolating resistors.

The remaining six square wave signals are simply fed to a separate set of outputs via 47Ω isolating resistors. The whole thing is powered from a 5V USB supply, with LED1 lighting to indicate the presence of power.

Petre Petrov,
Sofia, Bulgaria. ($80)

WiFi Snooping with a Raspberry Pi

Smartphones send out WiFi "probe requests" to see what access points are close by. These requests contain the MAC address of the WiFi module in the smartphone, which is a unique identifier for that phone.

The first three bytes of the MAC address contain the OUI (Organisational Unique Identifier), sometimes called the Vendor ID. The IEEE assigns OUIs to vendors. The last three bytes are the unique device serial number assigned by the vendor.

A monitoring device can silently capture probe requests, collecting information such as the date and time, MAC address and the signal strength, which indicates how close the phone is. Several devices can be strategically placed to triangulate the signal levels and pinpoint the location of the phone. Shopping centres, train stations, airports etc. are already using systems like this.

You can use a Raspberry Pi as a silent monitoring device by running a Python program called "probemon". Probemon captures all the data mentioned above. Also, the probe request sometimes contains the details of the Access Point that the phone was last connected to. When that happens, it is also captured by probemon.

To use this software, you will need a USB WiFi adaptor that supports "monitor" mode (the internal WiFi on the Pi does not). I bought a RaLink RT5370 via eBay for less than $10. First, install Raspbian Buster on the Pi. Then plug in the USB WiFi adaptor and check it with the following command:

    lsusb

Note the WLAN number of the USB WiFi (probably wlan1). Unplug and replug the USB adaptor, and check again to be sure. Then install aircrack-ng:

    sudo apt-get install aircrack-ng

Run airmon-ng (a part of aircrack-ng) to kill processes that will conflict with Monitor Mode:

    sudo airmon-ng check kill

Put the WiFi adaptor into monitoring mode:

    sudo airmon-ng start wlan1

Check that you now have a virtual adaptor (wlan1mon):

    ifconfig

Install netaddr, scapy and probemon:

    mkdir python
    cd python
    git clone https://github.com/drkjam/netaddr
    cd netaddr
    sudo python setup.py install
    cd ~/python
    git clone https://github.com/secdev/scapy.git
    cd scapy
    sudo python setup.py install
    cd ~/python
    git clone https://github.com/nikharris0/probemon.git
    cd probemon

Now test probemon:

    sudo python probemon.py -i wlan1mon -f -s -r -l

It will take a few minutes before you see any results. You will likely get some errors that need fixing by editing the file "/home/pi/python/probemon/probemon.py". If you encounter the error "type object 'datetime.datetime' has no attribute 'datetime'", change line 36 of that file from:

    log_time = datetime.datetime.now().isoformat()

to:

    log_time = datetime.now().isoformat()

The RSSI value doesn't work, so change line 56 from:

    rssi_val = -(256-ord(packet.notdecoded[-4:-3]))

to:

    rssi_val = packet.dBm_AntSignal

Now the list of approved MAC Address Vendors has to be updated:

    curl http://standards-oui.ieee.org/oui.txt --output /home/pi/python/netaddr/netaddr/eui/oui.txt
    cd ~/python/netaddr/netaddr/eui
    python ieee.py
    cd /home/pi/python/netaddr
    sudo python setup.py install

Rerun the capture program, and it should be fully working:

    cd ~/python/probemon
    sudo python probemon.py -i wlan1mon -f -s -r -l

Captured data is stored in probemon.log. iPhones use MAC address randomisation, so the only time the correct MAC address is sent in a packet is when it is connected to a WiFi Access Point. Other times, it is recorded in the log file as "UNKNOWN".

When previously connected SSIDs are captured, you can search www.wigle.net, which has a vast number of Access Points in its worldwide database. You can also enter your home address into www.wigle.net and see what Access Points are near you.

Sid Lonsdale
Cairns, Qld. ($80)
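
As an added example (not part of the original article or of the probemon project), the following Python script audits a probemon log to show what each device gives away: whether its MAC is vendor-assigned or locally administered, as randomised addresses are, and which SSIDs it probed for. It assumes a tab-separated log with the fields time, MAC, vendor, SSID and RSSI; the function names and the sample log lines are constructed for this example.

```python
# Added example. Assumed log layout (-f -s -r), tab-separated: time, MAC, vendor, SSID, RSSI
SAMPLE_LOG = "\n".join([  # constructed sample lines, not real captures
    "2021-02-01T09:15:02\tb8:27:eb:12:34:56\tRaspberry Pi Foundation\tHomeNet\t-48",
    "2021-02-01T09:15:07\tda:a1:19:00:11:22\tUNKNOWN\t\t-71",
    "2021-02-01T09:16:30\tb8:27:eb:12:34:56\tRaspberry Pi Foundation\tCafeGuest\t-52",
    "2021-02-01T09:17:12\t5e:0c:77:aa:bb:cc\tUNKNOWN\tOfficeWiFi\t-66",
    "2021-02-01T09:18:00\ttruncated",
])

def parse_mac(mac):
    """Return (oui, locally_administered) for a colon-separated 48-bit MAC."""
    octets = [int(part, 16) for part in mac.split(":")]
    if len(octets) != 6 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("not a 48-bit MAC: %r" % mac)
    # Bit 0x02 of the first octet set: not from a vendor OUI block (e.g. randomised).
    return ":".join("%02x" % o for o in octets[:3]), bool(octets[0] & 0x02)

def audit(log_text):
    """Group log lines by MAC: address type, vendor, SSIDs probed, strongest RSSI."""
    devices = {}
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue  # blank or malformed line
        _, mac, vendor, ssid, rssi = fields
        try:
            (oui, local), rssi = parse_mac(mac), int(rssi)
        except ValueError:
            continue
        dev = devices.setdefault(mac, {"oui": oui, "local": local, "vendor": vendor,
                                       "ssids": set(), "max_rssi": rssi})
        dev["ssids"].update([ssid] if ssid else [])
        dev["max_rssi"] = max(dev["max_rssi"], rssi)
    return devices

def exposure_report(devices):
    """Return {mac: findings} for devices revealing a stable ID or past networks."""
    report = {}
    for mac, dev in devices.items():
        findings = []
        if not dev["local"]:
            findings.append("vendor-assigned MAC, OUI %s (%s)" % (dev["oui"], dev["vendor"]))
        if dev["ssids"]:
            findings.append("probed for: " + ", ".join(sorted(dev["ssids"])))
        if findings:
            report[mac] = findings
    return report

if __name__ == "__main__":
    print(exposure_report(audit(SAMPLE_LOG)))
```

A device that appears in the report with a locally administered MAC is still identifiable by the network names it probes for, which is the exposure to check for on your own phone.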