Solved

Wireshark and Capturing WiFi traffic

Posted on 2014-04-02
9
1,520 Views
Last Modified: 2014-05-10
Hello,

I'll be using Wireshark 1.10 on OS X to troubleshoot what I think is an infected wireless host generating enough traffic to choke a wireless access point. I've put the wireless adapter into "monitor mode" per the Wireshark wiki, but my tests on my home network still don't show activity from other hosts on the same wireless network. I know wireless access points work as a switch to isolate traffic, but I thought there was a way to capture all traffic from all hosts. Is this not possible?

Thanks!
0
Question by:Mandr1ch
9 Comments
 
LVL 22

Expert Comment

by:Jakob Digranes
ID: 39973554
This is a limitation of the wireless driver for your network card. You can bypass this by buying some sort of Sniffer program, like Air Pcap (http://www.riverbed.com/products-solutions/products/network-performance-management/wireshark-enhancement-products/Wireless-Traffic-Packet-Capture.html) - or if possible, you can check if your AP has some possibility to capture traffic for you --- some high-end APs can.

or - if you suspect a bad station: do you have control over all devices? If so - change the password or SSID of the wireless network, so all devices are disconnected. Reconnect devices one by one, also giving them some time to settle in, and see when the AP goes down.

or - it might also be neighbouring APs - download inSSIDer, www.metageek.net, and see if any other APs are interfering with your AP (802.11g/n have only 3 non-overlapping channels)
0
 
LVL 36

Accepted Solution

by:
Kimputer earned 500 total points
ID: 39973582
To capture all Wi-Fi traffic, you actually need either an old hub or a managed switch with port mirroring capabilities, and place that just after the access point (access point - hub or switch - resume old network topology). Then use a laptop with a network cable on that hub or switch to capture the traffic.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39974515
Capturing Wifi traffic isn't the same as capturing what comes out of the Access Point's wired port. We want to sniff wireless packets here which are seen by clients over the air.

@Mandr1ch - have a look here...

http://superuser.com/questions/150250/capturing-wireless-traffic-using-wireshark

Make sure you're next to (or close to) the AP you're trying to troubleshoot, or the client you're suspecting.
0
 
LVL 36

Expert Comment

by:Kimputer
ID: 39974766
While capturing the wired port of the access point technically isn't the same as what the original poster wanted, it serves as a backup solution if monitoring isn't sufficient (and sometimes you can't even get it to work). Capturing the wired port doesn't capture wifi-to-wifi, but definitely all outgoing traffic, and also gives you more information (monitoring only sees unidentifiable packets, while capturing the wired port will provide you with FULL tcp/udp traffic and whole conversations, as I don't suspect promiscuous mode is available on the current wifi client he's using).
With monitoring you can see packets flying around, and maybe you can calculate some bandwidth, but with real packet capturing, you could see if there's portscanning going on, outgoing SMTP traffic, or strange DNS behaviour.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39974861
With respect, Kimputer, the OP says this...
I'll be using Wireshark 1.10 on OS X to troubleshoot what I think is an infected wireless host generating enough traffic to choke a wireless access point.
You can't do that by capturing traffic on the wired port, as you can't guarantee that the suspect traffic will be passed to the wire.

As an example, malformed management frames won't be seen on the wire, yet this could have a catastrophic effect on client connectivity over the air.  This could be seen as choking the AP.
0
 
LVL 36

Expert Comment

by:Kimputer
ID: 39974908
I have yet to see any self-respecting malware that DOESN'T want to get on the internet. To get to the internet, you usually have to pass through the wired port of an access point.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39975014
You are correct, but you misunderstand the requirement.  The OP has clearly detailed the desire to sniff wireless packets, while your suggestion is monitoring wired traffic on the assumption that the issue IS malware.

Put simply, you're talking about mirroring traffic on the switch, and that's not what the OP details.  You don't put a WLAN NIC in monitor mode on a wired LAN - that's a physical impossibility.

What I'm suggesting is exactly what the OP asked, and my suggestion that management frames could be malformed as an example is exactly within the requirement based on the OP.  Certain types of wireless (not IP) frames remain within the RF/AP boundary and never exist on the wired network, therefore the only option to determine if there's a WIRELESS problem which is causing the 'choke' is to sniff the wireless packets.
0
 
LVL 22

Expert Comment

by:Jakob Digranes
ID: 39975114
@Craigbeck is right. You need to sniff packets wirelessly to be able to troubleshoot poor wireless performance and overloaded APs --- there might be a DoS attack sending deauth frames disconnecting clients, or all other rf frames (associate/authenticate/reauth ++)
0
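The point made in the last few comments (management frames such as deauthentication never reach the AP's wired port, so only a monitor-mode capture can show them) can be checked directly on a capture. The following is an added example, not code from any poster: it strips the radiotap header that monitor-mode captures carry, decodes the 802.11 frame control and transmitter address, and counts deauth frames per transmitter so a flood like the one Jakob describes stands out. The `build_frame` helper, the MAC addresses and the threshold are constructed for the demo; real frames would be read from a pcap written by Wireshark or tcpdump.

```python
import struct
from collections import Counter

# 802.11 frame types and the management subtypes relevant to AP-side troubleshooting.
TYPE_NAMES = {0: "mgmt", 1: "ctrl", 2: "data"}
MGMT_SUBTYPES = {0x0: "assoc-req", 0x8: "beacon", 0xA: "disassoc", 0xB: "auth", 0xC: "deauth"}

def parse_frame(pkt):
    """Decode one monitor-mode frame: radiotap header followed by an 802.11 MAC header."""
    if len(pkt) < 8 or pkt[0] != 0:            # radiotap version byte is always 0
        raise ValueError("not a radiotap frame")
    rt_len = struct.unpack_from("<H", pkt, 2)[0]  # radiotap length is little-endian
    dot11 = pkt[rt_len:]
    if len(dot11) < 24:                          # FC, duration, addr1-3, seq ctl
        raise ValueError("802.11 header truncated")
    fc0 = dot11[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    tx = ":".join(f"{b:02x}" for b in dot11[10:16])   # addr2 = transmitter
    reason = None
    if ftype == 0 and subtype in (0xA, 0xC) and len(dot11) >= 26:
        reason = struct.unpack_from("<H", dot11, 24)[0]  # deauth/disassoc reason code
    name = MGMT_SUBTYPES.get(subtype, hex(subtype)) if ftype == 0 else hex(subtype)
    return {"type": TYPE_NAMES.get(ftype, "reserved"), "subtype": name, "tx": tx, "reason": reason}

def deauth_counts(frames):
    """Number of deauthentication frames seen per transmitter address."""
    parsed = (parse_frame(f) for f in frames)
    return Counter(p["tx"] for p in parsed if p["type"] == "mgmt" and p["subtype"] == "deauth")

def flag_deauth_sources(frames, threshold=3):
    """Transmitters sending more than `threshold` deauths (threshold is a constructed value)."""
    return sorted(tx for tx, n in deauth_counts(frames).items() if n > threshold)

def build_frame(fc0, addr1, addr2, addr3, body=b""):
    """Constructed helper: minimal 8-byte radiotap header plus a 24-byte 802.11 header."""
    radiotap = bytes([0, 0, 8, 0, 0, 0, 0, 0])
    hdr = bytes([fc0, 0]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00"
    return radiotap + hdr + body

# Constructed sample capture: one beacon, one data frame, five broadcast deauths from one sender.
AP = bytes.fromhex("02aabbccdd01")       # locally administered, not a real BSSID
CLIENT = bytes.fromhex("02aabbccdd02")
ROGUE = bytes.fromhex("02aabbccdd99")
BCAST = b"\xff" * 6
SAMPLE = ([build_frame(0x80, BCAST, AP, AP), build_frame(0x08, AP, CLIENT, AP, b"data")]
          + [build_frame(0xC0, BCAST, ROGUE, AP, struct.pack("<H", 7)) for _ in range(5)])

if __name__ == "__main__":
    print("deauth flood sources:", flag_deauth_sources(SAMPLE))
```

None of the five deauth frames would appear in a capture taken from the AP's wired port, which is why the wired-mirror approach cannot answer the OP's question.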
