Revision history

initial version

I will let an advice columnist advise you on the wisdom of this plan. I take no responsibility for any consequences of this prank. :-)

On the technical level:

First of all, if you want to capture other machines' traffic on a Wi-Fi network, you would need to capture in monitor mode.

Your youngest son's machine should be able to do that. See the section of the Wireshark Wiki that discusses capturing in monitor mode on Linux. I'm guessing that Kali Linux includes airmon-ng, so look at the part of the instructions that mentions airmon-ng.

Your machine may be able to do it - but only if you're capturing on the Mac itself. The virtual machine's network interface is a pretend Ethernet interface, which could run in promiscuous mode, but 1) not monitor mode, as it's not a pretend Wi-Fi network adapter and 2) promiscuous mode will capture only on the "network" it's on, which is a virtual network passing traffic between the host and the guest, so, at most, it might be able to capture traffic between virtual machines running at the same time or between other virtual machines and the host.

With older Macs, the monitor mode checkbox should Just Work. With newer Macs, Apple decided to make life difficult, for some unknown reason, so, currently, the only way to capture in monitor mode is to:

  1. Open Wireless Diagnostics by Option+clicking the Wi-Fi element in the menu bar and selecting "Open Wireless Diagnostics...".
  2. Select "Sniffer" from the "Window" menu (don't bother with the "Introduction" dialog that Wireless Diagnostics pops up).

NOTE: the adapter on machines that require the use of Wireless Diagnostics may disassociate from your network while in monitor mode, in which case your machine will no longer have Internet access. This may persist after the capture stops; closing your machine and opening it up again might fix this.

Second of all, your network is probably a "protected" network, using WEP or some version of WPA, meaning all the packets are encrypted. This means that you will need to 1) enter the password for the network into Wireshark and 2), if it's some version of WPA (which it probably is), capture the initial authentication handshake that a given machine makes with the network, in order to decrypt traffic from and to that machine.

See the "How to decrypt 802.11" page of the Wireshark Wiki for more details. In particular, note that this may require you to get your wife's laptop to disconnect from the network and reconnect while you're sniffing, which means it may require you to get your wife to close her laptop and open it up again while you're sniffing.

Remember, "WEP" stands for "Wired Equivalent Privacy", meaning that the intent was to make it as hard to sniff wireless traffic as it is to sniff wired traffic. They failed (the encryption was too easy to crack), which is why they went with WPA (Wi-Fi Protected Access). I.e., if you find that the WEP/WPA stuff makes it hard to sniff traffic, that's not a bug, that's a feature - that's why they did it in the first place, to make it hard to sniff traffic!

(And, again, consider whether your wife will be amused or annoyed when you and your son show her the results of this exercise.)