This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark does not capture any other traffic except my own


My network topology is the following. I have a cable modem and a router in a single device provided by my ISP. Wireshark captures the traffic from/to my PC, but it does not capture the Wi-Fi traffic from my phone, which is logged in to the same network. I even got a new promiscuous-compatible NIC card but still nothing. I use Windows 7 and I have also tried using Wireshark on Kali Linux, but nothing shows apart from my own traffic. The traffic from my phone or other devices is not there. Any ideas? Thanks.

asked 20 Oct '16, 05:29

kenjac


One Answer:


This is expected behavior.

A good discussion of this topic from one of the people who frequent this site:

https://blog.packet-foo.com/2016/10/the-network-capture-playbook-part-1-ethernet-basics/

answered 20 Oct '16, 05:41

Bob Jones

Thanks, Bob. It's still a bit fuzzy though. How do I know whether the modem/router acts as a switch or not? Should I start doing port mirroring in any case as the only solution?

(20 Oct '16, 05:54) kenjac

It's not fuzzy, it's crystal-clear once you get behind the "click" :-)

A home router typically contains a hardware switch which exposes most of its ports outside as wired Ethernet ports, and connects the wireless interface and the CPU interface to the remaining two. The wireless interface behaves as a switch too - if a Station wants to send a frame to any destination, including another Station, it sends it to the Access Point, and the Access Point either sends it to another Station or to the "hardware" switch, depending on the destination address of the frame. Even if the encryption passphrase is common for all Stations (WPA-PSK mode), the actual encryption keys are not, so each Station can "hear" frames the AP is sending to other Stations (or vice versa) but cannot decrypt the data (unless it took some preparative measures).

To check whether I've written it comprehensively, try to figure out why port mirroring on the hardware switch, even if it were available on a home router, which is pure sci-fi, would not allow you to capture traffic between two wireless Stations.

What you would be able to capture would be the traffic between any of your LAN (both wired and wireless) devices and the rest of the world, but only if you had access to the connection between the router part and the modem part. This may be possible using some open source router software where you may run tcpdump on the internal interface between the router and the modem, and it is definitely possible if the AP/router role is performed by a physically different device than the modem role, so you can capture at the cable connection between the two.

If you are interested in what your phone is talking about with servers on the internet, you have to find a separate AP, connect it to your home router's wired port using a tapped cable (or another switch with monitoring capability), and let the phone connect to that AP's SSID rather than the home router's one. This way, the traffic passes through the tap or monitoring switch and you can capture it.

Same case if you want to capture what two of your Stations (e.g. a phone and a printer) discuss - you have to "connect" each of them to another AP and capture on the interconnection between the APs.

(20 Oct '16, 06:51) sindy

Thanks Sindy for the comprehensive explanation! I believe though port mirroring would work if I log in to my router and tell it to forward all traffic to my own station - I cannot see a reason (maybe not yet) why this would not work?

In the meantime, I will install a second router as the AP you are talking about and through that I would hopefully be able to achieve that. I have some understanding of network topologies, but the thing that got me confused is examples of, let's say, hotel Wi-Fi networks. I have read and heard that "just turn on the laptop, fire up Wireshark and you have the traffic of any network". But it seems like it never worked, so I started doubting the whole concept.

But thanks for your overview, I will definitely try it out.

(21 Oct '16, 06:09) kenjac

> I believe though port mirroring would work if I log in to my router and tell it to forward all traffic to my own station - I cannot see a reason (maybe not yet) why this would not work?

I have trouble believing it because I haven't seen a single home router which would support port mirroring at least on the wired switch. Even if it did, still the wireless part as a whole is normally connected to a single port of the wired switch, so even if you could activate station monitoring on the "wireless switch" part somehow, you wouldn't have a physical connection to deliver that data to an external port of the wired switch.

If your ISP does provide home routers equipped with such capabilities, I envy you your ISP :-)

> I have read and heard that "just turn on the laptop, fire up Wireshark and you have the traffic of any network". But it seems like it never worked, so I started doubting the whole concept.

This is close to the truth if

  • you have as many latest-model MacBooks as there are frequency channels in use on the site where you want to capture,

  • all the WLANs on the site are not encrypted, or at worst they use WPA and you know the pre-shared WPA keys of all of them,

  • you come early enough in the morning to capture the association phase of all wireless clients. Without capturing the association phase, you won't capture the EAPOL exchange which you need to be able to decipher the WPA encryption of that particular client.

(21 Oct '16, 07:12) sindy

> just turn on the laptop, fire up Wireshark and you have the traffic of any network

I travel some for business and most of the hotels I stay in use WiFi that is not encrypted. So in a sense, often (too often!) it is as simple as you suggest. However, you need the correct hardware. With Windows it is difficult, and other systems have their own challenges to get at this type of WiFi traffic. No question Mac laptops make it easy, if you have one.

I developed/deliver a Cybersecurity training class within our company and demonstrate what I pick up in hotels using this method - when you start pointing out the information leakage that can occur it can be scary.

Mirror ports or network taps are the way to go, but as @Sindy says, it is unlikely you will have one with retail equipment. We can guide you to some inexpensive options if you want.

(21 Oct '16, 08:52) Bob Jones
(21 Oct '16, 09:53) Jaap ♦