I've installed Wireshark and configured it to let my user run it with all needed privileges (I enabled dumpcap and added my user to wireshark group, then restarted).

Devices are shown and capture starts well. The problem is that only packets sent to and directed to the PC where Wireshark is running are captured. Obviously I enabled Promiscuous mode in the capture options dialog.

For example, if I run Wireshark and then surf the web on Firefox, packets are captured. If I start browsing with my smartphone, instead, no packet is captured (PC and smartphone are connected to the same domestic WiFi network).

I'm working with a WiFi device wlan0 with ath9k drivers. Here is the output of ifconfig wlan0 and lspci | grep Wireless:

lorenzo@XUBUNTU:~$ ifconfig wlan0
wlan0     Link encap:Ethernet  HWaddr 5c:ac:4c:32:dc:1d  
          indirizzo inet:  Bcast:  Maschera:
          indirizzo inet6: fe80::5eac:4cff:fe32:dc1d/64 Scope:Link
          RX packets:1585 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1782 errors:0 dropped:0 overruns:0 carrier:0
          collisioni:0 txqueuelen:1000 
          Byte RX:970355 (970.3 KB)  Byte TX:401610 (401.6 KB)

lorenzo@XUBUNTU:~$ lspci | grep Wireless
03:00.0 Network controller: Atheros Communications Inc. AR9287 Wireless Network Adapter (PCI-Express) (rev 01)

What I want to achieve is to examine the network traffic of my smartphone using my PC running Wireshark, both connected to the same personal domestic WiFi access point.

Using a wired connection would be the simplest way to do this.

I will assume you are not using WEP as it would "just work", so you must be using WPA. Wireshark cannot decrypt WPA packets automatically; it needs to know the pre-shared key (PSK) configured in the WiFi setup.

In wireshark, go to the View menu, and choose Wireless Toolbar. Then click Keys and enter the SSID and PSK for your local network. Select this in the Toolbar once entered, and use wireshark as your decrypter.

Then you can begin capturing. Note that in order to decrypt another device's packets, Wireshark needs to see the full EAPOL handshake. The best way to do this is to disable and re-enable wireless on the smartphone once the capture has started.

  • I cannot use a wired connection with the smartphone :D And yes, I am using WPA (I will try switching temporarily to WEP, but I'm interested in making it work with WPA). Thank you, I will try those Wireshark settings ASAP, I'm not at home right now. But, does that mean that the sniffer PC has to be disconnected from the inspected wireless network during sniffing?
    – lorenzo-s
    Commented Dec 29, 2011 at 10:34
  • @lorenzo-s No, it should work connected, but try both, some parts of how all this works are dependent on the driver implementation. Also give airpcap a go as an alternative to wireshark doing the decryption (wireshark will detect its presence and can configure it)
    – Paul
    Commented Dec 29, 2011 at 10:44
  • just disable the encryption and try. Commented Dec 29, 2011 at 12:37

A wireless network doesn't work like a wired one. You will receive from the router only the packets sent to your own PC. You have to understand that the frequencies and other physical transport parameters used by your phone are not necessarily the same as the one used by your PC, that both streams are probably encrypted, etc. You can always try to monitor everything using tools like airodump or Kismet, but it doesn't mean you'll be able to get something usable out of this. The only reliable way to sniff traffic of your phone from your PC is to look at it directly inside the router (which sees the whole network). Hope that helps.

  • Putting my wlan0 interface in monitor mode using ifconfig wlan0 down; iwconfig wlan0 mode monitor; iwconfig wlan0 up I can see traffic from and to my smartphone, but encrypted and together with all visible WiFi access points (there are a lot in my house)! I think that's the same I can do with airodump, isn't it? I can filter them, sure, but then I also have to decrypt them later. Additionally, this method doesn't let me connect to my own network until I switch back with iwconfig wlan0 mode managed.
    – lorenzo-s
    Commented Dec 29, 2011 at 10:39
  • @lorenzo-s: An interface cannot be in two modes at once. However, you can sometimes have two interfaces referring to the same physical device... the iw tool can create and delete wireless interfaces manually, and airmon-ng automates this. Commented Dec 29, 2011 at 12:39

Promiscuous mode is not what you think it is on a modern Ethernet network that uses a star topology with switches. Wireless 802.11 is a point-to-multipoint configuration. Wired 802.3 is typically point-to-point when using switches. A host will only receive frames addressed to it or frames that were broadcast or multicast; a host will not be able to receive unicast packets not addressed to it once the switch learns the port for that address. If you want to see all the Ethernet frames going by, then your Ethernet port has to be in Promiscuous mode and connected to a hub (not a switch). Beware that some late model "hubs" are actually switches; there's a page at the wireshark site that has more info on this topic.

One way to capture most of the Ethernet traffic would be to install an Ethernet hub in between the cable/ADSL modem/router and the wireless access point. Connect a PC hosting Wireshark to the hub, and you'll be able to capture all traffic between router and WAP. If your modem/router and WAP are combined into a single unit, then you would have to obtain another wireless access point to set this up. You have to set up Wireshark as a man-in-the-middle to listen in on all the local Internet traffic.

WAN--- modem/router ------ HUB ----- wireless access   ~~~~   smartphone
                            |              point

  • I know about Ethernet topologies, switches, hubs, etc etc, and why on a switched network it's impossible to sniff packets without using the man-in-the-middle trick. What I did not know was why packet sniffing does not work on a wireless network just as in a point-to-multipoint cabled network. Your solution is out of my possibilities because I do not have a hub, and modem, router and WiFi access point are physically on the same Linksys device. Anyway, thank you very much for your help explaining the problem.
    – lorenzo-s
    Commented Dec 30, 2011 at 0:47

What I did not know was why packet sniffing does not work on wireless network just as in a point-to-multipoint cabled network.

Because WEP and WPA/WPA2 were explicitly designed to make it not work! Traffic is encrypted to keep arbitrary people from being able to watch traffic on wireless networks. In order to decrypt that traffic (which you'll have to capture in monitor mode), see the Wireshark wiki entry on decrypting 802.11 traffic.
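Paul's answer above and this one both say the same thing: Wireshark needs the PSK and a captured EAPOL 4-way handshake. The following added example (not code from the thread) shows why in Python: the PMK can be derived from passphrase and SSID alone, but the per-session temporal key that actually decrypts frames also needs the two MAC addresses and the two nonces carried only in the handshake messages. The MAC addresses, nonces and EAPOL frame below are constructed placeholders; the MIC check is the one Wireshark uses to confirm a key matches (WPA2/AES, key descriptor version 2).

```python
import hashlib
import hmac

PTK_LABEL = b"Pairwise key expansion"   # label fixed by IEEE 802.11i
MIC_OFFSET = 81                         # Key MIC field offset inside an EAPOL-Key frame


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK (a.k.a. PSK): PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 256 bits).
    This is all Wireshark can compute from the key entered in the Wireless Toolbar."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_80211(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK needs the AP (aa) and station (spa) MACs plus ANonce (message 1) and
    SNonce (message 2) of the 4-way handshake; this is why the capture must contain
    the EAPOL frames, and why re-associating the phone after starting the capture helps."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_80211(pmk, PTK_LABEL, data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for WPA2/AES (descriptor version 2 = HMAC-SHA1-128), computed over the
    EAPOL-Key frame with its own MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def mic_matches(kck: bytes, frame: bytes) -> bool:
    """The 'does this PSK belong to this handshake' check Wireshark runs on message 2."""
    return hmac.compare_digest(eapol_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + 16])


if __name__ == "__main__":
    # Constructed values: locally administered MACs and fixed nonces, not a real capture.
    pmk = wpa_pmk("password", "IEEE")             # IEEE 802.11i Annex H test vector
    ap, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    keys = wpa_ptk(pmk, ap, sta, bytes(range(32)), bytes(range(32, 64)))
    print("PMK", pmk.hex())
    print("TK ", keys["tk"].hex())
```

Changing either nonce changes the TK completely, so frames captured before the handshake (or from a session whose handshake was missed) stay opaque even with the right PSK.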

While searching for a solution I found the following setup for sniffing the wireless connection of a smartphone, maybe this helps: