Problems while attempting to capture wireless packets
Hello, there! I'm relatively new to these forums, so please give feedback in a positive manner! Recently I've been trying to capture internet traffic between hosts other than my own in my network.
Context Rich Background
(Skip down to TL;DR for a quick explanation)
I initially attempted to capture packets through Ethernet. However, I believe the reason I'm not capturing any packets on that interface is that my router has a switch topology, meaning it won't send any packets to the port my Ethernet cable is connected to unless it's designated for my computer or it's a broadcast message. And turning on promiscuous mode doesn't change the result here.
And unfortunately, there is not a port on the switch which is specific for network analysis. It's a pretty old one.
I've since changed my focus to capturing wireless packets because it appears a wireless access point doesn't have the same restrictive filtering as my switch. What I mean is that wifi sends out the packets in a wide range. I believe it shouldn't be that hard to have my wireless adapter simply capture the traffic even if it doesn't have its IP address.
This has led me to many forums telling me to enable monitor mode on my adapter. I've watched TheNewBoston's Wireshark tutorial, which told me some adapters just don't have an option to turn on promiscuous mode (or in this case, I think he means monitor mode). Up until 4:30, he's explaining one that he uses that has worked for him in the past. So I went ahead and ordered the same one to make sure it can enable monitor mode. Now the trouble I'm running into is not entirely knowing if I've enabled it or not on the adapter. I have Npcap installed rather than WinPcap. Is having Npcap working with Wireshark enough? Do I have to do some manual procedure? And yes, I've read the Wireshark wiki. On this subject, they say it's very operating system and adapter specific. Any help or easy setups to get me capturing traffic is appreciated as well.
I've read this forum post hoping to find answers. However, it doesn't seem to have a solution to my specific problem.
I apologize if this post has too much context. I just want to get any questions about my previous steps out of the way so we can get to the answer faster.
TL;DR
I've been attempting to enable promiscuous mode on an adapter TheNewBoston recommended and stated has the ability to do so. So now I'm curious what the procedure is to enable it for this adapter? Is having Npcap and Wireshark good enough? Any help is appreciated.
Edit
I've attempted to follow @darius's advice to use WlanHelper.exe to enable monitor mode because I do not know of a ...
Hi @Sharknado,
from wiki https://wiki.wireshark.org/CaptureSet...
"AirPcap The AirPcap adapters from Riverbed Technology allow full raw 802.11 captures under Windows, including radiotap information. Note that the AirPcap adaptors are no longer being sold by Riverbed, as announced in their End-of-Availability (EOA) Notice on October 2, 2017.
"Windows
Starting from Windows Vista: Npcap
You can enter "monitor mode" via Wireshark or WlanHelper.exe tool shipped with Npcap.
"WinPcap doesn't support monitor mode
"If anybody finds an adapter and driver that do support promiscuous mode, they should mention it at the bottom of this page, for the benefit of other users.
none mentioned ....
@darius thanks for commenting! I'm unsure of how to enable monitor mode through Wireshark. Please look above at my edit for my attempts to enable it through WlanHelper.exe.
Hi,
read web links https://www.bing.com/search?q=AirPcap...
https://www.acrylicwifi.com/en/blog/w...
"NDIS driver as an alternative to airpcap adapter
With Acrylic WiFi we have developed an NDIS driver that allows capturing WiFi traffic on Windows natively with most WiFi cards of the market and we have developed on it a new library that replaces the original Airpcap.dll library. This new library keeps the compatibility with Airpcap cards and gives a list of additional network interfaces with the alternative USB WiFi cards.
This allows you to use any USB WiFi card and to use WiFi cards as an alternative to Airpcap and capture WiFi packets on Windows and to exploit the use of 802.11ac cards to capture traffic on tools like Wireshark under Windows.
There are still some limitations to achieve a fully working Airpcap adapter alternative, as some wlan drivers are ...
follow-up
https://support.riverbed.com/content/...
"Riverbed AirPcap
Riverbed® AirPcap was formerly referred to as AirPcap. Visit Riverbed AirPcap overview page to learn more. Riverbed AirPcap USB-based adapters capture 802.11 wireless traffic for analysis by SteelCentral Packet Analyzer (Cascade Pilot) or Wireshark.