setup: 1 pc connected to a switch ( with wlan ) ( 192.168.1.10 ) 1 notebook connected to the same switch via wlan ( 192.168.1.20 ) question: why is it not possible to see the traffic from the notebook which is connected to the same switch ? i have to use cain/able to arp-poison the connection to the router to re-route the traffic, but shouldnt it be possible to see the traffic just with the promisc. mode activated on the pc ( 192.168.1.10 ) to capture the traffic from the notebook ( 192.168.1.20 ) without arp-poisening ? asked 01 Apr '13, 14:28 supr3m3 |
One Answer:
"Switch" generally refers to Ethernet switches; if not, it's usually an ATM or perhaps Token-Ring switch, all wired. Wireless technologies don't have a switched medium - they just have the electromagnetic field, in some range of frequencies, typically radio. There are Wi-Fi access points, but they're generally not considered "switches" at the Wi-Fi level, although they might include an Ethernet switch (if they have more than one Ethernet port). What sort of switch is this? Is it, for example, a Wi-Fi access point with multiple Ethernet port, so that it includes both an Ethernet switch and an Ethernet-to-Wi-Fi router? If so, then, if your two computers are connected to the access point via Wi-Fi, the only traffic they'd be able to see is Wi-Fi traffic; they won't be able to see any traffic between hosts plugged into the Ethernet ports. However, in principle, they could see all Wi-Fi traffic between the access point and hosts on the network. However, that might require that the host doing the sniffing put its Wi-Fi adapter into monitor mode rather than promiscuous mode. With Wireshark (and thus with libpcap/WinPcap, which are what Wireshark uses for traffic capture), that's only possible on Linux, OS X, and *BSD; it's not possible on Windows. There are other programs that can support monitor mode on Windows; Microsoft Network Monitor (which can be downloaded for free) supports it on Windows Vista and later (it does not support it on Windows XP or earlier) if your machine's Wi-Fi adapter's driver supports NDIS 6's "Native Wi-Fi" including monitor mode, and other applications such as Tamosoft CommView for Wi-Fi and Wildpackets OmniPeek (which can't be downloaded for free, although you might be able to get "trial" versions with a timeout) may support it even on earlier versions of Windows if they have a driver for the adapter. For WinPcap, you can get an AirPcap adapter, which is a specialized USB Wi-Fi adapter that doesn't work as a regular Wi-Fi adapter but does work for capturing Wi-Fi traffic on Windows. However, none of that is sufficient on a "protected" Wi-Fi network, i.e. one using WEP or WPA/WPA2 encryption. For that, you need a sniffer that supports WEP and WPA/WPA2 decryption, you need to give that sniffer the password for the network and, for WPA/WPA2 encryption, you need to capture the initial setup frames for any machine whose traffic you want to decrypt. For Wireshark, see the "how to decrypt 802.11" page on the Wireshark Wiki; for other sniffers, see their documentation (or have Wireshark read their capture files, which should be possible, in newer versions of Wireshark, for all the sniffers mentioned earlier). answered 02 Apr '13, 00:29 Guy Harris ♦♦ thx for your answer, but i think we miss the point of the question over here: maybe i explain the setup again: 1 computer is connected via network cable to the AP 1 notebook is connted to the same AP via wireless. my assumption is: when i fire up wireshark on the computer in promisc. mode, i cann see all the traffic from the local computer ( obvious ) AND from all computers which are connected through wire to the same AP ? is that correct ? why cant i see ANY packets from a device which uses a different "medium" to connect to the AP ? shouldnt it be completly irrelevant how the devices connect to the switch ? (02 Apr '13, 00:58) supr3m3 1
More accurately, this time, it appears.
That's not what you said in your original question. What you said there was:
You said nothing about the first computer being connected to the switch via a network cable. You said "(with wlan)", which could be interpreted as meaning that the first computer was connected to the switch via Wi-Fi. So: The computer with the Wi-FI interface can, in monitor mode, see all Wi-Fi traffic. However, the only Ethernet traffic it could see would be Ethernet traffic that arrives on its Ethernet interface, so, unless it's also plugged into an Ethernet network, it won't see any Ethernet traffic. The computer with the Ethernet interface can, in promiscuous mode, see all Ethernet traffic that arrives on its Ethernet interface. On a switched network, that will not necessarily be all traffic going through the switch; see, for example, the Wireshark Wiki's "how to capture on Ethernet" page. So:
Not necessarily. If the AP is a switch, you won't necessarily see all traffic through the switch.
No, it shouldn't be. Only Wi-Fi traffic that's routed to a host on the Ethernet will show up to a host sniffing on the Ethernet, and even then, that will only happen if that host is getting all traffic through the Ethernet switch routed to it, which might require special configuration of the switch on the AP, or might simply be impossible if the AP's switch doesn't support that. (02 Apr '13, 01:11) Guy Harris ♦♦ |
"Switch" generally refers to Ethernet switches; if not, it's usually an ATM or perhaps Token-Ring switch, all wired. Wireless technologies don't have a switched medium - they just have the electromagnetic field, in some range of frequencies, typically radio. There are Wi-Fi access points, but they're generally not considered "switches" at the Wi-Fi level, although they might include an Ethernet switch (if they have more than one Ethernet socket).
What sort of switch is this? Is it, for example, a Wi-Fi access point with multiple Ethernet sockets, so that it includes both an Ethernet switch and an Ethernet-to-Wi-Fi router?