How to Detect a Suspicious Traffic in a Wireless Network with WifiBeat

How to Detect a Suspicious Traffic in a Wireless Network with WifiBeat

In this article, we’ll talk about WiFiBeat, an agent that can send 802.11 frames to Elasticsearch, where we can analyze, build, and detect attacks. All this system is built entirely on Open Source OS.


Official website of the utility

  • WiFiBeat allows you to work with a Wi-Fi adapter in monitor mode, create objects from JSON frames and send to the database of the analytical engine Elasticsearch. In addition, WiFiBeat can read frames from a PCAP file.
  • The analysis of the collected information occurs in another free product from Elastic – Kibana visualizer.

Wifi Beat Photo 1

  • WiFiBeat officially works stably on Ubuntu 16.04, but, of course, it can be run on other distributions, but there may be difficulties with the dependencies and inconsistency of the versions of the libraries under which the utility was written. We will use 64-bit Ubuntu 16.04, which is connected to the USB Wi-Fi adapter TP-LINK TL-WN722N in monitor mode, to launch WiFiBeat.
  • Elasticsearch and Kibana will be deployed on 64-bit Debian 9.

Installation of WiFiBeat

The installation process is described in detail on the GitHub.

Installing libtins

tar -zxf v3.5.tar.gz
cd libtins-3.5
apt-get install libpcap-dev libssl-dev build-essential libboost-all-dev
mkdir build
cd build
cmake ../ -DLIBTINS_ENABLE_CXX11=1
make install

Install the missing packages in the system

apt-get install libyaml-cpp-dev libpoco-dev rapidjson-dev libtsan0 libboost-all-dev libb64-dev libwireshark-data build-essential libnl-3-dev libnl-genl-3-dev libnl-idiag-3-dev

Install Codelite for building WiFiBeat

apt-get install codelite codelite-plugins

Run code lite and create a new workspace

Wifi Beat Photo 2

C ++ type

Wifi Beat Photo 3

Remember the directory

Wifi Beat Photo 4

When a workspace is created, go to the directory and download WiFiBeat and libraries with GitHub.

cd /root/WiFiBeat
git clone
git clone
git clone

Add all 3 projects to our workspace in codelite

Wifi Beat Photo 5

Wifi Beat Photo 6

The result should be the following

Wifi Beat Photo 7

After double clicking on wifebeat in the list of projects, it should stand out

Wifi Beat Photo 8

Right click on wifibeat choose to Build

Wifi Beat Photo 9

Select the compiler if it was not selected, and again Build

Wifi Beat Photo 10

If all the dependencies are installed in the system and you did everything correctly before that, then at the end of the compilation process you will see a message about no errors.

====0 errors, 2 warnings, total time: 00:01:13 seconds====


  • The installation process for Elasticsearch and Kibana will not be discussed in this article. On this subject, there is enough material on the network.
  • We assume that they work on the machine with IP Address192.168.1.30 and WiFiBeat on the machine Elasticsearch listens on HTTP port 9200 and does not require authentication.
  • To the machine, We connected the Wi-Fi adapter and put it into monitor mode.
    In the system, it is displayed as mon0.
  • From the directory with WiFiBeat, copy the configuration file to etc and edit it.
cp wifibeat.yml /etc
vi /etc/wifibeat.yml
  • This file is well documented, briefly go through the main options.
  • We are going to analyze the traffic of one network operating on the fifth channel of the 2.4 GHz band.
  • Therefore, I leave one entry in the interface settings. It is possible to analyze several channels at once and to set the listening time for each.
        mon0: [5]
  • Deleting everything from the Output file section
  • In the section with CPAP-filters, we will set the following
                mon0: type mgt
  • The filters are specified as in Wireshark, and in this case, I indicate that I’m only interested in Management Frames 802.11.

These include:

  1. Authentication frame
  2. Deauthentication frame
  3. Association request frame
  4. Association response frame
  5. Reassociation request frame
  6. Reassociation response frame
  7. Disassociation frame
  8. Beacon frame
  9. Probe request frame
  10. Probe response frame
  11. Request to Send (RTS) frame
  12. Clear to Send (CTS) frame
  13. Acknowledgment (ACK) frame
  • In the Local file and Decryption sections, we have commented out all the keys, we do not need encryption keys in my example and we will not read from the PCAP file either.
  • In the Queues section, we will not change anything, and in the Outputs section, set the address and port of Elasticsearch.
  enabled: true
  protocol: "http"
  # Array of hosts to connect to.
  hosts: [ "" ]
  • Save and go to the directory with WiFiBeat and the Debug subdirectory. There must be a compiled wife beat executable.


  • We launch Elasticsearch and Kibana on the machine We are sure that the port 9200 (Elasticsearch) and Kibana (5601) are being listened.
  • On the machine, we check that we did not make any configuration errors
./wifibeat -d
  • You should see the parsing of the configuration file. If there are errors, wife beat will report the problem. If all is well, then we launch
./wifibeat -f
  • The -f switch allows you to run wife beat, not in daemon mode. For us, it is more convenient.
  • Now if you open Kibana and check the indexes, you should see that there is a new wifebeat index

Wifi Beat Photo 11

Let’s configure Kibana. Go to Management, Index Patterns

Wifi Beat Photo 12

Create a new template

Wifi Beat Photo 13

Wifi Beat Photo 14

We mark it as the main

Now we import Dashboards and Visualizations that come with WiFiBeat

Wifi Beat Photo 15

Wifi Beat Photo 16

Choose the file kabana.json from the directory WiFiBeat/kibana

If the import was successful, you can go to the Dashboard tab and find the WLAN there

Wifi Beat Photo 17

If you do not use filters in wifebeat.yml, it will look like this

Wifi Beat Photo 18

With filters (in our case), we will not see data on Control Frames and Data Frames.

In addition to dashboards, we have new visualizations

Wifi Beat Photo 19

Wifi Beat Photo 20


Then, with the help of another component of the Elastic-X-Pack, you can configure actions to detect, say, a burst of de-authentication frames, which can mean a DoS attack or an attempt to get a handheld for brute force. In this way, you can assemble a system for detecting attacks on a wireless network.