How to capture WiFi packets with a specified MAC address

Hi mates
I'm trying to do a project for a friend of mine, which consists of re-using an Amazon dash button to power off his computer running Windows 10.
I saw there are "flic" buttons (expensive), and they make it easier to activate events through IFTTT, which in turn can do the task, following the steps provided in a GitHub page I have read. So now I have the final part already prepared, but I only need my dash button to activate a curl command in a custom script I made on an OpenWrt router I have (Comtrend AR-5387un) (call it JAZZTEL_VILLEGOLAS), and then the curl command activates the IFTTT applet.
I have posted a question in this forum (you can see it here for reference) because I needed help with the "somewhat difficult" part of the script. I finally developed my script further to this point (I call this version dashbuttonsc3):

#!/bin/sh
#coded by borhacker

# Poll wlan0 in 10-second windows and call the IFTTT webhook whenever the
# dash button's traffic shows up. dnsmasq resolves the button's static lease
# to DASHBUTTON.lan, which is the name tcpdump -v prints for it.
continue=true

while [ "$continue" = true ]
do
    if [ "$(timeout 10 tcpdump -i wlan0 -U -s0 -v 2>/dev/null | grep -c "DASHBUTTON.lan")" -gt 0 ]
    then
        echo "match"
        curl https://maker.ifttt.com/trigger/button/json/with/key/mykey-sdpahdf
    else
        echo "no-match"
    fi
done

Also I have developed an init.d script (called dashbuttonserv4):

#!/bin/sh /etc/rc.common
#coded by borhacker

START=21
STOP=09

PIDFILE=/var/run/dashbutton.pid

# Run the capture loop in a background subshell so start() returns and the
# rest of the boot sequence is not blocked. stop() runs in a separate process,
# so a shared variable cannot end the loop; it is killed via the pid file instead.
start() {
    (
        while true
        do
            if [ "$(timeout 10 tcpdump -i wlan0 -U -s0 -v 2>/dev/null | grep -c "DASHBUTTON.lan")" -gt 0 ]
            then
                echo "match"
                curl https://maker.ifttt.com/trigger/button/json/with/key/mykey-sdpahdf
            else
                echo "no-match"
            fi
        done
    ) &
    echo $! > "$PIDFILE"
}

stop() {
    [ -f "$PIDFILE" ] && kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE"
}

Now I'm facing two problems, one of which I'd like to deal with later; the other is what I opened this thread for:
Previously, I had an earlier version of the script, dashbuttonsc2, which worked correctly, but not always. The only difference from dashbuttonsc3 was the (if ... tcpdump) line, which in dashbuttonsc2 was like this:

if [ `timeout 10 tcpdump -i wlan0 host 192.168.2.26 -U -s0 -v | grep -c "DASHBUTTON.lan" ` -gt 0 ]

Sometimes I pressed the button (with the script running in its infinite loop) and I could see the packets being captured, but sometimes I pressed the button and there were no packets. So I modified the tcpdump command to include all packets on wlan0, and not only those with the address 192.168.2.26. That is how it became the script called dashbuttonsc3. That address is the one assigned to the dash button by a static lease from the DHCP server of JAZZTEL_VILLEGOLAS. Then it started to capture more packets, but there are still times when I press the button and I don't see any activity.
I don't know what could be happening so that no packets are captured.
So I ask you please,
can you tell me how I can run a WiFi packet sniffing tool to capture the MAC address of the dash button, and integrate it into my script instead of the tcpdump command? I have heard about monitor mode and sniffing WiFi packets, etc. I have also seen, in my wireless configuration, that monitor mode is available, and the router is only used for this purpose, so I don't have any drawbacks in using monitor mode. The button is configured to search for the AMAZONSERV SSID with password mypassword123 (not exactly!! :sweat_smile:).
So maybe with this tool I could capture everything that comes from my dash button.
The other problem is related to automating the init.d script (dashbuttonserv4), but I will ask about this later.
Note, for completeness, regarding my network (maybe you need to know these technical aspects):

  • My home network is using the subnet 192.168.1.0/24
  • JAZZTEL_VILLEGOLAS is only used to do this specific task
  • JAZZTEL_VILLEGOLAS has two interfaces, and they're isolated:
    • one is br-lan, which is connected to my home network with the IP 192.168.1.25
    • the other is wlann, which is connected to the wireless AP with the SSID AMAZONSERV. The wlann interface is in the subnet 192.168.2.0/24
  • The DHCP server is disabled on br-lan, and the DHCP server is enabled on wlann to give my dash button the IP address 192.168.2.26. Also, this DHCP server is serving a nonexistent gateway, 192.168.2.1, to make the dash button think it can connect to the internet and make it try to connect.
  • JAZZTEL_VILLEGOLAS, on the wlann interface, has the static IP 192.168.2.3.
  • The firewall has only 1 zone, lan, and it is assigned to br-lan. output-accept. input-accept. forward-reject.
  • I configured it like this to prevent my dash button from connecting to Amazon servers, where it could get banned/bricked/stop working. They say that Amazon doesn't want us to use the dash buttons anymore.

Thanks a lot for your time and your help
Borhacker
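The polling script above greps for the hostname DASHBUTTON.lan in tcpdump -v output, which only appears while dnsmasq currently holds the lease and can resolve it. An added example, not from the original post, of doing the match on the button's MAC address instead (the MAC 68:37:e9:33:b5:90 quoted later in the thread). The capture command, the sample tcpdump -e lines and the function names are assumptions of this example; the sample output is constructed, not a real capture.

```shell
#!/bin/sh
# Added example: match the dash button by source MAC instead of grepping a
# hostname out of 'tcpdump -v' output.
BUTTON_MAC="68:37:e9:33:b5:90"

# Capture command as it would run on the router (assumed): the BPF filter
# 'ether src' selects the button's frames in the kernel, -n avoids reverse DNS
# (so no dependency on the lease being resolvable), -e prints link-layer
# addresses, -l line-buffers so the pipe sees frames as they arrive.
CAPTURE_CMD="timeout 10 tcpdump -i wlan0 -n -l -e ether src $BUTTON_MAC"

lc() { printf '%s' "$1" | tr 'A-F' 'a-f'; }

# Count lines of 'tcpdump -e' output (stdin) whose source MAC is $1.
# 'tcpdump -e' prints:  <timestamp> <src mac> > <dst mac>, ethertype ...
# so the source MAC is the second whitespace-separated field.
count_frames_from() {
    want=$(lc "$1")
    n=0
    while read -r _ts src _rest; do
        if [ "$(lc "$src")" = "$want" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# One polling window: true when at least one frame from the button was captured.
# Replaces the 'if [ `timeout 10 tcpdump ... | grep -c DASHBUTTON.lan` -gt 0 ]'
# test in the thread's loop.
button_seen() {
    n=$($CAPTURE_CMD 2>/dev/null | count_frames_from "$BUTTON_MAC")
    [ "${n:-0}" -gt 0 ]
}

# Constructed sample of 'tcpdump -n -e' output (not a real capture): three
# frames from the button (DHCP and ARP on wake-up, one in upper case as some
# tools print it) and one frame from another client.
SAMPLE_OUTPUT='22:56:05.101 68:37:e9:33:b5:90 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 68:37:e9:33:b5:90, length 300
22:56:05.102 68:37:E9:33:B5:90 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 68:37:e9:33:b5:90, length 300
22:56:05.350 aa:bb:cc:dd:ee:02 > 68:37:e9:33:b5:90, ethertype IPv4 (0x0800), length 60: 192.168.2.3 > 192.168.2.26: ICMP echo request, id 1, seq 1, length 40
22:56:06.004 68:37:e9:33:b5:90 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.2.1 tell 192.168.2.26, length 28'
```

With the kernel filter in place the line count alone is enough to decide; count_frames_from is kept so the same function also works on an unfiltered capture, and it compares MACs case-insensitively because tcpdump, dnsmasq and airodump-ng do not agree on letter case.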

It all seems too complicated (at least to me).

Looking at your previous thread, there is some dhcp activity when the button is pressed.
If this is correct, your script can be triggered based on a hotplug event.

The question is how often you have to press the button and after how long the power saving mode of the device is activated.

Please gather some information by running this:

cat << "EOF" >> /etc/hotplug.d/dhcp/99-dashbutton
[  "$MACADDR" == "68:37:e9:33:b5:90" -o "$MACADDR" == "68:37:E9:33:B5:90" ] || exit 0

logger -t dashbutton "Action: ${ACTION}"
EOF

/etc/init.d/dnsmasq restart
logread -f -e dashbutton

Hi @pavelgl
I have executed the commands you wrote, line by line.
But I don't know exactly what I have to do.
Should I press the button at a specific time? I also see you wrote dashbutton. Before doing this test I performed a reset of my JAZZTEL_VILLEGOLAS and restored a backup with my main configs, but I didn't create the dashbutton service or anything. Should a dashbutton file or anything already exist?
Let me show you the input of the lines I executed:

root@JAZZTEL_VILLEGOLAS:~# cat << "EOF" >> /etc/hotplug.d/dhcp/99-dashbutton
> [  "$MACADDR" == "68:37:e9:33:b5:90" -o "$MACADDR" == "68:37:E9:33:B5:90" ] || exit 0
> logger -t dashbutton "Action: ${ACTION}"
> EOF
root@JAZZTEL_VILLEGOLAS:~# /etc/init.d/dnsmasq restart
udhcpc: started, v1.35.0
udhcpc: broadcasting discover
udhcpc: no lease, failing
root@JAZZTEL_VILLEGOLAS:~# logread -f -e dashbutton

^Croot@JAZZTEL_VILLEGOLAS:~#

If the device is in standby mode, it should send a DHCP renewal request to the router when you press the button and it wakes up.

You should then see something like this in the logs:

... user.notice dashbutton: Action: update

However, this is in theory and I could be wrong...

Also double-check that the device MAC address (68:37:e9:33:b5:90) is correct.

I'm not sure whether I have to run something before pressing the button.
As I understand, the first commands were to create a hotplug event:

root@JAZZTEL_VILLEGOLAS:~# cat << "EOF" >> /etc/hotplug.d/dhcp/99-dashbutton
> [  "$MACADDR" == "68:37:e9:33:b5:90" -o "$MACADDR" == "68:37:E9:33:B5:90" ] || exit 0
> logger -t dashbutton "Action: ${ACTION}"
> EOF

and then I run /etc/init.d/dnsmasq restart for whatever reason, then I press the button, and after that, logread -f -e dashbutton?
I'm not sure what I did, but this is the output:

root@JAZZTEL_VILLEGOLAS:/etc/hotplug.d/dhcp# cat 99-dashbutton
[  "$MACADDR" == "68:37:e9:33:b5:90" -o "$MACADDR" == "68:37:E9:33:B5:90" ] || exit 0
logger -t dashbutton "Action: ${ACTION}"
root@JAZZTEL_VILLEGOLAS:/etc/hotplug.d/dhcp# /etc/init.d/dnsmasq restart
udhcpc: started, v1.35.0
udhcpc: broadcasting discover
udhcpc: no lease, failing
root@JAZZTEL_VILLEGOLAS:/etc/hotplug.d/dhcp# logread -f -e dashbutton
Sat Dec 10 22:56:05 2022 user.notice dashbutton: Action: update
root@JAZZTEL_VILLEGOLAS:/etc/hotplug.d/dhcp# cat 99-dashbutton
[  "$MACADDR" == "68:37:e9:33:b5:90" -o "$MACADDR" == "68:37:E9:33:B5:90" ] || exit 0
logger -t dashbutton "Action: ${ACTION}"
root@JAZZTEL_VILLEGOLAS:/etc/hotplug.d/dhcp# logread -f -e dashbutton
Sat Dec 10 23:00:29 2022 user.notice dashbutton: Action: add
^Croot@JAZZTEL_VILLEGOLAS:/etc/hotplug.d/dhcp#

After pressing the button the last time, and then seeing the Action: add, I pressed the button again several times and the button doesn't show any blinking lights or anything. The button doesn't seem to always behave the same way.
If you need more information, please tell me exactly what I have to do.
Thanks

By the way, I have double-checked the MAC address and it's ok, exactly as you wrote in your last post

In my experience, sometimes the dhcp hotplug script doesn't start working until the service is restarted, so that was just in case.

Well, there is a DHCP event after all.
You could use /etc/hotplug.d/dhcp/99-dashbutton for your script.

[  "$MACADDR" == "68:37:e9:33:b5:90" -o "$MACADDR" == "68:37:E9:33:B5:90" ] || exit 0

#logger -t dashbutton "Action: ${ACTION}"

/usr/bin/curl https://maker.ifttt.com/trigger/button/json/with/key/mykey-sdpahdf
...

As I said before

Obviously if you need to press the button every minute this approach won't work.
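An added example, not pavelgl's script, of a hardened version of the hotplug handler proposed above. It keeps the same mechanism (OpenWrt's dnsmasq hook sources /etc/hotplug.d/dhcp/* with ACTION, MACADDR, IPADDR and HOSTNAME in the environment), and adds three things a practitioner would want: it only reacts to add/update events, it debounces repeated lease renewals from one press, and it reads the IFTTT key from a root-only file instead of embedding it in a world-readable script. The paths /etc/dashbutton.key and /tmp/dashbutton.last, the 300-second window and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: hardened /etc/hotplug.d/dhcp/99-dashbutton. OpenWrt's dnsmasq
# hook sources this file once per DHCP lease event with ACTION (add/update/remove),
# MACADDR, IPADDR and HOSTNAME exported.
BUTTON_MAC="68:37:e9:33:b5:90"
KEY_FILE="/etc/dashbutton.key"   # assumed: holds only the IFTTT key, mode 0600
STAMP="/tmp/dashbutton.last"     # assumed: epoch time of the last trigger
DEBOUNCE=300                     # seconds; one press can renew the lease 2-3 times

lc() { printf '%s' "$1" | tr 'A-F' 'a-f'; }

# Decide whether a DHCP event should fire the trigger.
# $1=ACTION $2=MACADDR $3=current epoch time $4=stamp file
# Returns 0 (and records the time) only for a lease add/update from the button's
# MAC that is at least DEBOUNCE seconds after the previous trigger.
should_fire() {
    case "$1" in
        add|update) ;;
        *) return 1 ;;
    esac
    [ "$(lc "$2")" = "$BUTTON_MAC" ] || return 1
    last=$(cat "$4" 2>/dev/null || echo 0)
    [ $(( $3 - $last )) -ge "$DEBOUNCE" ] || return 1
    printf '%s\n' "$3" > "$4"
    return 0
}

# Call the IFTTT webhook. The key comes from a root-only file rather than the
# script body, so listing /etc/hotplug.d/dhcp/ does not reveal it.
fire() {
    key=$(cat "$KEY_FILE" 2>/dev/null) || { logger -t dashbutton "missing $KEY_FILE"; return 1; }
    logger -t dashbutton "lease $ACTION from $MACADDR ($IPADDR), triggering"
    /usr/bin/curl -fsS --max-time 15 \
        "https://maker.ifttt.com/trigger/button/json/with/key/$key" >/dev/null \
        || logger -t dashbutton "webhook call failed"
}

# Entry point when sourced by hotplug-call; does nothing if MACADDR is unset,
# so the file can also be sourced by hand to test the functions.
if [ -n "$MACADDR" ] && [ -n "$ACTION" ]; then
    should_fire "$ACTION" "$MACADDR" "$(date +%s)" "$STAMP" && fire
fi
```

Create the key file with chmod 600 and test the hook without pressing the button: ACTION=add MACADDR=68:37:E9:33:B5:90 IPADDR=192.168.2.26 sh /etc/hotplug.d/dhcp/99-dashbutton, then check logread -e dashbutton. Note that a MAC address is not an authenticator: anyone in radio range who knows the AMAZONSERV PSK can clone the button's MAC, obtain a lease and trigger the power-off, so the PSK is the only thing protecting the trigger.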

Hi again, thanks a lot!
I have tried with your hotplug script, and several button presses make the applet execute (once per button press). After 3 or 4 times, the button doesn't respond (at least no blinking lights). But I will try to test several times a day, like 4/5 times each day at different times, because my friend only needs to push the button some days, only once a day, so if the 'not blinking lights' is because of many repeated button presses in the same minute (for example), that problem is not important.
So I'll test several times these days and after I'll tell you.
Know that you have solved my 2 problems: the script I needed to make work well, and the problem I had with the infinite loop, which prevented me from rebooting and I don't know what else.
Cheers
EDITED in bold


Hi @pavelgl
Definitely, it works perfectly.
I have tried several times since yesterday, at separate times, and it always works.
Sometimes I press the button and it triggers the curl command 2 or 3 times in a time span of 5 minutes, but that is not a problem, since the script I downloaded for the Windows 10 PC (the last part of the setup) handles that perfectly.
Thanks Cheers

Hi @pavelgl
I'm thinking of contributing to this forum. From my experience, I'm not very advanced, but I have some level, and I think I could contribute to helping the users that are at a lower level than me.
I want to ask you, do you think it is a good way to teach myself? Because these days I'm not studying or working, and I'd like to learn about Linux and IT in general, and this subject is so broad that I don't know where to start. So do you recommend reading this forum (not for asking, but mainly for answering) if I want to basically learn about Linux and networking?
Cheers
Borhacker

Also as a way to thank the ones who helped me

Note for anyone looking at this guide to take as an example:
in the end it's not working. After some days of working, it stopped working. I think the dash button tries to connect to Amazon servers, and after some unsuccessful tries, it considers the configured WiFi network useless. So (so that you understand what I'm doing) you have to press and hold the button ~5 seconds until it blinks blue, then you connect to its WiFi network, open 192.168.0.1 in your browser, and there you configure the SSID and password of your WiFi AP (in this case JAZZTEL_VILLEGOLAS's WiFi network). Then it works again for some time, until the dash button considers the WiFi network useless again.

I'm going to look into the aircrack-ng monitor mode documentation, to see if I can capture the WiFi frames the dash button sends (if any), and if I'm lucky, maybe I can make a script or something.

Cheers
Borhacker

You can try the easy way.
1. Check for the channel and BSSID:
airodump-ng wlan0
Now you know the channel and BSSID:
airodump-ng wlan0 -c x --bssid xx:xx:xx:xx -w cattura

Hi @bricco1981
When I type airodump-ng wlan0 (and press the button to generate activity)

CH  3 ][ Elapsed: 42 s ][ 2022-12-14 20:10

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 00:00:00:00:00:00  -70       87        0    0  11  260   WPA2 CCMP   PSK  WLAN_9232
 00:00:00:00:00:00  -80       28        0    0  11  260   WPA2 CCMP   PSK  MOVISTAR_7490
 00:00:00:00:00:00  -81       12        0    0  11  260   WPA2 CCMP   PSK  <length: 21>
 00:00:00:00:00:00  -84       21        0    0   3  540   WPA2 CCMP   PSK  MOVISTAR_3F80

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 (not associated)   68:37:E9:33:B5:90  -52    0 - 1      0       35         AMAZONSERV

(The zeros as BSSID are from my neighbours' WiFi AP's)
The last line is showing my dash button (Its MAC address and the SSID it's trying to connect)

I want to try to execute a command like airodump with an option that lets me count the number of frames, and make a script that compares the number of frames with 0 (if .... -gt 0) and then runs the script which activates the curl command.
I have looked at the airodump documentation and I didn't find that option. Do you know how I could do that?
Thanks
Cheers

This one?
If so, that means the device is connected to a different band than the one you are sniffing, or is looking for an AP.

But all those 000000 BSSIDs, did you edit them? Or does it really show like that in airodump?
If airodump really shows all the BSSIDs like that, maybe the tool is not working as it should.

The 00000's are not shown like that; it's me who edited them, because I didn't want to show my neighbours' MAC addresses. They look like normal MAC addresses.
Regarding my dash button, I don't need it to connect to my AP. I only need it to be detected by airodump-ng so that it triggers the curl command. It's designed to, first, be configured with a WiFi AP SSID and password, and after that, to try to connect to that WiFi AP with the password provided. That's why you see AMAZONSERV at the end: it's the SSID it's expecting to connect to.

If I type the following command, I see this:

root@JAZZTEL_VILLEGOLAS:~# airodump-ng wlan0 --essid 68:37:E9:33:B5:90
 CH  6 ][ Elapsed: 12 s ][ 2022-12-14 20:43

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID


 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 (not associated)   68:37:E9:33:B5:90  -69    0 - 1     31       49         AMAZONSERV
Quitting...
root@JAZZTEL_VILLEGOLAS:~#

but I don't know how I can count the number of frames with the specified MAC address, so that I can make a script to trigger the curl command.
In case you still didn't understand, it's a setup which consists of an Amazon dash button, which I want to set up to automate powering off my friend's computer. I have read several articles on the internet about hacking the dash button, but I didn't manage to get it working. So I'm investigating my own approach. Now I have already configured every part of the setup, and I only have one thing left: triggering a curl command (when I press the dash button) with a specific address, which in turn would activate the other part of the setup.
Thanks
Cheers

That's wrong.

airodump-ng wlan0 --essid name of the network

or

airodump-ng wlan0 --bssid 68:37:E9:33:B5:90

I can help you with airodump, but it's not clear whether you need to sniff traffic when the device probes for the ESSID, or when it is a station, or when?

The 68:37:E9:33:B5:90 is the MAC address of the dash button, so it is not a BSSID. In fact, if I run

root@JAZZTEL_VILLEGOLAS:~# airodump-ng wlan0 --bssid 68:37:E9:33:B5:90

it doesn't capture any traffic. I'm not sure exactly what the ESSID means, but filtering the frames with the ESSID set to the dash button's MAC address captures all the traffic coming from the dash button.
I want to sniff any activity coming from the dash button, regardless of whether it is connected to an AP or not, because the dash button is somewhat unpredictable and I need a script that captures all its traffic. Do you understand this?

It means something like openwrt-2.4ghz: the ESSID is the name of the WiFi network.

That means, if you use a tool like Wireshark, it is looking for a known AP.

To capture traffic, add -w capture at the end of the command line.
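The question left open in the thread is how to turn airodump-ng's station list into a number a script can compare with 0. With -w, airodump-ng also writes a CSV file (prefix-01.csv) that it rewrites every second, and the station section of that file has a "# packets" column per client MAC, which is exactly the Frames counter shown on screen. An added example, not from anyone in the thread, that parses that CSV and triggers when the count grows. The capture command, the file paths and the function names are assumptions of this example, and the CSV content is constructed in airodump-ng's layout, not a real capture.

```shell
#!/bin/sh
# Added example: count frames seen from one station in airodump-ng's CSV log.
# Assumed capture command, running in the background on a monitor-mode interface:
#   airodump-ng wlan0mon --output-format csv -w /tmp/cattura
# airodump-ng rewrites /tmp/cattura-01.csv every second. The "# packets" column
# in the "Station MAC" section is the running frame count per client MAC,
# whether or not the client is associated with an AP.

# Constructed sample CSV in airodump-ng's layout (not real capture data).
SAMPLE_CSV='BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:01, 2022-12-14 20:10:00, 2022-12-14 20:10:42, 11, 260, WPA2, CCMP, PSK, -70, 87, 0, 0. 0. 0. 0, 9, WLAN_9232, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:02, 2022-12-14 20:10:01, 2022-12-14 20:10:41, -80, 12, AA:BB:CC:DD:EE:01,
68:37:E9:33:B5:90, 2022-12-14 20:10:05, 2022-12-14 20:10:40, -52, 35, (not associated) ,AMAZONSERV
'

lc() { printf '%s' "$1" | tr 'A-F' 'a-f'; }

# Print the "# packets" value for station $1 (any letter case), reading the CSV
# on stdin. Prints 0 if the station has not been seen. Only the section after
# the "Station MAC" header is parsed; the AP section above it is skipped.
station_packets() {
    want=$(lc "$1")
    in_stations=0
    found=0
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')   # airodump writes CRLF
        case "$line" in
            "Station MAC"*) in_stations=1; continue ;;
            "") continue ;;
        esac
        [ "$in_stations" -eq 1 ] || continue
        mac=$(printf '%s\n' "$line" | cut -d, -f1 | tr -d ' ')
        if [ "$(lc "$mac")" = "$want" ]; then
            found=$(printf '%s\n' "$line" | cut -d, -f5 | tr -d ' ')
            break
        fi
    done
    echo "${found:-0}"
}

# Compare the current count for station $1 in CSV file $2 with the count
# stored in state file $3, then update the state file.
# Returns 0 (true) only when new frames from the station appeared.
button_activity() {
    now=$(station_packets "$1" < "$2")
    prev=$(cat "$3" 2>/dev/null || echo 0)
    printf '%s\n' "$now" > "$3"
    [ "$now" -gt "$prev" ]
}

# Poll loop as it would run on the router (paths assumed; never entered when
# the file is only sourced). Uses the placeholder webhook key from the thread.
poll_loop() {
    while :; do
        if button_activity 68:37:e9:33:b5:90 /tmp/cattura-01.csv /tmp/dashbutton.count; then
            logger -t dashbutton "new frames from button, triggering"
            /usr/bin/curl -fsS --max-time 15 \
                "https://maker.ifttt.com/trigger/button/json/with/key/mykey-sdpahdf" >/dev/null
        fi
        sleep 5
    done
}
```

Because airodump-ng counts every frame from the station, including probe requests sent while the button is still searching for AMAZONSERV, this approach keeps working after the button has given up on the network, which the DHCP hotplug approach cannot do. The counter resets when airodump-ng is restarted, so delete the state file whenever the capture is restarted, and keep in mind that probe requests are unauthenticated 802.11 frames: any device can send them with the button's MAC as source.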