Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Wireshark and Capturing WiFi traffic

Posted on 2014-04-02
9
Medium Priority
?
1,534 Views
Last Modified: 2014-05-10
Hello,

I'll be using Wireshark 1.10 on OS X to troubleshoot what I think is an infected wireless host generating enough traffic to choke a wireless access point. I've put the wireless adapter into "monitor mode" per the Wireshark wiki, but my tests on my home network still don't show activity from other hosts on the same wireless network. I know wireless access points work as a switch to isolate traffic, but I thought there was a way to capture all traffic from all hosts. Is this not possible?

Thanks!
0
Comment
Question by:Mandr1ch
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
9 Comments
 
LVL 22

Expert Comment

by:Jakob Digranes
ID: 39973554
This is a limitation of the wireless driver for your network card. You can bypass this by buying some sort of Sniffer program, like Air Pcap 8http://www.riverbed.com/products-solutions/products/network-performance-management/wireshark-enhancement-products/Wireless-Traffic-Packet-Capture.html) - or if possible, you can check if your AP have som possibility to capture traffic for you --- some high-end APs can.

or - if you suspect a bad station: do you have control over all devices? if so - change password or SSID of wireless network. So all devices are disconnected. Reconnect devices one by one, also giving them some time to settle in, and see when AP goes down.

or - it might also be neighbouring APs - download inSSIDer, www.metageek.net and see if any other APs are interfering with you AP (802.11g/n have only 3 non-overlapping channels)
0
 
LVL 36

Accepted Solution

by:
Kimputer earned 2000 total points
ID: 39973582
To capture all Wi-Fi traffic, you actually need either, an old hub, or a managed switch with port mirroring capabilities, and place that just after the access point (access point - hub or switch - resume old network topology). Then use a laptop with network cable on that hub or switch to capture the traffic.
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39974515
Capturing Wifi traffic isn't the same as capturing what comes out of the Access Point's wired port.  We want to sniff wireless packets here which are seen by clients over-the-air.

@Mandr1ch - have a look here...

http://superuser.com/questions/150250/capturing-wireless-traffic-using-wireshark

Make sure you're next to (or close to) the AP you're trying to troubleshoot, or the client you're suspecting.
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 36

Expert Comment

by:Kimputer
ID: 39974766
While capturing  the wired port of the access point technically isn't the same as what the original poster wanted, it serves as a backup solution if monitoring isn't sufficient (and sometimes can't even get it to work). Capturing the wired port doesn't capture wifi to wifi, but definitely all outgoing traffic, and also gives you more information (monitoring only sees unidentifiable packets, while capturing the wired port will provide you FULL tcp/udp traffic and whole conversations, as I don't suspect promiscuous mode is available on the current wifi client he's using).
With monitoring you can see packets flying around, and maybe you can calculate some bandwidth, but with real packet capturing, you could see if there's portscanning going on, outgoing SMTP traffic, or strange DNS behaviour.
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39974861
With respect, Kimputer, the OP says this...
I'll be using Wireshark 1.10 on OS X to troubleshoot what I think is an infected wireless host generating enough traffic to choke a wireless access point.
You can't do that by capturing traffic on the wired port, as you can't guarantee that the suspect traffic will be passed to the wire.

As an example, malformed management frames won't be seen on the wire, yet this could have a catastrophic effect on client connectivity over the air.  This could be seen as choking the AP.
0
 
LVL 36

Expert Comment

by:Kimputer
ID: 39974908
I have yet to see any self respecting malware who DOESN'T want to get on the internet. To get to the internet, you usually have to pass through the wired port of an access point.
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39975014
You are correct, but you misunderstand the requirement.  The OP has clearly detailed the desire to sniff wireless packets, while your suggestion is monitoring wired traffic on the assumption that the issue IS malware.

Put simply, you're talking about mirroring traffic on the switch, and that's not what the OP details.  You don't put a WLAN NIC in monitor mode on a wired LAN - that's a physical impossibility.

What I'm suggesting is exactly what the OP asked, and my suggestion that management frames could be malformed as an example is exactly within the requirement based on the OP.  Certain types of wireless (not IP) frames remain within the RF/AP boundary and never exist on the wired network, therefore the only option to determine if there's a WIRELESS problem which is causing the 'choke' is to sniff the wireless packets.
0
 
LVL 22

Expert Comment

by:Jakob Digranes
ID: 39975114
@Craigbeck is right. You need to sniff packages wireless to be able to troubleshoot poor wireless performance, overloaded APs ---
there might be a DoS attack sending deauth frames disconnecting clients, or all other rf frames (associate/authenticate/reauth ++)
0

Featured Post

Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The Summer 2017 Scholarship Winners have been announced!
How does someone stay on the right and legal side of the hacking world?
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question