This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capturing packets on wifi devices

0

I have a Cisco router with a port mirroring function. I set it up so my wifi traffic is being mirrored to a port to which my computer is connected with Wireshark running. This used to work for me back in the day, but I don't know why it's not working anymore. Is there some sort of IP address conflict that I may be running into? Or some sort of setting that I am not aware of? I'm trying to get traces off of an iPad connected to wifi, however I'm getting 0 packets even though I am 100% sure it's set up correctly.

asked 20 Sep '12, 14:42

jake11241


3 Answers:

0

First, welcome to Wireshark.

Wireshark places the interface in promiscuous mode to sniff, which means it will receive every frame on the channel. If you're seeing nothing then it hasn't even come close to IP yet and there are more fundamental issues to resolve.

Check your hardware isn't broken (check the cables and switch), recheck your set up of the mirror. If these two check out OK then you'll need to give us a lot more detail.

If you're using Windows for this then I'd suggest trying Linux or Unix, as their network stacks are very well understood and highly documented; this would also rule out OS interaction.

It may be all round easier for you to just sniff the airwaves.

Passive WiFi sniffing is a bit of a dead donkey when it comes to debugging network issues as there's no way to account for the specific environment at the receiving antenna of interest, but is nonetheless very educational.

This would be the same for using a "mirrored" port; you would of course know if the iPad was responding correctly, but not if it was receiving correctly.

So I guess it all depends on what you want to do with Wireshark: just poke around to see what's happening, check out an unreliable communication channel or look at the specifics of a protocol implementation?

So long as it's not checking out an unreliable connection then you can get a laptop, connect to the WiFi and inhale every packet in the room.

Cheers, Craig.

answered 20 Sep '12, 16:03

CTNOBLE

CTNOBLE, can I contact you through email and possibly further investigate this possibly remotely?

(20 Sep '12, 17:53) jake11241
1

Sure, ipsen200<at>hotmail<dot>com. It is likely I won't be able to respond to your e-mail immediately though.

I understand the need for secrecy when it comes to network security, but I would like to encourage you to share as much as possible on the forum so that any other users who encounter a similar problem to your own can benefit.

(20 Sep '12, 18:55) CTNOBLE

@jake11241, I converted your answer to a comment, that's the way this site works best, please review the FAQ.

And I agree with @CTNOBLE, please keep the conversation on ask.wireshark.org as much as possible for others to learn as you might learn from other questions AND answers :-)

(20 Sep '12, 23:24) SYN-bit ♦♦

Quite new to the site, thank you. I'm running Windows 7, Wireshark version 1.6.10. I'm using a Cisco router RV110W with port mirroring function. This used to work flawlessly a couple months ago, and all of a sudden it's not working. Originally I thought it was a problem with the router itself because Ports 1 and 2 were not working. I talked to Cisco and got it replaced, but the same problem persists :/

(21 Sep '12, 07:34) jake11241

0

I'm going to refer you to the Cisco Admin manual: http://www.cisco.com/en/US/docs/routers/csbr/rv110w/administration/guide/rv110w_admin.pdf

page 124.

"The LAN host (PC) should use a static IP address to avoid any issues with port mirroring"

Are you using a static IP on your PC?

answered 21 Sep '12, 16:39

CTNOBLE

Yes I'm using a Static IP for both the wifi device and my PC.

Here's a picture of what I'm seeing when trying to gather captures off my wifi device.

(24 Sep '12, 15:46) jake11241

I was not allowed to post a picture on a comment, so please refer to my answer below for a response to this comment :)

(24 Sep '12, 15:47) jake11241

Well, the host is sending out MDNS packets, looking for sv-ipad-2, so, can I assume that these packets are coming from your PC?

Are there other devices on your wireless network? If so then can you try to get a capture from them?

(25 Sep '12, 02:15) CTNOBLE

0

"I'm trying to get traces off of an iPad connected to wifi, however I'm getting 0 packets even though I am 100% sure it's set up correctly."

Are you really sure? I don't see an option to mirror the Wifi traffic.

https://www.cisco.com/web/sbtg/gui_mockups/RV110W/default.asp.htm
Administration -> Diagnostics -> Port Mirroring

Regards
Kurt

answered 24 Sep '12, 15:58

Kurt Knochner ♦

Yes, because this worked flawlessly a couple months ago. So I know it does work.

(24 Sep '12, 16:03) jake11241