Solved

Wireshark and Capturing WiFi traffic

Posted on 2014-04-02
1,313 Views
Last Modified: 2014-05-10
Hello,

I'll be using Wireshark 1.10 on OS X to troubleshoot what I think is an infected wireless host generating enough traffic to choke a wireless access point. I've put the wireless adapter into "monitor mode" per the Wireshark wiki, but my tests on my home network still don't show activity from other hosts on the same wireless network. I know wireless access points work as a switch to isolate traffic, but I thought there was a way to capture all traffic from all hosts. Is this not possible?

Thanks!
Question by:Mandr1ch
9 Comments
LVL 20

Expert Comment

by:Jakob Digranes
ID: 39973554
This is a limitation of the wireless driver for your network card. You can bypass this by buying some sort of sniffer program, like AirPcap (http://www.riverbed.com/products-solutions/products/network-performance-management/wireshark-enhancement-products/Wireless-Traffic-Packet-Capture.html) - or if possible, you can check if your AP has some possibility to capture traffic for you --- some high-end APs can.

or - if you suspect a bad station: do you have control over all devices? if so - change password or SSID of wireless network. So all devices are disconnected. Reconnect devices one by one, also giving them some time to settle in, and see when AP goes down.

or - it might also be neighbouring APs - download inSSIDer, www.metageek.net and see if any other APs are interfering with your AP (802.11g/n have only 3 non-overlapping channels)
LVL 35

Accepted Solution

by: Kimputer (earned 500 total points)
ID: 39973582
To capture all Wi-Fi traffic, you actually need either an old hub, or a managed switch with port mirroring capabilities, and place that just after the access point (access point - hub or switch - resume old network topology). Then use a laptop with a network cable on that hub or switch to capture the traffic.
LVL 45

Expert Comment

by:Craig Beck
ID: 39974515
Capturing Wi-Fi traffic isn't the same as capturing what comes out of the Access Point's wired port. We want to sniff wireless packets here which are seen by clients over-the-air.

@Mandr1ch - have a look here...

http://superuser.com/questions/150250/capturing-wireless-traffic-using-wireshark

Make sure you're next to (or close to) the AP you're trying to troubleshoot, or the client you're suspecting.
LVL 35

Expert Comment

by:Kimputer
ID: 39974766
While capturing the wired port of the access point technically isn't the same as what the original poster wanted, it serves as a backup solution if monitoring isn't sufficient (and sometimes you can't even get it to work). Capturing the wired port doesn't capture wifi to wifi, but definitely all outgoing traffic, and also gives you more information (monitoring only sees unidentifiable packets, while capturing the wired port will provide you FULL tcp/udp traffic and whole conversations, as I don't suspect promiscuous mode is available on the current wifi client he's using).
With monitoring you can see packets flying around, and maybe you can calculate some bandwidth, but with real packet capturing, you could see if there's port scanning going on, outgoing SMTP traffic, or strange DNS behaviour.
LVL 45

Expert Comment

by:Craig Beck
ID: 39974861
With respect, Kimputer, the OP says this...
"I'll be using Wireshark 1.10 on OS X to troubleshoot what I think is an infected wireless host generating enough traffic to choke a wireless access point."
You can't do that by capturing traffic on the wired port, as you can't guarantee that the suspect traffic will be passed to the wire.

As an example, malformed management frames won't be seen on the wire, yet this could have a catastrophic effect on client connectivity over the air. This could be seen as choking the AP.
LVL 35

Expert Comment

by:Kimputer
ID: 39974908
I have yet to see any self-respecting malware that DOESN'T want to get on the internet. To get to the internet, you usually have to pass through the wired port of an access point.
LVL 45

Expert Comment

by:Craig Beck
ID: 39975014
You are correct, but you misunderstand the requirement. The OP has clearly detailed the desire to sniff wireless packets, while your suggestion is monitoring wired traffic on the assumption that the issue IS malware.

Put simply, you're talking about mirroring traffic on the switch, and that's not what the OP details.  You don't put a WLAN NIC in monitor mode on a wired LAN - that's a physical impossibility.

What I'm suggesting is exactly what the OP asked, and my suggestion that management frames could be malformed as an example is exactly within the requirement based on the OP.  Certain types of wireless (not IP) frames remain within the RF/AP boundary and never exist on the wired network, therefore the only option to determine if there's a WIRELESS problem which is causing the 'choke' is to sniff the wireless packets.
LVL 20

Expert Comment

by:Jakob Digranes
ID: 39975114
@Craigbeck is right. You need to sniff packets wirelessly to be able to troubleshoot poor wireless performance, overloaded APs ---
there might be a DoS attack sending deauth frames disconnecting clients, or all other RF frames (associate/authenticate/reauth ++)
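The last two comments make the point that management frames such as deauthentication never reach the AP's wired port, so only an over-the-air (monitor-mode) capture can show a deauth flood or a station dominating airtime. The following is an added example, not code from the thread or from Wireshark: a small Python 3 parser for a monitor-mode pcap with the radiotap link type (127), which strips the radiotap header, decodes the 802.11 frame-control field and tallies frames per transmitter. The capture it reads is constructed inline (made-up MAC addresses, spoofed deauths carrying the AP's address, and encrypted data frames whose payload would be opaque without the PSK); the function and threshold names are this example's own.

```python
"""Added example: tally an 802.11 monitor-mode capture per transmitter.
The pcap is constructed below; addresses are made up for the demonstration."""
import struct
from collections import defaultdict

LINKTYPE_IEEE802_11_RADIOTAP = 127
TYPE_MGMT, TYPE_CTRL, TYPE_DATA = 0, 1, 2
SUBTYPE_NAMES = {(TYPE_MGMT, 8): "beacon", (TYPE_MGMT, 10): "disassoc",
                 (TYPE_MGMT, 11): "auth", (TYPE_MGMT, 12): "deauth",
                 (TYPE_DATA, 0): "data", (TYPE_DATA, 8): "qos-data"}
FLAG_PROTECTED = 0x40  # "Protected Frame" bit in the frame-control flags byte


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def fmt(b):
    return ":".join("%02x" % x for x in b)


def build_frame(ftype, subtype, addr1, addr2, addr3, body=b"", flags=0):
    """Constructed test data: minimal 8-byte radiotap header + 802.11 MAC header."""
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)  # version, pad, length, present
    fc0 = (subtype << 4) | (ftype << 2)           # protocol version 0
    hdr = struct.pack("<BBH", fc0, flags, 0) + mac(addr1) + mac(addr2) + mac(addr3)
    return radiotap + hdr + struct.pack("<H", 0) + body   # + sequence control


def build_pcap(frames):
    """Constructed test data: wrap frames in a classic little-endian pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535,
                      LINKTYPE_IEEE802_11_RADIOTAP)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out


def iter_packets(pcap):
    """Yield raw packet bytes from a classic pcap; refuses non-radiotap captures."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    linktype, = struct.unpack_from("<I", pcap, 20)
    if linktype != LINKTYPE_IEEE802_11_RADIOTAP:
        raise ValueError("expected link type 127 (radiotap), got %d" % linktype)
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl]
        off += incl


def decode(frame):
    """Skip the radiotap header by its own length field, decode the MAC header."""
    rt_len, = struct.unpack_from("<H", frame, 2)
    dot11 = frame[rt_len:]
    if len(dot11) < 10:
        return None
    fc0, flags = dot11[0], dot11[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    # addr2 (transmitter) is absent from short control frames such as ACK/CTS
    addr2 = dot11[10:16] if ftype != TYPE_CTRL and len(dot11) >= 16 else b""
    return {"type": ftype, "subtype": subtype,
            "name": SUBTYPE_NAMES.get((ftype, subtype), "type%d/sub%d" % (ftype, subtype)),
            "protected": bool(flags & FLAG_PROTECTED),
            "dst": fmt(dot11[4:10]), "src": fmt(addr2), "length": len(dot11)}


def summarize(pcap):
    """Per-transmitter frame counts by subtype, bytes on air, and how many data
    frames were protected (encrypted), i.e. unreadable without the network key."""
    stats = defaultdict(lambda: {"frames": defaultdict(int), "bytes": 0,
                                 "data_protected": 0, "data_clear": 0})
    for raw in iter_packets(pcap):
        f = decode(raw)
        if f is None or not f["src"]:
            continue
        s = stats[f["src"]]
        s["frames"][f["name"]] += 1
        s["bytes"] += f["length"]
        if f["type"] == TYPE_DATA:
            s["data_protected" if f["protected"] else "data_clear"] += 1
    return stats


def deauth_sources(stats, threshold=10):
    """Addresses claiming to send more than `threshold` deauth/disassoc frames.
    The address is unauthenticated and usually spoofed (here: the AP's own)."""
    return sorted(src for src, s in stats.items()
                  if s["frames"]["deauth"] + s["frames"]["disassoc"] > threshold)


def top_talkers(stats, n=3):
    return sorted(stats, key=lambda k: stats[k]["bytes"], reverse=True)[:n]


AP, VICTIM, BCAST = "02:00:00:00:aa:01", "02:00:00:00:bb:02", "ff:ff:ff:ff:ff:ff"


def sample_capture():
    """Constructed capture: 5 beacons, 50 spoofed deauths (reason 7), 20 encrypted QoS data frames."""
    frames = [build_frame(TYPE_MGMT, 8, BCAST, AP, AP, b"\x00" * 12)] * 5
    frames += [build_frame(TYPE_MGMT, 12, VICTIM, AP, AP, struct.pack("<H", 7))] * 50
    frames += [build_frame(TYPE_DATA, 8, AP, VICTIM, AP, b"\x00" * 200,
                           flags=0x01 | FLAG_PROTECTED)] * 20
    return build_pcap(frames)


if __name__ == "__main__":
    st = summarize(sample_capture())
    print("deauth flood claimed from:", deauth_sources(st))
    print("top talkers:", top_talkers(st))
```

A real capture from OS X can be fed to `summarize()` by reading the file written by `tcpdump -I -i en0 -w capture.pcap` (the `-I` flag puts the adapter in monitor mode and libpcap records radiotap headers). The same deauth frames can be isolated in Wireshark with the display filter `wlan.fc.type_subtype == 0x0c`. Note what the tally cannot tell you: the transmitter address on a deauth is unauthenticated, so the flood appears to come from the AP itself, and the data frames from the suspect station are counted but their contents stay encrypted unless the PSK is supplied, which is Kimputer's point about the wired capture giving full conversations.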