Ask Your Question
0

Why can't I capture other device's packets on the network?

asked 2019-07-05 21:48:38 +0000

Ben321 gravatar image

At the ethernet packet level, I can only see packets between my router and my computer. At the IP address level, I can only see packets with my computer's IP address as either the destination or source address. I can't see any communications between the router and another computer (at the ethernet packet level) or between any 2 other computers on my network (at the IP address level). And this is despite the fact that I put a tick in the check box for promiscuous mode, for my wi-fi adapter in the Wireshark adapters settings, and made sure to select that adapter as my capture adapter. An yes, I'm using the latest NPCap driver installed by the Wireshark installer.

I'm not sure what's wrong. I'm guessing it may have something to do with the fact that my router is using WPA2 encryption, instead of being unencrypted (like an "open" wireless network). Or maybe I need to use a wired connection (rather than wireless connection) when connecting my packet inspection computer to the router. Can anybody here tell me what's wrong? And how do I fix it?

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-07-05 22:40:25 +0000

grahamb gravatar image

To see packets between other devices and the Acess Point you'll need to enable "Monitor Mode". See the Wiki page on WLAN capturing for more info, noting the fact that it might not work on Windows.

edit flag offensive delete link more

Comments

Then what's the difference between Promiscuous Mode and Monitor Mode?

I had assumed that Monitor Mode was not needed to capture packets on the same router as the packet sniffing computer, and that only Promiscuous Mode was needed for that.

Furthermore, I had assumed that Monitor Mode was only needed to capture packets to networks you were not connected to, that is not connecting to any network at all and simply "sniffing" wifi packets out of the air and capturing them as raw wifi packets (and then from there capturing the ethernet packets within, and deeper layers if available, assuming that the wifi packet itself was not encrypted which would otherwise prevent deeper capture).

Ben321 gravatar imageBen321 ( 2019-07-05 22:47:33 +0000 )edit

That behaviour is a "feature" of Wireless adaptors. Please read the linked wiki page for more info.

grahamb gravatar imagegrahamb ( 2019-07-06 13:44:41 +0000 )edit

Very interesting. Are there any adapters that DO allow promiscuous mode, without monitor mode, in Windows? I don't (right now) have any particular need to sniff packets from networks I'm not connected to, but I would like to be able to monitor all packets on my current network (which theoretically only requires promiscuous mode, and not monitor mode). And yes my network is open (not encrypted), but it still seems that promiscuous mode is crippled and behaves just as if it were in normal mode (WireShark only shows packets who's source or destination is the computer performing the packet sniffing).

Based on that wiki article, it sounds like this problem is a Windows thing, and that my idea would work fine in Linux, but it also sounds like it has something to do with which wi-fi adapter I'm using. Maybe you could point me to a ...(more)

Ben321 gravatar imageBen321 ( 2019-07-10 02:14:24 +0000 )edit

There's a list of adapters for npcap here.

The issue is with the adapter driver\firmware not Wireshark or npcap. npcap asks the driver if it supports monitor mode, and if so enables the checkbox in the Wireshark UI. Even then, the driver\firmware might be defective so that it doesn't actually work.

Generally folks seem to have more success in this area with Linux.

grahamb gravatar imagegrahamb ( 2019-07-10 07:47:34 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-07-05 21:48:38 +0000

Seen: 40,436 times

Last updated: Jul 05 '19

Related questions

How Can I change my wireless interface to monitor mode in version 2.6.0

"Easy" question, Promiscuous or Monitor mode ?

Data packets not captured

Computer compromised through Steam personal/financial information stolen HELP [closed]

cannot find "Compare two capture files"

Is it possible to test a capture filter with already captured traffic?

promiscuous mode windows 10 not working

aix iptrace capture filters

Wireless controls are not supported in this version of wireshark

How would I map this display filter to a capture filter?

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2