I would like to capture the traffic of one wireless device on my wireless network. I have placed a switch between the Wireless router and my DSL modem and am port forwarding traffic to a laptop. When I capture traffic all I see is the IP address of the Wireless router. Is there a way to capture just the traffic of the one wireless device?

asked 14 May '13, 06:28 Tanuki
2 Answers:
Looks like you're capturing the packets after they have been through the Network Address Translation (NAT) process. In that process the internal IPs are replaced with your public IP. Unfortunately you cannot capture the internal IP addresses on the outside of a NAT gateway. The only workaround is to dump the NAT table to see what external connection represents what internal connection, but not all devices support this, and it is tedious work.

It may be easier to try and capture the WiFi traffic directly, but that is a bit more complicated. On Windows you'd need an AirPCAP adapter, while on Linux etc. you need to enable monitor mode manually before running Wireshark.

answered 14 May '13, 06:41 Jasper ♦♦
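The NAT-table workaround mentioned in the answer above, as an added example that is not part of the original post: it reads connection-tracking entries in the format printed by `conntrack -L` on a Linux-based router (an assumption; the page does not name the router) and builds a capture filter for one internal client's flows as they appear outside the NAT. The addresses, the sample table and the function names are constructed for illustration.

```python
import re

# Constructed sample in `conntrack -L` format. Assumed addresses:
# 192.168.1.23 = the wireless client of interest, 203.0.113.7 = router WAN side.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.23 dst=198.51.100.10 sport=51514 dport=443 src=198.51.100.10 dst=203.0.113.7 sport=443 dport=51514 [ASSURED] mark=0 use=1
udp      17 25 src=192.168.1.23 dst=198.51.100.53 sport=40000 dport=53 src=198.51.100.53 dst=203.0.113.7 sport=53 dport=61002 mark=0 use=1
tcp      6 300 ESTABLISHED src=192.168.1.50 dst=198.51.100.10 sport=51514 dport=443 src=198.51.100.10 dst=203.0.113.7 sport=443 dport=1024 [ASSURED] mark=0 use=1
icmp     1 29 src=192.168.1.23 dst=198.51.100.1 type=8 code=0 id=77 src=198.51.100.1 dst=203.0.113.7 type=0 code=0 id=77 mark=0 use=1
"""

def parse_entry(line):
    """Return (proto, original_tuple, reply_tuple) for one entry, or None."""
    fields = line.split()
    if not fields:
        return None
    pairs = re.findall(r"\b(src|dst|sport|dport)=(\S+)", line)
    # Each direction starts with its own src=: first is pre-NAT, second post-NAT.
    starts = [i for i, (key, _) in enumerate(pairs) if key == "src"]
    if len(starts) != 2:
        return None
    return fields[0], dict(pairs[:starts[1]]), dict(pairs[starts[1]:])

def wan_filter(table, client_ip):
    """Build a capture filter for client_ip's flows as seen outside the NAT."""
    clauses = []
    for line in table.splitlines():
        entry = parse_entry(line)
        if entry is None or entry[1]["src"] != client_ip:
            continue
        proto, _, reply = entry
        # The reply tuple is the outside view: remote host -> router WAN address.
        clause = f"{proto} and host {reply['src']} and host {reply['dst']}"
        if "sport" in reply:  # TCP/UDP: the WAN-side port may have been rewritten
            clause += f" and port {reply['sport']} and port {reply['dport']}"
        clauses.append(f"({clause})")
    return " or ".join(clauses)

if __name__ == "__main__":
    print(wan_filter(SAMPLE, "192.168.1.23"))
```

The table is a snapshot, so the filter only covers flows that were tracked when it was dumped; short-lived connections need the dump repeated.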
As @Jasper said, your wireless router is doing NAT. If your DSL modem is also doing NAT, then you could decide to configure your wireless router to work in bridging mode. That way, the traffic from the wireless clients will no longer be translated and you can use the current capture setup to monitor a specific client.

answered 14 May '13, 07:00 SYN-bit ♦♦

Thank you both for your help. I will try putting the router in bridge mode tonight and report back tomorrow. (14 May '13, 09:33) Tanuki
...and while on OS X you need to check the monitor mode checkbox (that doesn't currently work on most Linux systems, for various reasons; it may work on some *BSD systems, but not all).
Note also that on a "protected" network (i.e., a network using WEP or WPA/WPA2, on which the traffic is encrypted), you will have to arrange that the traffic can be decrypted.