How to monitor packets from a MAC address

Question

I am wanting to monitor a MAC address for activity on my network using airodump-ng

I am currently:

First running this:

airodump-ng mon0 --write t

which writes to the file t-01.csv a csv with the format:

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs

then I have a bash script that does this:

while [ true ]
do
    t=`cat t-01.csv | grep '30:F1:DA:7B:F3:2C' | cut -d ',' -f5`
    if [[ "$t" != "$lt" ]]
    then
            lt="$t"
            echo "activity"
    fi
done

Which is basically watching the MAC address for a change in the # packets and when it changes it means there has been some activity. But the airodump-ng seems to have an immense lag when writing to a file (around 1-2 seconds) Is there an alternative way to do this, that is faster?

Found my answer:

https://networkengineering.stackexchange.com/questions/19737/tcpdump-filter-by-mac-address/19741#19741?newreg=8e32529cbc7c4234b3a062bb655b7e5f

I can then write a script like:

#!/bin/bash
tcpdump -i mon0 ether host "30:F1:DA:7B:F3:2C" | while read b; do
    echo "Activity!"
done

I suggest moving your answer into an answer. It's ok to answer your own question on SE. — ki9, Jan 01 '21 at 07:41

score 0 · Answer 1 · answered Jan 13 '17 at 16:48

0

Instead of cat-ing the file each time, use:

tail -f t-01.csv | grep '30:F1:DA:7B:F3:2C' | cut -d ',' -f5`

and the rest of the script is the same.

answered Jan 13 '17 at 16:48

Reggie85

9
1

does not work. and also does not output anything. – maxisme Jan 13 '17 at 17:04
removed `-f` and still equally as laggy – maxisme Jan 13 '17 at 17:09
It is not to do with the script it is todo with `airodump-ng`s `--write` which is rubbishly slow vs the GUI – maxisme Jan 14 '17 at 00:44

How to monitor packets from a MAC address

Found my answer:

1 Answers1