Ask Your Question
0

Can I Capture Mesh Network Traffic?

asked 2020-05-10 20:19:14 +0000

Jrjsmith gravatar image

I am using BT Whole Home Wi-Fi discs to overcome 'not-spots' around the house.

I would like to capture the traffic between my mobile telephone Security Camera app and my generic IP Security Camera, which are both connected to this BT Whole Home Wi-Fi mesh network.

Can anyone tell me how I can configure Wireshark to capture this traffic, please?

If Wireshark cannot be used for this activity, can you recommend a way to capture this traffic, please?

Many thanks

Joe.

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted
0

answered 2020-05-15 14:59:14 +0000

Jrjsmith gravatar image

Here is how I achieved the Capture that I wanted on the mesh network that is delivered through the BT Whole Home Wi-Fi.

The following description assumes that you have already installed a driver, which permits you to select Monitor Mode for your Wi-Fi adapter and that you have already prepared Wireshark with the proper Passphrase or Key for your BT Whole Home Wi-Fi mesh network.

  1. Log in to the BT Whole Home Wi-Fi main device and go to Setup > Wi-Fi Settings and make a note of the channel(s) used. Also, go to Systen > Information and make a note of the MAC Addresses for the Disc(s). Each disc has three Mac Addresses: Ethernet, 2.4GHz Wi-Fi and 5GHz Wi-Fi. Logout when finished.
  2. Get as close to the target (IP Camera) as possible with the laptop and mobile telephone.
  3. Put the Wi-Fi adapter of the laptop into Monitor Mode with the Channel recorded above e.g. sudo airmon-ng start wlan1 11, where wlan1 is the ID of the Wi-Fi adapter and 11 is the channel to be operated on. Note: most IP Cameras use the 2.4GHz channels.
  4. Start Wireshark and select the Wi-Fi adapter that is running in Monitor Mode. Start a Capture.
  5. Run aireplay-ng -deauth using the 2.4GHz MAC Address for the BT Whole Home Wi-Fi disc that is anticipated to service the IP Camera e.g. aireplay-deauth 6 -a [ROUTER MAC] wlan1mon, where 6 is the number of death attacks required, [ROUTER MAC] is theBT Whole Home disc 2.4GHz MAC Address (colon-separated) and wlan1mon is the Wi-Fi adapter in Monitor Mode. Note: a specific target can be addressed for deauth by adding -c [DEVICE MAC] after the number for the deauth attacks quantity and before the -a [ROUTER MAC].
  6. Wait a short while and then use the mobile telephone app to contact the IP Camera - watch a few frames from the camera and then close the app.
  7. Stop Wireshark and use the Display Filter eapol to check that you've captured the four-way key handshake - there should be at least two sets: one for the IP Camera and one for the Mobile Telephone but there are likely to be several more if you did not specify a specific target using -c [DEVICE MAC] in the aireplay-ng command.

I hope this helps anyone trying to use Wireshark on Mesh Networks.

edit flag offensive delete link more
0

answered 2020-05-10 20:35:15 +0000

grahamb gravatar image

See the Wiki page on WLAN capture for more information on capturing WiFi traffic.

edit flag offensive delete link more

Comments

Hi Graham,

Thanks for your response.

I had already read (and re-read several times) the Wiki page that you linked. I have also searched for answers via browser searches and YouTube videos. Regrettably, I have been unable to capture the traffic between my mobile telephone and the generic IP camera. I have added the key so that Wireshark can decrypt the Wi-Fi traffic. I can see the EAPOL four-way handshake when I connect the Mobile telephone to the SSID. I can see traffic between the mobile and the AP and between the mobile and the router but I have been unable to see the traffic to the IP camera.

As I am using Wireshark running under Kali Linux installed as the base operating system on a laptop, together with an ALFA Networks AWUS036AC USB wireless network adapter, I know that the adapter is in Monitor mode.

The only reason for ...(more)

Jrjsmith gravatar imageJrjsmith ( 2020-05-12 08:45:50 +0000 )edit

What traffic you see will depend on whether the mobile app connects directly to the camera or if an external "central server" is involved, the use of a mesh network doesn't really affect things.

If the mobile app connects directly to the camera then you should see traffic with the camera's IP to and from the phone. If the camera and app communicate via an external server then you'll only see traffic from each device to and from the central server.

If you can't see any traffic at all to the IP camera, are you sure your capture device is in range of the camera and the mesh node it's using and on the channel and modulation scheme that's being used?

grahamb gravatar imagegrahamb ( 2020-05-12 09:21:54 +0000 )edit

Hi Graham,

Thanks once again for your response.

The mobile app is meant to connect directly to the camera not through a central server.

Unfortunately, I know neither the IP address of the camera (DHCP) nor its MAC address (to use to determine the IP address from the DHCP server (Cisco ASA5505).

As I had neither IP nor MAC, I spent today getting it down to check for its MAC Address - a waste of time as the only distinguishing item on it is its UID (alphanumeric with plenty above F with no pattern that may include its MAC Address).

I've decided to get as close as I can to the target (the camera), start Wireshark, and use aircrack-ng to deauth everything and capture all EAPOL handshakes. These will contain the MAC Addresses for everything that connects and I can check these against the DHCP records in an attempt to ...(more)

Jrjsmith gravatar imageJrjsmith ( 2020-05-13 18:40:54 +0000 )edit

Hi Graham,

In general, you are correct to say that the use of a mesh network doesn't really affect things.

However, when attempting to perform the Capture that I wanted, it does - see the steps that I needed to follow in the Answer that I've entered, which I hope will assist others.

Thanks again for your interest and assistance.

Joe.

Jrjsmith gravatar imageJrjsmith ( 2020-05-15 14:55:42 +0000 )edit

Looks to me to be the general steps to make a WLAN capture, ascertain channel, restart the client connection either by disconnecting or as in your case spoofing deauth packets while capturing and apply the appropriate PSK to decrypt. You have laid out a suitable set of steps that works for you so that's a win.

grahamb gravatar imagegrahamb ( 2020-05-15 15:26:35 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-05-10 20:19:14 +0000

Seen: 2,947 times

Last updated: May 15 '20