This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Why don’t I see all of the information I want?

I am testing Wireshark for learning purposes. I wanted to try out a tutorial that hacks a Facebook account stealing cookie information. I couldn't manage to hack my Facebook account because Wireshark is sending me truncated packets that I can't get cookie info out of.
This is the topography of the network: my desktop PC is connected to the Internet to a hub (D-LINK router) via LAN (ethernet cable). I have a notebook connected to Internet via Wi-Fi to the same hub (D-LINK router). I access Facebook on my notebook on WIN XP OS. I monitor the packets with Wireshark on my desktop PC on Ubuntu 12.04 OS. I only get worthless truncated cookie information. Why is that?
My capture interfaces are:

  1. eth0
  2. Pseudo device that captures on all interfaces
  3. USb1
  4. USB 2
  5. lo

I tried to capture on all interfaces (except usb 1, 2) but it was the same thing. I can't get cookie information from my notebook. I only get NBNS, DNS, Browser, IGMP, SSDP protocol type of packets. I get some HTTP but not the Facebook cookie with the 'datr' line. It is just annoying. It seems so easy in the tutorial. Could anyone help me with this?

asked 30 May '12, 11:53

pahunrepublic

edited 30 May '12, 12:09

multipleinte...

One Answer:

Your D-LINK router is probably a switch, not a hub (See the Ethernet Capture Setup article). As such, you are only going to see broadcast data on your Ubuntu PC. If, by some chance, your router supports spanning/mirroring traffic, then you should set that up. Otherwise, you'll need to actually insert a hub somewhere.

answered 30 May '12, 12:07

multipleinte...

So it means I won't get any cookie info with a router or with my network topology.

(31 May '12, 07:10) pahunrepublic

That is correct; as cookie data is sent unicast, only the intermediary and endpoint nodes will see that data. The only exception to that rule is when using a hub, all nodes connected to that hub will receive a copy of the data. Your best bet is probably to ditch the wireless connection and connect via ethernet both the laptop and PC into the same hub, and then connect that hub to the router.

(31 May '12, 10:23) multipleinte...

> I wanted to try out a tutorial that hacks a facebook account stealing cookie information

I wonder why you want to hack a facebook account?

(31 May '12, 10:31) Kurt Knochner ♦
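
Added example, not part of the original thread: the answer's point that a switched port delivers only broadcast data (plus multicast and the capturing host's own traffic) can be checked by classifying each captured frame's destination MAC address. The MAC addresses, sample frames and function names below are constructed for illustration.

```python
from collections import Counter

BROADCAST = b"\xff" * 6

def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def classify(frame, local_mac):
    """Label one Ethernet II frame from the capturing host's point of view."""
    if len(frame) < 14:                 # shorter than an Ethernet header
        return "truncated"
    dst, src = frame[0:6], frame[6:12]
    if src == local_mac:
        return "sent-by-me"             # our own outbound traffic
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:                   # I/G bit set: group (multicast) address
        return "multicast"
    if dst == local_mac:
        return "unicast-to-me"
    return "unicast-to-other"           # normally needs a hub or mirror port

def summarize(frames, local_mac):
    """Return (per-class counts, True if other hosts' unicast was captured)."""
    counts = Counter(classify(f, local_mac) for f in frames)
    return counts, counts["unicast-to-other"] > 0

def frame(dst, src, ethertype=0x0800):
    """Build a constructed frame: 14-byte header plus 46 bytes of zero padding."""
    return mac(dst) + mac(src) + ethertype.to_bytes(2, "big") + bytes(46)

# Constructed addresses (locally administered range), not taken from the thread.
DESKTOP, NOTEBOOK, ROUTER = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"

SWITCHED_PORT = [
    frame("ff:ff:ff:ff:ff:ff", NOTEBOOK),   # e.g. an NBNS broadcast
    frame("01:00:5e:7f:ff:fa", NOTEBOOK),   # SSDP multicast (239.255.255.250)
    frame(DESKTOP, ROUTER),                 # reply addressed to the desktop
    frame(ROUTER, DESKTOP),                 # the desktop's own request
]
HUB_OR_MIRROR = SWITCHED_PORT + [frame(ROUTER, NOTEBOOK)]  # notebook's unicast

if __name__ == "__main__":
    for name, frames in (("switched", SWITCHED_PORT), ("hub/mirror", HUB_OR_MIRROR)):
        counts, foreign = summarize(frames, mac(DESKTOP))
        print(name, dict(counts), "other hosts' unicast seen:", foreign)
```

A switch also floods unicast frames whose destination it has not yet learned, so a handful of "unicast-to-other" frames in a real capture does not by itself mean the port is mirrored.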