Ask Your Question
0

Wireshark can't sniff smartphones traffic even if it correctly sniffs laptop traffic

asked 2020-04-09 09:35:09 +0000

manumsn gravatar image

updated 2020-04-09 10:21:58 +0000

grahamb gravatar image

Hi all,

I'm using Wireshark to sniff traffic of my home wi-fi network, where different smartphones and 1 laptop (name it: PC_target) are connected via Wi-Fi (no cable connection at all, just wifi). Wireshark is running on a second laptop (name it: PC_wireshark), and it has been properly configured so that I'm perfectly able to sniff AND DECRYPT all traffic generated from PC_target (EAPOL, HTTP, DNS, TCP, ICMP and so on). I see every packet, even if those packets are not directed to PC_Wireshark. This is possible because I properly set network interface to Monitor Mode, set proper channel, set IEEE 802.11 decription, properly set WPA password:SSID, waited for laptop to disconnect and reconnect to the network, got EAPOL packets, and so on. So in the end, I can 100% sniff laptop traffic.

Problem is that, when I perform same exact steps in order to sniff traffic from one of the available smartphones, I don't get any EAPOL packet and so can't sniff anything that is encrypted. I'm really stuck since I can't understand why same configuration allows me to sniff PC_target, but doesn't allow me to sniff smartphones.

Can someone help?

edit retag flag offensive close merge delete

Comments

So what you're saying is that you can't get the smartphone to send EAPOL packets, while you can get the PC_target to do that? That's not what the title suggests. Or do you see no traffic at all from the smartphone. You elaborated on the PC_target capturing, which is a cool achievement, but say little about the troubled smartphone platform and its interactions. Please do so.

Jaap gravatar imageJaap ( 2020-04-09 10:17:27 +0000 )edit

Are the smartphones connecting to your WiFi or the Mobile network?

Anders gravatar imageAnders ( 2020-04-09 11:41:55 +0000 )edit

If the smartphones are connected to the WiFi are they using the same channel as PC_target? APs often support a channel in both 2.4Ghz and the 5Ghz bands concurrently. Could the PC_target have connected on a 5GHz channel while the smartphones have connected on a 2.4GHz channel or visa-versa?

Jim Young gravatar imageJim Young ( 2020-04-09 12:24:23 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-04-09 14:25:42 +0000

manumsn gravatar image

Solution has been found, see below. Find also in the end another question on this topic.

@Jim Joung: thanks a lot. Problem is that router is using both 2.4GHz and 5GHz bands at the same time. According to "$ Airodump-ng mon0" command, router is using channel 6, so I used to set Wireshark to use same channel by selecting "Channel 6 - 2.437" on top panel, and this worked fine to sniff PC_Target, which I verified was connecting on that 2.4 band. However, checking into router logs, I found out that all the available smartphones were connecting on 5GHz band. After some checks I found that proper channel for them was "Channel 48 - 5.240". After setting this channel on Wireshark I can now sniff EAPOL of smartphones too.

@Jaap: you are right, but I decided to write a title somehow generic in order to reach as many different people as possible who might have same issue.

@Anders: thank for support, devices were of course connected to Wi-Fi and not to Mobile Network.

Question for all: even if airodump-ng was stating router was on Channel 6, in the end I had to manually switch Wireshark on a different channel in order to sniff smartphones traffic. However, there are something around 20 different channels on 5GHz band, and only one of them was the correct one. I had to test them one by one, and it's been very slow. Is there a way to immediately find which channel must be selected for a specific device, when router is behaving like this?

edit flag offensive delete link more

Comments

You want channel hopping for Windows?
https://wiki.wireshark.org/CaptureSet...

Chuckc gravatar imageChuckc ( 2020-04-09 14:35:27 +0000 )edit

Not at all, I'm not using windows but Kali Linux. Anyway I gave a look at the link, and channel hopping could be a solution. With Channel Hopping one could hop between different channels and collect some traffic related to different devices, then inspect the "802.11 radio information" header and find channel and frequency for that specific device. Then knowing that, stop Channel Hopping and tune Wireshark on that specific channel, in order to get complete EAPOL. Thanks for suggestion.

manumsn gravatar imagemanumsn ( 2020-04-09 14:56:04 +0000 )edit

Per the man page,

By default, airodump-ng hop on 2.4GHz channels.

I suspect this is why you only observed your 2.4 devices. There are options to enable scanning 5GHz or your own preset channel list with airodump-ng. Horst is another tool that scans for wireless networks in Linux, as do kismet and bettercap:

Bob Jones gravatar imageBob Jones ( 2020-04-10 10:28:43 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2020-04-09 09:35:09 +0000

Seen: 1,840 times

Last updated: Apr 09 '20

Related questions

playback video sniif ( not live ) HELP!!

Unknown RTP version 3 in skype data streams

Libpcap behavior on virtual NIC

Confused about wifi sniffing

HTTP sniff on wireless doesn't work (with EAPOL)

How to capture traffic of my smartphones?

Malformed EAPOL packets

Sniffing stealmylogin.com

unable to capture packets on Wireshark

Why I can not find my clear text login credentials in Wireshark traffic