Ok. I installed wireshark on my desktop unit. All good. I enter the WEP key into wireshark for decryption. I click on start. It shows packets - cool. Using internet explorer, I go to yahoo.com. Wireshark shows I went to yahoo.com. Pretty neat. Ok, I get on my laptop which connects to the wireless router (which, of course, is connected to the desktop). I go to yahoo.com. It doesn't show up in wireshark. I search for "yahoo" in the packets but nothing there. Shows up easily when I do the same thing on the desktop. So what gives? It is "wire" shark - shouldn't it show all the packets going through the wireless router? Sepcs: desktop is windows xp sp3. Wireless router is Verizon FIOS Actiontec modem/router. Laptop is windows 7 32 bit. Internet explorer is browser for both. Thanks. Larry
asked 12 Aug '12, 22:44
("Wire" in Wireshark is somewhat historical, given that it handles various wireless protocols and given that the capture mechanisms used by libpcap support Wi-Fi - WinPcap, not so much, as it doesn't support NDIS 6 and thus doesn't support Native Wi-Fi monitor mode.)
The data sheets I could find on Actiontec's Web site for fiber modems whose descriptions include FIOS are:
They appear to support two types of WAN connection - Ethernet and MoCA. If you connect to FIOS via MoCA (the coax port), there might not be a way to plug Wireshark into the wireless router to see all traffic going to or from the Internet through the router; if you connect to FIOS via the Ethernet port, you might be able to interpose a hub (not a switch that's called a hub, but a real hub) or a network tap to capture traffic going over that Ethernet link. I didn't find anything in the documentation on the Actiontec site to indicate that they support "port mirroring" (under whatever name), so that doesn't appear to be an option.
If you want to capture all the traffic on your wireless network, rather than on the wired connection from the wireless router to the Ethernet, you will need to capture on a wireless interface in monitor mode or perhaps promiscuous mode. Unfortunately, WinPcap, as indicated in the parenthetical note at the beginning of my answer, does not support monitor mode, and Wi-Fi drivers on Windows rarely, if ever, support promiscuous mode (in fact, NDIS 6 Native Wi-Fi drivers aren't supposed to support promiscuous mode except in monitor or access point mode!), so, on Windows, you won't be able to do that with applications such as Wireshark that use WinPcap. (You could do it on Linux or *BSD or OS X.)
It works when you're running Wireshark on the machine whose traffic you're trying to capture; it doesn't work if you're running Wireshark on another machine. That's why it captures traffic going to and from your desktop (as that's where you're running Wireshark), but doesn't capture traffic going to and from your laptop if you're running it on your desktop. You'd have to run Wireshark on your laptop in order to capture traffic going to or from your laptop. (NDIS 6, and thus Native Wi-Fi monitor mode, isn't supported on Windows XP, so even if WinPcap did support that, it wouldn't help on your desktop. It also wouldn't, of course, work if your desktop doesn't support Wi-Fi and is connected to your router via Ethernet.)
If both PC and laptop are connecting to the router over WLAN and you have a capture device that can capture all Wireless frames you should see all the traffic.
I guess in your case either one system is connected to the router via cable, which would lead to only the router getting the packets (and not forwarding it to any other client), and so you can't capture what others do. Or you DO have both systems using WLAN but you don't have a Airpcap capture card that would allow you to see all frames when running Wireshark on Windows. Without an Airpcap adapter you're pretty limited in what you can capture on Windows, which means mostly your own packets. Even the 802.11 radio layer will be missing.
You can either buy an Airpcap adapter, or try using Linux, which would allow you to run the adapter in monitor mode (which isn't possible on Windows, except with Airpcap adapters).
answered 13 Aug '12, 01:35