Wireshark and Capturing WiFi traffic

Hello,

I'll be using Wireshark 1.10 on OS X to troubleshoot what I think is an infected wireless host generating enough traffic to choke a wireless access point. I've put the wireless adapter into "monitor mode" per the Wireshark wiki, but my tests on my home network still don't show activity from other hosts on the same wireless network. I know wireless access points work as a switch to isolate traffic, but I thought there was a way to capture all traffic from all hosts. Is this not possible?

Thanks!
Asked by: Mandr1ch
Kimputer commented:
To capture all Wi-Fi traffic, you actually need either an old hub or a managed switch with port-mirroring capabilities, and place it just after the access point (access point - hub or switch - rest of the old network topology). Then use a laptop with a network cable on that hub or switch to capture the traffic.
 
Jakob Digranes (Senior Consultant) commented:
This is a limitation of the wireless driver for your network card. You can bypass this by buying some sort of sniffer product, like AirPcap (http://www.riverbed.com/products-solutions/products/network-performance-management/wireshark-enhancement-products/Wireless-Traffic-Packet-Capture.html), or, if possible, you can check whether your AP has some ability to capture traffic for you; some high-end APs can.

Or, if you suspect a bad station: do you have control over all devices? If so, change the password or SSID of the wireless network so that all devices are disconnected. Reconnect the devices one by one, giving each some time to settle in, and see when the AP goes down.

Or it might also be neighbouring APs: download inSSIDer (www.metageek.net) and see if any other APs are interfering with your AP (802.11g/n have only 3 non-overlapping channels).
 
Craig Beck commented:
Capturing Wi-Fi traffic isn't the same as capturing what comes out of the access point's wired port. We want to sniff wireless packets here, which are seen by clients over the air.

@Mandr1ch - have a look here:

http://superuser.com/questions/150250/capturing-wireless-traffic-using-wireshark

Make sure you're next to (or close to) the AP you're trying to troubleshoot, or the client you're suspecting.
 
Kimputer commented:
While capturing the wired port of the access point technically isn't the same as what the original poster wanted, it serves as a backup solution if monitoring isn't sufficient (and sometimes you can't even get it to work). Capturing the wired port doesn't capture Wi-Fi-to-Wi-Fi traffic, but it definitely captures all outgoing traffic, and it also gives you more information (monitoring only sees unidentifiable packets, while capturing the wired port will give you FULL TCP/UDP traffic and whole conversations, as I don't suspect promiscuous mode is available on the current Wi-Fi client he's using).
With monitoring you can see packets flying around, and maybe you can calculate some bandwidth, but with real packet capturing you could see if there's port scanning going on, outgoing SMTP traffic, or strange DNS behaviour.
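The three wired-side symptoms named in the comment above (port scanning, unexpected outbound SMTP, odd DNS) are the kind of thing a full TCP/UDP capture lets you check mechanically. The following is an added example, not code from the thread or from Wireshark: it runs simple triage rules over constructed flow records of the shape one could export from a wired capture (for instance with `tshark -T fields`). The IP addresses, hostnames, thresholds and the "192.168.1.10 is the mail relay" assumption are all made up for the illustration.

```python
from collections import defaultdict

# Constructed flow records standing in for a wired-side capture:
# (seconds, src_ip, dst_ip, proto, dst_port, dns_query_name_or_None).
SCANNED_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]
RANDOM_NAMES = [f"{h}.example.net" for h in
                ("q8x1z", "m3kf9", "p0w2v", "t7ju4", "c5nb2", "r9ya6", "l2ds8", "k4hv3")]

FLOWS = (
    # a benign host: one HTTPS session and one ordinary DNS lookup
    [(0.0, "192.168.1.20", "93.184.216.34", "tcp", 443, None),
     (0.5, "192.168.1.20", "192.168.1.1", "udp", 53, "www.example.com")]
    # a suspect host: vertical scan of one internal target ...
    + [(1.0 + i * 0.1, "192.168.1.37", "10.0.0.5", "tcp", p, None)
       for i, p in enumerate(SCANNED_PORTS)]
    # ... direct SMTP to an outside address, bypassing the local relay ...
    + [(5.0, "192.168.1.37", "198.51.100.9", "tcp", 25, None)]
    # ... and a stream of lookups for random-looking subdomains
    + [(6.0 + i, "192.168.1.37", "192.168.1.1", "udp", 53, q)
       for i, q in enumerate(RANDOM_NAMES)]
)


def port_scanners(flows, min_ports=10):
    """Flag (src, dst) pairs where one source touched many distinct TCP ports
    on one destination; returns {(src, dst): distinct_port_count}."""
    ports = defaultdict(set)
    for _, src, dst, proto, dport, _ in flows:
        if proto == "tcp":
            ports[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def rogue_smtp(flows, mail_relays=frozenset({"192.168.1.10"})):
    """Hosts other than the known relays (assumed address) that speak SMTP/submission."""
    return {src for _, src, _, proto, dport, _ in flows
            if proto == "tcp" and dport in (25, 465, 587) and src not in mail_relays}


def dns_suspects(flows, min_unique=8):
    """Hosts resolving an unusually large number of distinct names; returns
    {src: unique_name_count}. Crude, but it surfaces DGA-style behaviour."""
    names = defaultdict(set)
    for _, src, _, proto, dport, qname in flows:
        if proto == "udp" and dport == 53 and qname:
            names[src].add(qname)
    return {src: len(n) for src, n in names.items() if len(n) >= min_unique}


def triage(flows):
    """Combine the three checks and list every source that tripped any of them."""
    scans = port_scanners(flows)
    smtp = rogue_smtp(flows)
    dns = dns_suspects(flows)
    suspects = sorted({src for src, _ in scans} | smtp | set(dns))
    return {"port_scans": scans, "rogue_smtp": sorted(smtp), "dns": dns, "suspects": suspects}


if __name__ == "__main__":
    for key, value in triage(FLOWS).items():
        print(f"{key}: {value}")
```

The thresholds are deliberately conservative; on a real capture you would tune `min_ports` and `min_unique` against a baseline of the network's normal behaviour rather than use these constants.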
 
Craig Beck commented:
With respect, Kimputer, the OP says this:
"I'll be using Wireshark 1.10 on OS X to troubleshoot what I think is an infected wireless host generating enough traffic to choke a wireless access point."
You can't do that by capturing traffic on the wired port, as you can't guarantee that the suspect traffic will be passed to the wire.

As an example, malformed management frames won't be seen on the wire, yet they could have a catastrophic effect on client connectivity over the air. This could be seen as choking the AP.
 
Kimputer commented:
I have yet to see any self-respecting malware that DOESN'T want to get on the internet. To get to the internet, you usually have to pass through the wired port of an access point.
 
Craig Beck commented:
You are correct, but you misunderstand the requirement. The OP has clearly detailed the desire to sniff wireless packets, while your suggestion is monitoring wired traffic on the assumption that the issue IS malware.

Put simply, you're talking about mirroring traffic on the switch, and that's not what the OP details.  You don't put a WLAN NIC in monitor mode on a wired LAN - that's a physical impossibility.

What I'm suggesting is exactly what the OP asked, and my suggestion that management frames could be malformed as an example is exactly within the requirement based on the OP.  Certain types of wireless (not IP) frames remain within the RF/AP boundary and never exist on the wired network, therefore the only option to determine if there's a WIRELESS problem which is causing the 'choke' is to sniff the wireless packets.
 
Jakob Digranes (Senior Consultant) commented:
@Craigbeck is right. You need to sniff packets wirelessly to be able to troubleshoot poor wireless performance and overloaded APs:
there might be a DoS attack sending deauth frames that disconnect clients, or any of the other RF frames (associate/authenticate/reauth etc.).
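The deauth flood mentioned above is the textbook case of a problem that only a monitor-mode capture can show, since 802.11 management frames never leave the RF domain. The following is an added example, not code from the thread or from Wireshark: it parses the 802.11 MAC header of frames as a monitor-mode capture delivers them (radiotap-prefixed, pcap link type 127, which is what Wireshark's "monitor mode" option and `tcpdump -I -i en0` on OS X produce) and counts deauth/disassoc frames per transmitter. The sample frames, MAC addresses and the threshold of three are constructed for the illustration; no real capture is read.

```python
import struct
from collections import Counter

# Management subtypes of interest; all of these stay within the RF domain.
MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
                 8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}


def strip_radiotap(frame):
    """Monitor-mode captures prefix each frame with a radiotap header whose total
    length is the little-endian uint16 at offset 2; return the bare 802.11 frame."""
    if len(frame) < 4:
        raise ValueError("truncated radiotap header")
    rt_len = struct.unpack_from("<H", frame, 2)[0]
    if rt_len > len(frame):
        raise ValueError("radiotap length exceeds frame length")
    return frame[rt_len:]


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_mgmt(dot11):
    """Parse an 802.11 MAC header. Returns (subtype, src, dst, bssid, reason) for a
    management frame (reason is only set for deauth/disassoc), None for data/control."""
    if len(dot11) < 24:
        return None
    fc0 = dot11[0]
    ftype = (fc0 >> 2) & 0x3          # 0 = management, 1 = control, 2 = data
    subtype = (fc0 >> 4) & 0xF
    if ftype != 0:
        return None
    da, sa, bssid = dot11[4:10], dot11[10:16], dot11[16:22]
    reason = None
    if subtype in (10, 12) and len(dot11) >= 26:
        reason = struct.unpack_from("<H", dot11, 24)[0]   # reason code follows the header
    return (MGMT_SUBTYPES.get(subtype, f"mgmt-{subtype}"), mac(sa), mac(da), mac(bssid), reason)


def build_mgmt(subtype, sa, da, bssid, body=b"", seq=0):
    """Build a bare management frame for the constructed sample (FCS omitted)."""
    fc = bytes([subtype << 4, 0x00])                  # type 0, flags 0
    return fc + b"\x00\x00" + da + sa + bssid + struct.pack("<H", seq << 4) + body


# Minimal radiotap header: version 0, pad 0, length 8, no present fields.
RADIOTAP = struct.pack("<BBHI", 0, 0, 8, 0)

AP = bytes.fromhex("001122334455")        # constructed addresses
CLIENT = bytes.fromhex("aabbccddeeff")
BCAST = b"\xff" * 6

# Constructed capture: three beacons; a burst of five deauths that spoof the AP's
# address with reason 7 (class-3 frame from non-associated STA, the value forged
# deauth tools usually send); one genuine deauth from the client with reason 3.
SAMPLE_CAPTURE = (
    [RADIOTAP + build_mgmt(8, AP, BCAST, AP, seq=i) for i in range(3)]
    + [RADIOTAP + build_mgmt(12, AP, CLIENT, AP, struct.pack("<H", 7), seq=100 + i)
       for i in range(5)]
    + [RADIOTAP + build_mgmt(12, CLIENT, AP, AP, struct.pack("<H", 3), seq=42)]
)


def deauth_sources(frames, threshold=3):
    """Count deauth/disassoc frames per transmitter address and return the
    transmitters at or above threshold, most prolific first."""
    counts = Counter()
    for raw in frames:
        parsed = parse_mgmt(strip_radiotap(raw))
        if parsed and parsed[0] in ("deauth", "disassoc"):
            counts[parsed[1]] += 1
    return [(src, n) for src, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for src, n in deauth_sources(SAMPLE_CAPTURE):
        print(f"{src} sent {n} deauth/disassoc frames")
```

Because a flood typically spoofs the AP's own address, the transmitter that shows up is the AP itself; the tell is the rate and the reason code, not the address. In Wireshark the same frames match the display filter `wlan.fc.type_subtype == 0x0c`, and none of them would ever appear in a capture taken on the AP's wired port.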