WiFi and Bluetooth device detection


24 posts
by frisovv » Fri Jun 14, 2013 9:20 am
Hello all,

I am looking for an affordable way to do WiFi and Bluetooth device detection within some area. There are off the shelf devices that achieve this, for example here: http://www.libelium.com/products/meshlium/. The use case is to gather data on which devices (by MAC address) have been near the measurement point at which times. Typically these things register MAC addresses, a class of device code (e.g. phone, car kit, laptop, etc.) and the signal strength which has some relation to how close the device was to the measurement point.

What I was hoping for is that a Raspberry Pi with Bluetooth and WiFi via USB could achieve the same. As a software developer, I am not much of a hardware person. I haven't used a Raspberry Pi before. I am fluent in a number of programming languages and can work with Linux, though.

Does anyone know of USB devices that would be capable of doing this in combination with a Pi? Keep in mind that I am not interested in connecting with any device, but just want to know which devices are in the area.

Thanks for any advice!
Friso
Posts: 6
Joined: Fri Jun 14, 2013 8:58 am
by derelict » Tue Jul 23, 2013 12:42 pm
Hi

I'm in the same boat... I have 3 rpi's with cheap bluetooth dongles and a bash script basically l2ping my "predefined" devices.

Did you get any further?

This looks interesting: http://www.cooking-hacks.com/index.php/shop/raspberry-pi/bluetooth-pro-shield-for-raspberry-pi.html but expensive and only for bluetooth
Posts: 2
Joined: Thu Jun 27, 2013 1:41 pm
by frisovv » Tue Jul 23, 2013 1:22 pm
No, not much progress for me, but haven't spent a lot of time on it.

We are looking at ready made offerings as well. They are expensive, but would get us started for sure, so we can focus on software and getting a demo of what we intend to do working.

When mentioning "predefined" devices, does that mean that the rpi needs to know about your devices in advance? We are looking for something that basically just grabs MAC addresses out of the air for anything that passes.
Friso
Posts: 6
Joined: Fri Jun 14, 2013 8:58 am
by mikerr » Tue Jul 23, 2013 3:24 pm
For bluetooth the device needs to be in discoverable mode once to get its MAC (don't need to pair though)
but you can later detect it even when not in discoverable mode.

Simple methods are:

Code:
hcitool scan

finds my Samsung Note2:
Code:
12:34:56:78:90:00 GT-N7100

Have a look at my thread here on Bluetooth presence/distance sensing:
viewtopic.php?f=37&t=47466


For WIFI you can periodically do

Code:
sudo iwlist wlan0 scan |egrep  'SSID|Address|Signal'

which will give
Code:
          Cell 01 - Address: C4:3D:C7:3B:12:34
                    Quality=53/70  Signal level=-57 dBm
                    ESSID:"MWR"
          Cell 02 - Address: 2C:B0:5D:FB:67:F6
                    Quality=33/70  Signal level=-77 dBm
                    ESSID:"virginmedia1000829"
          Cell 03 - Address: 5C:7D:5E:B6:69:00
                    Quality=19/70  Signal level=-91 dBm
                    ESSID:"TALKTALK-B668F8"
          Cell 04 - Address: 7C:03:4C:A9:A0:36
                    Quality=19/70  Signal level=-91 dBm
                    ESSID:"SKY9A035"
Last edited by mikerr on Wed Jul 24, 2013 9:04 am, edited 1 time in total.
Posts: 2417
Joined: Thu Jan 12, 2012 12:46 pm
Location: Up north , UK
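Added example, not part of any post in this thread: one way to turn the periodic `iwlist` scan shown above into records and compare two consecutive scans. The sample text is constructed in the same format as the filtered output above; `parse_scan` and `diff_scans` are hypothetical helper names.

```python
import re

# Constructed samples in the format of the filtered `iwlist wlan0 scan` output.
SCAN_1 = """\
          Cell 01 - Address: C4:3D:C7:3B:12:34
                    Quality=53/70  Signal level=-57 dBm
                    ESSID:"MWR"
          Cell 02 - Address: 2C:B0:5D:FB:67:F6
                    Quality=33/70  Signal level=-77 dBm
                    ESSID:"virginmedia1000829"
"""
SCAN_2 = """\
          Cell 01 - Address: C4:3D:C7:3B:12:34
                    Quality=50/70  Signal level=-60 dBm
                    ESSID:"MWR"
          Cell 02 - Address: 7C:03:4C:A9:A0:36
                    Quality=19/70  Signal level=-91 dBm
                    ESSID:"SKY9A035"
"""

CELL = re.compile(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})")
SIGNAL = re.compile(r"Signal level=(-?\d+) dBm")
ESSID = re.compile(r'ESSID:"(.*)"')

def parse_scan(text):
    """Return {bssid: {"signal_dbm": int or None, "essid": str or None}}."""
    cells, current = {}, None
    for line in text.splitlines():
        if m := CELL.search(line):
            current = cells.setdefault(
                m.group(1).upper(), {"signal_dbm": None, "essid": None})
        elif current is None:
            continue  # stray line before the first Cell header
        elif m := SIGNAL.search(line):
            current["signal_dbm"] = int(m.group(1))
        elif m := ESSID.search(line):
            current["essid"] = m.group(1)
    return cells

def diff_scans(old, new):
    """Compare two parsed scans: BSSIDs that appeared and BSSIDs that vanished."""
    return sorted(new.keys() - old.keys()), sorted(old.keys() - new.keys())

if __name__ == "__main__":
    appeared, gone = diff_scans(parse_scan(SCAN_1), parse_scan(SCAN_2))
    print("appeared:", appeared, "gone:", gone)
```

A signal line that is not reported in dBm leaves `signal_dbm` as `None` rather than guessing a value.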
by Drew » Tue Jul 23, 2013 3:51 pm
Ever heard of kismet?
http://kismetwireless.net

It is capable of passively monitoring wifi & logs to files you can use elsewhere.
It's often found pre-installed in security/pentesting distributions. Kali Linux has a version for the RPi:
http://www.kali.org/downloads - it should have kismet & the correct wifi drivers.

I think kismet can also do bluetooth monitoring, via a plugin but memory will be an issue on the RPi. There will be many other bluetooth logging tools installed in Kali linux. Kismet can also work as a 'drone' for a server, so the pi could return logs to a central kismet server, that could be running snort or other reporting software. It supports GPS logging too (from a gpsd device) so you can output & view logs in Google Earth etc.

You do need a wifi card that can run in monitor mode (iw list will mention the capabilities of connected devices).

Using 'iwlist scan' is an active scan - it relies on devices reporting back (hidden ap's don't reply), kismet simply monitors the data in the air (it will report hidden ap's if they get/send data).
Posts: 39
Joined: Fri Jan 20, 2012 3:50 am
by mikerr » Wed Jul 24, 2013 9:07 am
Drew wrote:Using 'iwlist scan' is an active scan - it relies on devices reporting back (hidden ap's don't reply), kismet simply monitors the data in the air (it will report hidden ap's if they get/send data).


Yep, I was posting a simple diy method - if you don't want to go the prepackaged kismet etc route.
Posts: 2417
Joined: Thu Jan 12, 2012 12:46 pm
Location: Up north , UK
by frisovv » Wed Jul 24, 2013 9:10 am
Thanks! I will have a look at kismet. It appears to be capable of what we need.
Friso
Posts: 6
Joined: Fri Jun 14, 2013 8:58 am
by MattF » Wed Jul 24, 2013 5:34 pm
On the Bluetooth side http://freecode.com/projects/bluelog is rather better than hcitool scan
Posts: 55
Joined: Tue Feb 12, 2013 10:01 am
by Drew » Thu Jul 25, 2013 6:13 pm
Kismet is powerful, if you need help with setup I may be able to help a little :)
It may make more sense to run a kismet server on another machine & have the Pi as a drone. It really depends on what you are aiming to achieve.

I think bluelog is also installed in Kali linux (or is in the Kali repositories - just apt-get it).
Posts: 39
Joined: Fri Jan 20, 2012 3:50 am
by frisovv » Tue Jul 30, 2013 8:42 pm
I am very short on time lately, but still pursuing this. I plan to buy a rpi tomorrow (found a shop in NL that appears to have model B in stock) and take it from there.

Ultimate goal is to do data collection (MAC addresses) about any device that comes within range of the device, regardless of whether they connect. Ideally I would be able to collect a MAC address, some device type identifier (e.g. is it a phone or a car kit), signal strength and timestamp. I'll go for wifi first and add bluetooth secondly if I can.

@Drew: Do you have any tips on which type / brand of wifi dongle I should go for? I admittedly know too little about wireless network technology (I'm a software guy). If you have any references to an article / post that outlines how to use kismet for this purpose, that'd be great as well.
Friso
Posts: 6
Joined: Fri Jun 14, 2013 8:58 am
by Drew » Wed Jul 31, 2013 1:21 am
frisovv wrote:@Drew: Do you have any tips on which type / brand of wifi dongle I should go for? I admittedly know too little about wireless network technology (I'm a software guy). If you have any references to an article / post that outlines how to use kismet for this purpose, that'd be great as well.


For Kismet I think any wifi card that supports monitor mode will suffice. I think it helps to have an antenna socket so you can use a directional or more powerful antenna at a later date, but the power usage will mean the Pi needs a USB hub with its own power supply.
I have an Alfa AWUS036NHA (uses ath9k_htc driver). It works OK with the Pi but sometimes the driver doesn't get loaded at boot, replugging usually fixes it. I think it could be down to my USB hub, it's usually fine if I don't have the ethernet connected. You can certainly find other cards that use a bit less power & still support monitor mode.

I use the aircrack.org compatibility page as a starting point, I suspect some of it may be out of date, it is focused on the aircrack suite which does injection & cracking, so you can ignore those features if you only want monitor mode.
http://aircrack-ng.org/doku.php?id=comp ... ty_drivers

I've seen kismet guides for Arch linux http://cyantific.de/tutorials/archlinux ... -tutorial/ <-- he made a nice case too.
Here's an example using kismet on the older 'pwnpi' OS…
https://www.youtube.com/watch?v=RVVaWox ... L6FkEPouGs

I tried Kismet in Raspbian, Arch and Kali linux. Kali is probably easiest because it has all the correct software, drivers and tools you will ever need. You can also run the desktop version in a VM/live boot in case you want to try something out on a quicker machine or test something to breaking point.

You could probably follow any 'raspberry pi wardriving' guide, just leave out the bits that mention gpsd unless you want to have GPS logging too. If kismet_server is too RAM heavy you can still monitor & parse out the various mac addresses & probe responses via tcpdump or tshark, but kismet is ideal. The manual has a bit of info on low RAM systems.
http://kismetwireless.net/documentation.shtml
Posts: 39
Joined: Fri Jan 20, 2012 3:50 am
by frisovv » Fri Aug 09, 2013 1:38 pm
Hi all,

For those still listening, I went with the following setup:
- rpi B
- Belkin USB hub (w/ power supply): http://www.belkin.com/us/p/P-F5U234
- Alfa AWUS AWUS036H + antenna: http://www.amazon.de/dp/B002BFMZR8 (amazon.de link, since that's where I ordered it)

I am not using Kali + Kismet, but the standard raspbian and tshark (apt-get install tshark). This works out of the box. Required drivers are already present. This is not the case with the Kali image, for some reason. The WiFi dongle does work with the standard AMD64 Kali image on a VM, though. Not sure why. Anyway, tshark meets my needs better, as I am not interested in the UI. Just data gathering.


Thanks for all the help!
Friso
Friso
Posts: 6
Joined: Fri Jun 14, 2013 8:58 am
by gizmotom » Mon Sep 02, 2013 4:48 am
Hi Friso

Are you sure tshark meets your need? My understanding is that you want to track devices near you? I think with tshark you can only track devices that are already connected to the wifi network? I don't think you can log mobile devices that are not connected to the network, am I wrong?

Thanks,
Posts: 1
Joined: Mon Sep 02, 2013 12:47 am
by frisovv » Mon Sep 02, 2013 9:41 am
gizmotom wrote:my understanding is that you want to track devices near you? I think with tshark you can only track devices that are already connected to the wifi network? I don't think you can log mobile devices that are not connected to the network, am I wrong?
Thanks,


tshark (with the interface in monitoring mode) also captures probing frames, which is what phones send out every now and then, even if not connected to anything. The phone does have to be activated in some way; when the screen is off, it doesn't do anything; as soon as someone activates the phone, it will start probing. This is why many shops and other venues offer free WiFi. People will use it and, as such, become easier to track in the store / place. With the Pi + a simple WiFi dongle that supports monitoring mode, you can quite easily and affordably create such a setup yourself. This is what I was trying to verify.
Friso
Posts: 6
Joined: Fri Jun 14, 2013 8:58 am
by mikerr » Wed Sep 11, 2013 9:24 am
Note iPhones tell you a bit more,

they broadcast where they have previously been too: :shock:
http://9to5mac.com/2013/01/01/isniff-gp ... -services/

https://github.com/hubert3/iSniff-GPS
Posts: 2417
Joined: Thu Jan 12, 2012 12:46 pm
Location: Up north , UK
by 2011dkang1 » Fri Oct 25, 2013 10:18 pm
Hey Friso, can you help me set up what you did? I am working on a school project and a setup like this is exactly what we are looking for. Thanks!
Posts: 1
Joined: Fri Oct 25, 2013 10:09 pm
by finnisoestela » Wed Jan 07, 2015 7:56 pm
2011dkang1 did you ever get it going or get any response from Friso?
Posts: 1
Joined: Mon Jan 05, 2015 9:36 pm
by odonnella » Fri Feb 13, 2015 9:04 pm
Friso,

Thanks for starting this post. I am looking to do the same thing but for college dining halls. My goal is to install the device you described and then report in real time the congestion in the room. I know we will not get a perfectly accurate amount of people, but I hope it will be close enough.

Was your system able to track bluetooth as well or just wifi probing? If it was able to track both, how did you make sure not to double count the same phone?

Overall, do you think the system you described will be able to report the data in real time or do I need to modify it?

Any other advice per your experience would be helpful!

Thank you!

Adam
Posts: 1
Joined: Fri Feb 13, 2015 8:55 pm
by Goodtraxmx » Tue Jun 23, 2015 11:00 pm
Hi guys,

3 weeks ago we got broken into and had 7k worth of stuff stolen, most of it my son's birthday and Christmas presents. So it was a massive security wake-up call for me as a dad and so I started searching for some monitoring devices. We now have all the traditional stuff but I came across your thread discussing monitoring and logging of devices that come into our wifi range.

Can someone either make me an idiot's guide to building one or, if I pay, build one for me?

Hope to hear from someone soon.
Posts: 1
Joined: Thu Jun 04, 2015 10:21 pm
by PangolinPaws » Wed Jun 24, 2015 1:40 pm
Goodtraxmx wrote:Hi guys,

3 weeks ago we got broken into and had 7k worth of stuff stolen, most of it my son's birthday and Christmas presents. So it was a massive security wake-up call for me as a dad and so I started searching for some monitoring devices. We now have all the traditional stuff but I came across your thread discussing monitoring and logging of devices that come into our wifi range.

Can someone either make me an idiot's guide to building one or, if I pay, build one for me?

Hope to hear from someone soon.


That's pretty harsh, sorry to hear it.

This WiFi thing would let you record all the MAC addresses of the devices that come within range but I don't know how useful that is for security. For example, there's no way (that I know of) to look up & identify a person based on their device's MAC address.

I have messed about with this sort of thing a bit and I did half-finish a project. Some of the stuff I found might be of interest:

https://www.raspberrypi.org/forums/view ... 41&t=87807
https://github.com/PangolinPaw
Posts: 88
Joined: Wed Mar 05, 2014 9:04 pm
Location: Wiltshire, UK
by kolloni » Thu Jul 16, 2015 12:42 pm
Hey,

I already googled but I could not find any answer for it.
Is it possible to get the signal strength of the device which sends out a probe frame?

Thanks
Posts: 1
Joined: Thu Jul 16, 2015 12:40 pm
by badger13 » Fri Feb 19, 2016 4:03 pm
frisovv wrote:Hi all,

For those still listening, I went with the following setup:
- rpi B
- Belkin USB hub (w/ power supply): http://www.belkin.com/us/p/P-F5U234
- Alfa AWUS AWUS036H + antenna: http://www.amazon.de/dp/B002BFMZR8 (amazon.de link, since that's where I ordered it)

I am not using Kali + Kismet, but the standard raspbian and tshark (apt-get install tshark). This works out of the box. Required drivers are already present. This is not the case with the Kali image, for some reason. The WiFi dongle does work with the standard AMD64 Kali image on a VM, though. Not sure why. Anyway, tshark meets my needs better, as I am not interested in the UI. Just data gathering.


Thanks for all the help!
Friso


I know this post is a while after yours, but were you able to have any luck with Bluetooth device detection? I would like to make something exactly like yours with the same exact output, but for Bluetooth detection. Any insight would be much appreciated.
Posts: 1
Joined: Fri Feb 19, 2016 3:52 pm
by tonny.vivas » Tue Jan 03, 2017 5:47 pm
Hello everyone, I'm new with RPi and tshark. I'm trying to use tshark to see MAC addresses and their rssi or tx power, but can't seem to find the proper field name:
the command I'm using is:
sudo tshark -S -l -i wlan1 -Y 'wlan.fc.type_subtype eq 4' -T fields -E header=y -e frame.time -e wlan.sa -e wlan.sa_resolved -e wlan_mgt.ssid
And I get:
frame.time wlan.sa wlan.sa_resolved wlan_mgt.ssid
Jan 3, 2017 12:25:03.048773000 EST b8:27:eb:1a:d3:2f Raspberr_1a:d3:2f
Jan 3, 2017 12:25:03.069641000 EST b8:27:eb:1a:d3:2f Raspberr_1a:d3:2f
Jan 3, 2017 12:25:03.092482000 EST b8:27:eb:1a:d3:2f Raspberr_1a:d3:2f
Jan 3, 2017 12:25:03.155865000 EST b8:27:eb:1a:d3:2f Raspberr_1a:d3:2f
Jan 3, 2017 12:25:03.362698000 EST b8:27:eb:1a:d3:2f Raspberr_1a:d3:2f
Jan 3, 2017 12:25:03.383152000 EST b8:27:eb:1a:d3:2f Raspberr_1a:d3:2f
Jan 3, 2017 12:25:03.426263000 EST b8:27:eb:1a:d3:2f Raspberr_1a:d3:2f
Jan 3, 2017 12:25:03.496762000 EST b8:27:eb:1a:d3:2f Raspberr_1a:d3:2f
Jan 3, 2017 12:25:03.517186000 EST b8:27:eb:1a:d3:2f Raspberr_1a:d3:2f

I've tried: (with no luck)
chan.chan_tx_pow
wlan.dbm_antsignal
wlan.antenna
wlan.normrssi_antsignal
wlan.rawrssi_antsignal
wlan.signal_strength
wlancap.dbm_antsignal
wlancap.ssi_signal

Could anyone help me out?
Posts: 2
Joined: Tue Jan 03, 2017 12:52 am
by jjmeseguer » Fri Apr 07, 2017 9:07 pm
Hi
I'm doing it with:
sudo tshark -l -i wlan0 -o gui.column.format:'"MAC", "%uhs","RSSI", "%e"'
But if you are on a Raspberry Pi 3 and using the builtin wifi, you'll need to install nexmon (https://github.com/seemoo-lab/nexmon) in order to put it in monitor mode.
Regards.
Posts: 1
Joined: Fri Apr 07, 2017 9:01 pm
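Added example, not part of any post in this thread: aggregating probe-request lines from `tshark -T fields` into one record per source MAC with first/last seen time and strongest signal, the data set described earlier in the thread. It assumes the capture adds the radiotap field `radiotap.dbm_antsignal` and `frame.time_epoch` to the field list; the sample lines are constructed and `parse_line` and `summarise` are hypothetical names.

```python
from collections import defaultdict

# Constructed sample: tab-separated lines in the shape tshark -T fields prints for
#   -e frame.time_epoch -e wlan.sa -e radiotap.dbm_antsignal -e wlan_mgt.ssid
# (assumed field list; MAC addresses and values are made up for the example).
SAMPLE = (
    "1483464303.048\tb8:27:eb:1a:d3:2f\t-48\t\n"
    "1483464303.069\tb8:27:eb:1a:d3:2f\t-52,-50\tMWR\n"
    "1483464310.500\tda:a1:19:00:00:01\t-71\t\n"
    "1483464400.000\tb8:27:eb:1a:d3:2f\t-45\t\n"
    "garbled line\n"
)

def parse_line(line):
    """Return (epoch, mac, rssi_dbm or None, ssid, randomised) or None if malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4:
        return None
    epoch, mac, rssi, ssid = parts
    try:
        # Some tshark versions print one value per antenna, comma-separated.
        values = [int(v) for v in rssi.split(",") if v]
        # Locally administered bit (0x02 in the first octet) marks a MAC that
        # was not assigned by the vendor, e.g. a randomised probe address.
        randomised = bool(int(mac.split(":")[0], 16) & 0x02)
        return float(epoch), mac.lower(), max(values) if values else None, ssid, randomised
    except ValueError:
        return None

def summarise(lines):
    """Aggregate probe requests into one record per source MAC."""
    devices = defaultdict(lambda: {"first": None, "last": None, "best_rssi": None,
                                   "ssids": set(), "frames": 0, "randomised": False})
    for rec in filter(None, map(parse_line, lines)):
        epoch, mac, rssi, ssid, randomised = rec
        d = devices[mac]
        d["first"] = epoch if d["first"] is None else min(d["first"], epoch)
        d["last"] = epoch if d["last"] is None else max(d["last"], epoch)
        if rssi is not None and (d["best_rssi"] is None or rssi > d["best_rssi"]):
            d["best_rssi"] = rssi
        if ssid:
            d["ssids"].add(ssid)
        d["frames"] += 1
        d["randomised"] = randomised
    return dict(devices)

if __name__ == "__main__":
    for mac, d in summarise(SAMPLE.splitlines()).items():
        print(mac, d)
```

Records flagged `randomised` should not be counted as distinct physical devices, since one phone can probe under several such addresses.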