Ask Your Question
0

Wireshark not capturing any web traffic

asked 2020-03-21 22:33:54 +0000

gangelo gravatar image

Hello,

I'm on my home network which includes my wife and kids. My wife has a MacBook Pro I. My youngest (7) has Kali Linux machine, and I have a MacBook also, running Kali via VirtualBox. My youngest son and I want to play some hacking tricks on my wife, the first of which will be to capture her outbound HTTP traffic by creating a script; at the end of the month, my young son and I are going to show my wife where she's been - a lot of fun. Anyways, the first step was to see if we could capture her outbound HTTP traffic via WireShark, and so far, we've been unsuccessful. I've tried on my son's Kali machine and we've tried Kali on my machine via VM, and nothing. All the machines can see each other, the Kali machine running on my VM is running on VirtualBox and has the Network attached via Bridged Adapter, and everyone else is connected via wireless to our Apple Airport. I am picking up some traffic from my wife, but nothing by way of HTTP.

Any ideas as to what could be the case?

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-03-22 03:54:43 +0000

Guy Harris gravatar image

I will let an advice columnist advise you on the wisdom of this plan. I take no responsibility for any consequences of this prank. :-)

On the technical level:

First of all, if you want to capture other machines' traffic on a Wi-Fi network, you would need to capture in monitor mode.

Your youngest son's machine should be able to do that. See the section of the Wireshark Wiki that discusses capturing in monitor mode on Linux. I'm guessing that Kali Linux includes airmon-ng, so look at the part of the instructions that mention airmon-ng.

Your machine may be able to do it - but only if you're capturing on the Mac itself. The virtual machine's network interface is a pretend Ethernet interface, which could run in promiscuous mode, but 1) not monitor mode, as it's not a pretend Wi-Fi network adapter and 2) promiscuous mode will capture only on the "network" it's on, which is a virtual network passing traffic between the host and the guest, so, at most, it might be able to capture traffic between virtual machines running at the same time or between other virtual machines and the host.

With older Macs, the monitor mode checkbox should Just Work. With newer Macs, Apple decided to make life difficult, for some unknown reason, so, currently, the only way to capture in monitor mode is to:

  1. Open Wireless Diagnostics by Option+click on the Wi-Fi element in the menu bar and selecting "Open Wireless Diagnostics...".
  2. Select "Sniffer" from the "Window" menu (don't bother with the "Introduction" dialog that Wireless Diagnostics pops up).

NOTE: the adapter on machines that require the use of Wireless Diagnostics may disassociate from your network while in monitor mode, in which case your machine will no longer have Internet access. This may persist after the capture stops; closing your machine and opening it up again might fix this.

Second of all, your network is probably a "protected" network, using WEP or some version of WPA, meaning all the packets are encrypted. This means that you will need to 1) enter the password for the network into Wireshark and, if it's some version of WPA (which it probably is), in order to decrypt traffic from and to a given machine, you will need to capture the initial authentication handshake that machine makes with the network.

See the "How to decrypt 802.11" page of the Wireshark Wiki for more details. In particular, note that this may require you to get your wife's laptop to disconnect from the network and reconnect while you're sniffing, which means it may require you to get your wife to close her laptop and open it up again while you're sniffing.

Remember, "WEP" stands for "Wired Equivalent Privacy", meaning that the intent was to make it as hard to sniff wireless traffic as it is to sniff wired traffic. They failed (the encryption was too easy to crack), which is why they ... (more)

edit flag offensive delete link more

Comments

Thank you. Yes, she will be amused :). I'll let you know how it goes!

gangelo gravatar imagegangelo ( 2020-03-22 09:11:42 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2020-03-21 22:33:54 +0000

Seen: 7,629 times

Last updated: Mar 22 '20

Related questions

Can I create a capture filter on a pcap file

Wireshark capture with ET2000

wireshark does not capture packets from wifi nic - windows 8

why wireshark is not showing http or https packets in the view?

What kind of HW timestamp is now supported with Wireshark 2.6.0?

How to capture clear text traffic from devices that arent my computer

Capture from only one Port in wireshark and tshark

Wireshark 2.4.1 GTK Crash on long run

Why redirection of VoIP calls to voicemail fails?

Why there is port mismatch in tcp and http header for port 51006. Also why the netstat in server do not shows connections under port 51006 even traffic is coming to this port.

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2