System Setup:

  1. MacBook Air running Mountain Lion and connected wirelessly to a router.
  2. Wireshark installed and capturing packets (I have "capture all in promiscuous mode" checked).
  3. I filter out all packets with my own source and destination IP using the following filter: (ip.dst != 192.168.1.104 && ip.src != 192.168.1.104)
  4. On the same network as the MacBook, I use an Android device (connecting via WiFi) to make HTTP requests.

Expected Results:

  1. Wireshark running on the MacBook sees the HTTP request from the Android device.

Actual Results:

  1. I only see SSDP broadcasts from 192.168.1.1

Question:
What do I need to do so that Wireshark, like Firesheep, can see and use the packets (particularly HTTP) from other network devices on the same network?


UPDATE

  1. "How can I capture other computers' traffic in Wireshark on a WiFi-network?" seems to imply that it is not possible.
  2. This seems to describe my problem: http://seclists.org/wireshark/2010/Jan/70
  3. I am confident the network interface is in promisc mode because when I run ifconfig I get en0: flags=8967<UP,BROADCAST,DEBUG,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500

3 Answers

1

If you are not connected via ethernet to your home router, most likely the home router uses a switch for its LAN ports and not a hub, thus each port has its own collision domain, whereas in a hub the collision domain is shared among all the ports and you would see all traffic on every port.

If you are connected wirelessly, there may be a few issues. First, certain wireless cards' drivers do not support being put into promiscuous mode. Nothing can be done about that unless you want to write your own. Second, if your network is encrypted and you are only seeing layer 2 traffic from various sources and not the higher layer protocols expected (which doesn't appear to be the case), then you must enter the WEP key into Wireshark so it can handle the decryption. WPA and WPA2 decryption get more complicated, as older versions of Wireshark do not support it, and if it is supported, then you must capture the entire handshake taking place between the router and the device (EAPOL packets), as unique keys are generated between the device and router.

3
  • I am connected wirelessly and I am authenticated using WPA to the network. I still do not see the packets from other authenticated devices on the network. Do I need to impersonate the IP or MAC address of the other machines?
    – eb80
    Commented Oct 31, 2012 at 14:57
  • 1
    No, you do not need to spoof your MAC or IP. Go to wiki.wireshark.org/HowToDecrypt802.11 and ensure that you have set up the decryption correctly. If it is set up incorrectly, you'll only see encrypted traffic at the layer 2 level. Also you must capture the EAPOL handshake (you can filter eapol packets) for Wireshark to decrypt on the fly, so cycle (turn off and back on) the wifi of the device you are trying to capture. Some helpful details here, but for a Linux box: wolfhoundsec.blogspot.com/2010/06/…. Finally, have a Wireshark version past 0.99.5.
    Commented Nov 1, 2012 at 1:24
  • errrr... I just spent an hour on this and I still cannot get it to work. 1. I checked by filtering "eapol" and I see four packet frames. 2. I added my WPA-PWD info to the keys. 3. I toggled all different combinations of FCS and protection bit. 4. I am using Wireshark 1.8.3..... what else am I missing?
    – eb80
    Commented Nov 3, 2012 at 21:35
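The answer's point that WPA/WPA2 derives per-session keys during the handshake, and therefore that Wireshark cannot decrypt a station's traffic without its EAPOL frames, is visible in the standard key derivation itself. The following is an added example, not code from the answerer or from Wireshark: the passphrase/SSID pair is the IEEE 802.11i Annex H test vector, while the MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes.
    This is what a 'wpa-pwd' entry in Wireshark's key list is expanded into."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Pairwise transient key for WPA2-CCMP (384 bits), split into KCK, KEK and TK.
    aa/spa are the AP and station MACs; the nonces are carried in EAPOL messages 1
    and 2 of the 4-way handshake, which is why those frames have to be in the capture."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


# Constructed sample handshake parameters (not taken from any real capture).
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def session_keys_differ(passphrase: str, ssid: str) -> bool:
    """Same passphrase and PMK, but a different SNonce (a device that reassociated)
    yields a different temporal key; without the captured nonces the TK is unknown."""
    pmk = derive_pmk(passphrase, ssid)
    tk_first = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)["tk"]
    tk_second = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, bytes(32))["tk"]
    return tk_first != tk_second


if __name__ == "__main__":
    print("PMK:", derive_pmk("password", "IEEE").hex())
    print("TK changes between sessions:", session_keys_differ("password", "IEEE"))
```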
1

To capture Wi-Fi traffic of other systems you will have to put your network adapter in monitor mode; this is a requirement specific to Wi-Fi. In Windows, that means buying a special adapter like AirPcap. For Linux use airmon-ng. On the MacBook I am not sure how, but I see a lot of Google hits on the subject. It is also true that you want to be in promiscuous mode, but the hub thing is only needed for ethernet.

> I put my NIC into monitor mode and I could see lots of other traffic around, but still I could not see HTTP/SMTP/etc. application-level traffic from my local WiFi network.

At the application level the traffic will be encrypted just as Fred Thomsen says in his post. You will need to research how to set up Wireshark and your AP to decrypt this traffic.

2
  • I spent a while Googling this and I also used TCPDump from the command line. I simply could not get my NIC to recognize wireless traffic from other hosts on the same wireless network. I put my NIC into monitor mode and I could see lots of other traffic around, but still I could not see HTTP/SMTP/etc. application-level traffic from my local WiFi network. Any other ideas?
    – eb80
    Commented Oct 31, 2012 at 20:40
  • As Matt Shirilla said, "At the application level the traffic will be encrypted just as Fred Thomsen says in his post. You will need to research how to setup WireShark and your AP to decrypt this traffic." See the Wireshark Wiki "How to decrypt 802.11" page.
    – user164970
    Commented Dec 30, 2013 at 18:54
0

If your MacBook is connected by Ethernet to the WiFi router then this could be the reason:

Probably the WiFi router is acting as a switch (and not a hub). And hence the MacBook is not seeing the HTTP packets at all.

2
  • I am connected via wireless (interface en0) to the WiFi router.
    – eb80
    Commented Oct 31, 2012 at 3:46
  • How do I get the MacBook to act as a hub then?
    – eb80
    Commented Oct 31, 2012 at 3:50