This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capture Traffic From Rogue MAC Address Only


Looking at the logs on my home router, I'm noticing several MAC addresses I don't recognize. I have several devices connected to my home network, all of which I know the MAC address for. My suspicion is that someone has hacked my WPA2 password and is using my network to access the internet.

This MAC address (and a few others) seem to be on my network at random times with no discernible pattern. What I would like to do is set up a Win7 computer on my network with Wireshark. I then want Wireshark to begin capturing packets when it sees a MAC address that isn't one of the devices on my network and to stop capturing packets once those rogue MAC addresses drop off my network.

I want to be able to analyze the packets, see the pages they are visiting, rebuild and see any files they are uploading/downloading, etc. Essentially I'd like to have a copy of all the rogue traffic that passes through my network for my own analysis. Is this possible to achieve with Wireshark and how would I go about doing that?

Thanks, SandTiger

Edited to add: The machine I'd like to run Wireshark on would be a Windows 7 machine, preferably.

asked 18 Jun '13, 13:49


sandtiger333

edited 18 Jun '13, 14:01


You say:

Looking at the logs on my home router, I'm noticing several MAC addresses I don't recognize.

my questions:

  • what kind of internet connection is that (DSL, cable TV)? In certain configurations (cable tv) it's kind of "normal" to see external mac addresses in the logs.
  • where in the logs did you see those mac addresses (wifi log, dhcp log)
  • what are the first three bytes of those mac addresses (vendor code)?

(19 Jun '13, 06:06) Kurt Knochner ♦
  1. Cable. However, I am looking at the DHCP table on my Airport Extreme base station. It lists clients by MAC address as well as each MAC's assigned IP address at the time.

  2. See above.

  3. All of my devices are Apple/Mac and vendor codes reflect that. Rogue MAC addresses are not Apple/Mac.

Thanks for the discussion.

Edit to add: All of my devices are currently Apple/Mac. The device I plan to add to my network for running Wireshark will be a Windows 7 device. I just wanted to know the feasibility of doing what I propose before spending the time to install the OS, update, install Wireshark, etc.

(19 Jun '13, 07:27) sandtiger333

Assuming the list of "Rogue" mac-addresses is short and pretty constant, you can create a capture filter like this:

ether host <mac1> or <mac2> or <mac3> ...

And then run the capture for a long time, as it will only capture traffic from the rogue addresses.

The machine I'd like to run Wireshark on would be a Windows 7 machine, preferably.

Hmm... so not all machines on your network are Apple ;-)

(19 Jun '13, 07:34) SYN-bit ♦♦

However, I am looking at the DHCP table on my Airport Extreme base station.

O.K. that's kind of odd if that Airport is behind the router (as I assume).

What are those vendor codes? Maybe your TV (or fridge) is also connected to the LAN and received an IP address.

(19 Jun '13, 07:38) Kurt Knochner ♦

One of the MAC addresses I'm seeing in my logs is: 00:0f:12:77:06:60. It comes up as "Panasonic AVC Network" which I'm assuming is someone's wireless card. Probably a model typically used to inject packets for breaking into wireless networks using Backtrack or something.

Edit to add: I've an AppleTV device, a few Apple laptops, two iPhones and an iPad. The only other devices in my home with NICs are the box I intend to install Win7 and Wireshark on and my television. There's nothing plugged in to the television NIC and I have it disabled in the television's control panel. The future-Win7 box is currently blank, unplugged and gathering dust in my basement.

(19 Jun '13, 07:50) sandtiger333

[quote]"Assuming the list of "Rogue" mac-addresses is short and pretty constant, you can create a capture filter like this:

ether host <mac1> or <mac2> or <mac3> ... And then run the capture for a long time, as it will only capture traffic from the rogue addresses.

The machine I'd like to run Wireshark on would be a Windows 7 machine, preferably.

Hmm... so not all machines on your network are Apple ;-)"[/quote]

Would I be able to set Wireshark to capture traffic from clients not on, say, a whitelist that I set using all of my clients' MAC addresses? Like in "krishnayeddula"'s post saying the Wireshark syntax would be:

"not ether host [MyAuthorizedClientOne] or [MyAuthorizedClientTwo] or [MyAuthorizedClientThree]"

Good catch on the "all my clients are Mac/Apple" statement. I added an edit to say the device I'll run Wireshark on will be a Win7 box I'll set up if I know Wireshark is capable of doing what I'd like it to do.

(19 Jun '13, 07:57) sandtiger333

Gack. Off-topic comment: New to these forums and trying to figure out how to cleanly quote comments. Please pardon the bad formatting till I figure that out.

(19 Jun '13, 08:04) sandtiger333

On the other hand, I can set up my DHCP server to hand out static addresses to each of my devices, but then hand out dynamic IP addresses to other devices that attach to my network. Would it be better/easier/cleaner to set up Wireshark to capture traffic only from IP addresses not within my assigned static range?

I tried filtering the traffic using the MAC address string above and was still seeing traffic being captured from my "approved" devices. I guess that leads me to ask the question: if I'm running Wireshark and seeing traffic scrolling down the screen as it's being captured...is all of that traffic being saved to the .pcap file or does the filtering happen only when saving to the .pcap file?

(29 Jun '13, 08:55) sandtiger333

2 Answers:


One of the MAC addresses I'm seeing in my logs is: 00:0f:12:77:06:60. It comes up as "Panasonic AVC Network"

That sounds more like your TV, DVD player or other Audio/Video device is configured to use your network.

Yes, you can also use a filter to not capture traffic to/from known mac-addresses in your network with the filter "not (ether host <knownmac1> or <knownmac2> or ... or <knownmacx>)".

However, that will still capture some broadcasts which might fill up the capture file unnecessarily.

As for capturing the traffic, have a look at:

to decide how to capture the traffic in your specific network setup.

Although it would be interesting to see the traffic, you might also consider just changing the WPA2 password :-)

answered 19 Jun '13, 08:22


SYN-bit ♦♦

Thanks for the info. Your confirmation on how to capture traffic that isn't one of my known clients' MAC addresses answers my question.

As to discarding broadcast traffic, I'll post later to ask how to tweak that once I get Wireshark up and running.

As to the rogue device I listed: I'm not too concerned about the MAC address captured as I know there are MAC address changer utilities available to mask a given NIC's MAC address and that hackers tend to use that when breaking into someone's wireless network.

I thought about changing my WPA2 password and completely agree that this would do away with my problem. But it would also do away with this neat learning opportunity I've been presented with :-) I'm a brand-new CCNA and am working to deepen my knowledge to become a guru like you.

(19 Jun '13, 08:37) sandtiger333


Yes, you can do this analysis with Wireshark.

Isolate credible unicast traffic, isolate credible broadcast traffic (ARPs originating from your machines), and isolate credible multicast traffic.

(If the rogue is sending broadcast frames then you need to tweak your capture filters accordingly.)

Construct a capture filter that won't capture the above-mentioned frames.

"not ether host xx:xx:xx:xx:xx:xx" is the capture trigger for telling Wireshark not to capture traffic to/from this MAC.

Example:

not ether host myhost1mac or not ether host myhost2mac or not ether host myhost3mac or (not broadcast and not multicast)

Let us wait for expert opinion to optimize this.

answered 18 Jun '13, 15:01


krishnayeddula

edited 18 Jun '13, 15:09
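A worked check of the two filter shapes in the answers above, added here as an example that is not from this thread and not Wireshark or libpcap code: a toy evaluator for the capture-filter subset the answers use (ether host, a bare MAC after "or", broadcast, multicast, not/and/or, parentheses) with pcap-filter's precedence (not binds tighter than and, which binds tighter than or). The MAC addresses and frames are constructed, locally administered values, not real devices. Running it shows why the whitelist form from SYN-bit's answer, "not (ether host A or ether host B)", drops every frame that touches a known host, while the "not ether host A or not ether host B" shape keeps almost everything (a frame is dropped only when it involves both A and B), which matches the "still seeing traffic from my approved devices" observation in the comments.

```python
"""Toy evaluator for the capture-filter subset used in this thread (added example, not libpcap).
Supports: ether host <mac>, bare <mac> after or/and (pcap's qualifier carry-over),
broadcast, multicast, not, and, or, parentheses. Frames are just src/dst MAC pairs."""
import re
from dataclasses import dataclass
from typing import Callable, List

MAC_RE = r"[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5}"
TOKEN_RE = re.compile(r"\s*(\(|\)|" + MAC_RE + r"|[a-z]+)")
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str  # source MAC, lower-case colon form
    dst: str  # destination MAC


Predicate = Callable[[Frame], bool]


def tokenize(text: str) -> List[str]:
    text, tokens, pos = text.strip(), [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unparseable filter text at {text[pos:]!r}")
        tokens.append(m.group(1).lower())
        pos = m.end()
    return tokens


def _host(mac: str) -> Predicate:   # ether host X: X is the source OR the destination
    return lambda f: f.src == mac or f.dst == mac


class Parser:
    """expr := term (or term)* ; term := factor (and factor)* ; factor := not factor | (expr) | primitive"""

    def __init__(self, tokens: List[str]):
        self.toks, self.i = tokens, 0

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.i += 1
        return tok

    def _expect(self, want: str):
        if self._take() != want:
            raise ValueError(f"expected {want!r} in filter")

    def parse(self) -> Predicate:
        pred = self._expr()
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()!r}")
        return pred

    def _expr(self) -> Predicate:          # lowest precedence: or
        left = self._term()
        while self._peek() == "or":
            self._take()
            left = (lambda a, b: lambda f: a(f) or b(f))(left, self._term())
        return left

    def _term(self) -> Predicate:          # and
        left = self._factor()
        while self._peek() == "and":
            self._take()
            left = (lambda a, b: lambda f: a(f) and b(f))(left, self._factor())
        return left

    def _factor(self) -> Predicate:        # not binds tightest
        if self._peek() == "not":
            self._take()
            inner = self._factor()
            return lambda f: not inner(f)
        if self._peek() == "(":
            self._take()
            inner = self._expr()
            self._expect(")")
            return inner
        return self._primitive()

    def _primitive(self) -> Predicate:
        tok = self._take()
        if tok == "ether":                 # "ether host <mac>"
            self._expect("host")
            tok = self._take()
        if tok == "broadcast":             # destination is the all-ones address
            return lambda f: f.dst == BROADCAST
        if tok == "multicast":             # group bit of the destination; includes broadcast, as in pcap
            return lambda f: int(f.dst[:2], 16) & 1 == 1
        if tok and re.fullmatch(MAC_RE, tok):
            # A bare MAC reuses the previous qualifier in pcap ("ether host A or B");
            # ether host is the only address qualifier this toy knows, so assume it.
            return _host(tok)
        raise ValueError(f"unsupported primitive {tok!r}")


def compile_filter(text: str) -> Predicate:
    return Parser(tokenize(text)).parse()


def kept_frames(filter_text: str, frames: List[Frame]) -> List[Frame]:
    """Frames the capture filter would let through into the .pcap file."""
    pred = compile_filter(filter_text)
    return [f for f in frames if pred(f)]


def whitelist_filter(known_macs: List[str]) -> str:
    """The 'everything except my known hosts' shape from SYN-bit's answer."""
    return "not (" + " or ".join(f"ether host {m}" for m in known_macs) + ")"


# Constructed addresses (locally administered, not real devices) and sample frames.
KNOWN_A = "02:00:00:00:00:0a"   # my laptop
KNOWN_B = "02:00:00:00:00:0b"   # my phone
ROUTER = "02:00:00:00:00:01"    # the base station
ROGUE = "02:00:00:00:00:ee"     # the unrecognised client
FRAMES = [
    Frame(KNOWN_A, ROUTER), Frame(ROUTER, KNOWN_A), Frame(KNOWN_B, ROUTER),  # my own browsing
    Frame(KNOWN_A, KNOWN_B),                                                # chatter between my devices
    Frame(KNOWN_A, BROADCAST),                                              # my ARP request
    Frame(ROGUE, ROUTER), Frame(ROUTER, ROGUE), Frame(ROGUE, BROADCAST),    # the rogue's traffic
    Frame(ROUTER, BROADCAST),                                               # the router's own ARP
]

if __name__ == "__main__":
    for label, flt in (("whitelist", whitelist_filter([KNOWN_A, KNOWN_B])),
                       ("or-of-nots", f"not ether host {KNOWN_A} or not ether host {KNOWN_B}")):
        print(f"{label}: {flt}")
        for f in kept_frames(flt, FRAMES):
            print(f"   kept {f.src} -> {f.dst}")
```

On the nine sample frames the whitelist filter keeps four (the rogue's three and the router's broadcast, which is the broadcast residue SYN-bit mentions; appending " and not broadcast" trims it to the two rogue unicast frames), while the or-of-nots filter keeps eight. The evaluator reproduces pcap's operator precedence and its "ether host A or B" shorthand, but nothing else about libpcap, so use it to reason about filter logic, not as a substitute for testing the real capture filter in Wireshark.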

Sounds promising, thanks. Looking forward to hearing more about it.

(19 Jun '13, 05:43) sandtiger333