Packet Sniffing

Capturing MAVLink packets transmitted over the air to analyze drone communications.

Damn Vulnerable Drone > Attack Scenarios > Reconnaissance > Packet Sniffing

Description

MAVLink packet sniffing involves intercepting the MAVLink messages exchanged between UAVs (Unmanned Aerial Vehicles) and ground control stations or between UAVs in a network.

By analyzing the captured packets, you can gain insights into the drone's operational status, commands being sent or received, and how the system handles various data types.

Resources

Wireshark

⚠️ Solution Guide (Non-WiFi Mode)

Step 1. Install Wireshark

We will be using Wireshark to analyze the real-time MAVLink traffic. This should already be installed with your Kali Linux distribution. If not, you can install it from:

https://www.wireshark.org/download.html

Step 2. Install MAVLink on Kali

Install MAVLink following the official guide:

https://mavlink.io/en/getting_started/installation.html

sudo apt install python3 python3-pip
git clone https://github.com/mavlink/mavlink.git --recursive
cd mavlink
python3 -m venv mavenv
source mavenv/bin/activate
pip install -r pymavlink/requirements.txt

Step 3. Build MAVLink Libraries

Generate the MAVLink WLua libraries:

python3 -m pymavlink.tools.mavgen --lang=WLua --wire-protocol=2.0 --output=mavlink_2_common message_definitions/v1.0/ardupilotmega.xml

IMPORTANT MAVLINK_2_COMMON.LUA BUG FIX

The current mavgen script above has a bug in it that will prevent Wireshark from parsing the lua script. Please follow the below instructions to fix it.

You will need to open your mavlink_2_common.lua file and make one change to it:

Change this line #9344


f.CAMERA_IMAGE_CAPTURED_capture_result = ProtoField.new("capture_result (MAV_BOOL)", "mavlink_proto.CAMERA_IMAGE_CAPTURED_capture_result", ftypes.INT8, nil, base.HEX_DEC)

To this


f.CAMERA_IMAGE_CAPTURED_capture_result = ProtoField.new("capture_result (MAV_BOOL)", "mavlink_proto.CAMERA_IMAGE_CAPTURED_capture_result", ftypes.INT8, nil, base.DEC)

Step 4. Update Wireshark Plugin

Update the plugin to specify MAVLink UDP ports. The last few lines of the plugin file specify the ports to be monitored:

local udp_dissector_table = DissectorTable.get("udp.port")
udp_dissector_table:add(14550, mavlink_proto)
udp_dissector_table:add(14580, mavlink_proto)
udp_dissector_table:add(18570, mavlink_proto)

Step 5. Import Plugin into Wireshark

Copy mavlink_2_common.lua to the Wireshark plugin directory. Possible paths include:

/usr/lib/x86_64-linux-gnu/wireshark
/usr/lib/aarch64-linux-gnu/wireshark
~/.local/lib/wireshark/plugins
~/.wireshark/plugins

Then open Wireshark and go to:
Help → About Wireshark → Plugins to verify it’s loaded.

Step 6. Start Wireshark

Launch Wireshark and select the appropriate interface. You should begin seeing MAVLink packets in real-time.

⚠️ Solution Guide (WiFi Mode)

Step 1. Obtain WEP Password

Use the output of Wireless Analysis & Cracking to obtain the WEP key.

Step 2. Install Wireshark

Follow the same instructions as above.

Step 3. Install MAVLink on Kali

sudo apt install python3 python3-pip
git clone https://github.com/mavlink/mavlink.git --recursive
cd mavlink
python3 -m venv mavenv
source mavenv/bin/activate
pip install -r pymavlink/requirements.txt

Step 4. Build MAVLink Libraries

python3 -m pymavlink.tools.mavgen --lang=WLua --wire-protocol=2.0 --output=mavlink_2_common message_definitions/v1.0/ardupilotmega.xml

IMPORTANT MAVLINK_2_COMMON.LUA BUG FIX

The current mavgen script above has a bug in it that will prevent Wireshark from parsing the lua script. Please follow the below instructions to fix it.

You will need to open your mavlink_2_common.lua file and make one change to it:

Change this line #9344


f.CAMERA_IMAGE_CAPTURED_capture_result = ProtoField.new("capture_result (MAV_BOOL)", "mavlink_proto.CAMERA_IMAGE_CAPTURED_capture_result", ftypes.INT8, nil, base.HEX_DEC)

To this


f.CAMERA_IMAGE_CAPTURED_capture_result = ProtoField.new("capture_result (MAV_BOOL)", "mavlink_proto.CAMERA_IMAGE_CAPTURED_capture_result", ftypes.INT8, nil, base.DEC)

Step 5. Update Wireshark Plugin

The last few lines of the plugin file mavlink_2_common.lua specify the ports to be monitored.

local udp_dissector_table = DissectorTable.get("udp.port")
udp_dissector_table:add(14550, mavlink_proto)
udp_dissector_table:add(14580, mavlink_proto)
udp_dissector_table:add(18570, mavlink_proto)

Step 6. Import Plugin into Wireshark

/usr/lib/x86_64-linux-gnu/wireshark
/usr/lib/aarch64-linux-gnu/wireshark
~/.local/lib/wireshark/plugins
~/.wireshark/plugins

Confirm plugin is listed in
Help → About Wireshark → Plugins.

Step 7. Start Wireshark

Select your connected interface and begin capturing. MAVLink packets will appear in the stream.

Step 8. Apply Decryption Settings

Use the WEP key (1234567890) to decrypt packets:

Open Wireshark
Go to Edit → Preferences
Expand Protocols → Select IEEE 802.11
Click the Decryption Keys tab
Edit Key #1 and enter: 1234567890
Click OK
Begin capturing — Wireshark will decrypt packets automatically

Packet Sniffing

Description

Resources

Step 1. Install Wireshark

Step 2. Install MAVLink on Kali

Step 3. Build MAVLink Libraries

IMPORTANT MAVLINK_2_COMMON.LUA BUG FIX

Step 4. Update Wireshark Plugin

Step 5. Import Plugin into Wireshark

Step 6. Start Wireshark

Step 1. Obtain WEP Password

Step 2. Install Wireshark

Step 3. Install MAVLink on Kali

Step 4. Build MAVLink Libraries

IMPORTANT MAVLINK_2_COMMON.LUA BUG FIX

Step 5. Update Wireshark Plugin

Step 6. Import Plugin into Wireshark

Step 7. Start Wireshark

Step 8. Apply Decryption Settings

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Clone this wiki locally