Looking at the logs on my home router, I'm noticing several MAC addresses I don't recognize. I have several devices connected to my home network, all of which I know the MAC address for. My suspicion is that someone has hacked my WPA2 password and is using my network to access the internet.
This MAC address (and a few others) seem to be on my network at random times with no discernible pattern. What I would like to do is set up a Win7 computer on my network with Wireshark. I then want Wireshark to begin capturing packets when it sees a MAC address that isn't one of the devices on my network and to stop capturing packets once those rogue MAC addresses drop off my network.
I want to be able to analyze the packets, see the pages they are visiting, rebuild and see any files they are uploading/downloading, etc. Essentially I'd like to have a copy of all the rogue traffic that passes through my network for my own analysis. Is this possible to achieve with Wireshark and how would I go about doing that?
Edited to add: The machine I'd like to run Wireshark on would be a Windows 7 machine, preferably.
asked 18 Jun '13, 13:49
edited 18 Jun '13, 14:01
That sounds more like your TV, DVD player or other Audio/Video device is configured to use your network.
Yes, you can also use a filter to not capture traffic to/from known MAC addresses in your network with the filter "not (ether host <knownmac1> or <knownmac2> or ... or <knownmacx>)".
However, that will still capture some broadcasts which might fill up the capture file unnecessarily.
As for capturing the traffic, have a look at:
to decide how to capture the traffic in your specific network setup.
Although it would be interesting to see the traffic, you might also consider just changing the WPA2 password :-)
answered 19 Jun '13, 08:22
Yes, you can do this analysis with Wireshark.
Isolate credible unicast traffic, isolate credible broadcast traffic (ARPs originating from your machines), and isolate credible multicast traffic.
(If the rogue is sending broadcast frames then you need to tweak your capture filters accordingly.)
Construct a capture filter that won't capture the above-mentioned frames.
not ether host xx:xx:xx:xx:xx:xx is the capture trigger that tells it not to capture traffic to/from this MAC.
not ether host myhost1mac and not ether host myhost2mac and not ether host myhost3mac and not broadcast and not multicast
Let us wait for expert opinion to optimize this.
answered 18 Jun '13, 15:01
edited 18 Jun '13, 15:09
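As an added example, not part of either answer above: a small Python helper that builds the allowlist-based capture filter both answers describe (with the known hosts combined so that the filter really does exclude all of them), checks offline which constructed frames it would keep, and assembles a dumpcap command line for the Windows 7 box. The MAC values, interface number and output file name are constructed placeholders.

```python
import re

# Constructed allowlist (hypothetical values). Windows "ipconfig /all" prints
# MACs with dashes, so both separators and either case are accepted.
KNOWN_MACS = ["00-11-22-33-44-55", "AA:BB:CC:DD:EE:01", "aa:bb:cc:dd:ee:02"]

_MAC_RE = re.compile(r"^[0-9a-f]{2}([:-][0-9a-f]{2}){5}$")


def normalize_mac(mac):
    """Return the MAC in lower-case, colon-separated form; reject junk."""
    mac = mac.strip().lower()
    if not _MAC_RE.match(mac):
        raise ValueError("not a MAC address: %r" % mac)
    return mac.replace("-", ":")


def build_capture_filter(known_macs, drop_bcast_mcast=True):
    """libpcap capture filter keeping only frames whose source AND destination
    are both outside the allowlist. The hosts go inside one 'not (...)':
    chaining 'not ether host A or not ether host B' matches almost every
    frame, because no frame involves both A and B, so one 'not' is true."""
    hosts = " or ".join("ether host " + normalize_mac(m) for m in known_macs)
    flt = "not (" + hosts + ")"
    if drop_bcast_mcast:
        # Neighbours' ARP, mDNS etc. would otherwise bloat the capture file.
        flt += " and not broadcast and not multicast"
    return flt


def is_captured(src, dst, known_macs, drop_bcast_mcast=True):
    """Mirror the filter's decision for one frame, to sanity-check it offline."""
    known = {normalize_mac(m) for m in known_macs}
    src, dst = normalize_mac(src), normalize_mac(dst)
    if src in known or dst in known:
        return False
    # The group bit (low bit of the first octet) marks multicast; the
    # all-ones broadcast address is a special case of it.
    if drop_bcast_mcast and int(dst[:2], 16) & 1:
        return False
    return True


def dumpcap_args(iface, known_macs, outfile="rogue.pcapng"):
    """Argument list for dumpcap (ships with Wireshark). -b duration:3600
    starts a new file every hour so a days-long capture stays manageable."""
    return ["dumpcap", "-i", iface, "-f", build_capture_filter(known_macs),
            "-b", "duration:3600", "-w", outfile]
```

Run dumpcap from the Wireshark install directory with these arguments (interface numbers come from `dumpcap -D`), then open the rotated files in Wireshark for the Follow Stream and Export Objects analysis the question asks about.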