Solved

Wireshark and Capturing WiFi traffic

Posted on 2014-04-02
9
1,395 Views
Last Modified: 2014-05-10
Hello,

I'll be using Wireshark 1.10 on OS X to troubleshoot what I think is an infected wireless host generating enough traffic to choke a wireless access point. I've put the wireless adapter into "monitor mode" per the Wireshark wiki, but my tests on my home network still don't show activity from other hosts on the same wireless network. I know wireless access points work as a switch to isolate traffic, but I thought there was a way to capture all traffic from all hosts. Is this not possible?

Thanks!
0
Comment
Question by:Mandr1ch
  • 3
  • 3
  • 2
9 Comments
 
LVL 21

Expert Comment

by:Jakob Digranes
ID: 39973554
This is a limitation of the wireless driver for your network card. You can bypass this by buying some sort of Sniffer program, like Air Pcap 8http://www.riverbed.com/products-solutions/products/network-performance-management/wireshark-enhancement-products/Wireless-Traffic-Packet-Capture.html) - or if possible, you can check if your AP have som possibility to capture traffic for you --- some high-end APs can.

or - if you suspect a bad station: do you have control over all devices? if so - change password or SSID of wireless network. So all devices are disconnected. Reconnect devices one by one, also giving them some time to settle in, and see when AP goes down.

or - it might also be neighbouring APs - download inSSIDer, www.metageek.net and see if any other APs are interfering with you AP (802.11g/n have only 3 non-overlapping channels)
0
 
LVL 35

Accepted Solution

by:
Kimputer earned 500 total points
ID: 39973582
To capture all Wi-Fi traffic, you actually need either, an old hub, or a managed switch with port mirroring capabilities, and place that just after the access point (access point - hub or switch - resume old network topology). Then use a laptop with network cable on that hub or switch to capture the traffic.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39974515
Capturing Wifi traffic isn't the same as capturing what comes out of the Access Point's wired port.  We want to sniff wireless packets here which are seen by clients over-the-air.

@Mandr1ch - have a look here...

http://superuser.com/questions/150250/capturing-wireless-traffic-using-wireshark

Make sure you're next to (or close to) the AP you're trying to troubleshoot, or the client you're suspecting.
0
 
LVL 35

Expert Comment

by:Kimputer
ID: 39974766
While capturing  the wired port of the access point technically isn't the same as what the original poster wanted, it serves as a backup solution if monitoring isn't sufficient (and sometimes can't even get it to work). Capturing the wired port doesn't capture wifi to wifi, but definitely all outgoing traffic, and also gives you more information (monitoring only sees unidentifiable packets, while capturing the wired port will provide you FULL tcp/udp traffic and whole conversations, as I don't suspect promiscuous mode is available on the current wifi client he's using).
With monitoring you can see packets flying around, and maybe you can calculate some bandwidth, but with real packet capturing, you could see if there's portscanning going on, outgoing SMTP traffic, or strange DNS behaviour.
0
Save on storage to protect fatherhood memories

You're the dad who has everything. This Father's Day, make sure your family memories are protected. My Passport Ultra has automatic backup and password protection to keep your cherished photos and videos safe. With up to 3TB, you have plenty of room to hold the adventures ahead.

 
LVL 45

Expert Comment

by:Craig Beck
ID: 39974861
With respect, Kimputer, the OP says this...
I'll be using Wireshark 1.10 on OS X to troubleshoot what I think is an infected wireless host generating enough traffic to choke a wireless access point.
You can't do that by capturing traffic on the wired port, as you can't guarantee that the suspect traffic will be passed to the wire.

As an example, malformed management frames won't be seen on the wire, yet this could have a catastrophic effect on client connectivity over the air.  This could be seen as choking the AP.
0
 
LVL 35

Expert Comment

by:Kimputer
ID: 39974908
I have yet to see any self respecting malware who DOESN'T want to get on the internet. To get to the internet, you usually have to pass through the wired port of an access point.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39975014
You are correct, but you misunderstand the requirement.  The OP has clearly detailed the desire to sniff wireless packets, while your suggestion is monitoring wired traffic on the assumption that the issue IS malware.

Put simply, you're talking about mirroring traffic on the switch, and that's not what the OP details.  You don't put a WLAN NIC in monitor mode on a wired LAN - that's a physical impossibility.

What I'm suggesting is exactly what the OP asked, and my suggestion that management frames could be malformed as an example is exactly within the requirement based on the OP.  Certain types of wireless (not IP) frames remain within the RF/AP boundary and never exist on the wired network, therefore the only option to determine if there's a WIRELESS problem which is causing the 'choke' is to sniff the wireless packets.
0
 
LVL 21

Expert Comment

by:Jakob Digranes
ID: 39975114
@Craigbeck is right. You need to sniff packages wireless to be able to troubleshoot poor wireless performance, overloaded APs ---
there might be a DoS attack sending deauth frames disconnecting clients, or all other rf frames (associate/authenticate/reauth ++)
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

948 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now