This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

how can I capture traffic between two devices on Wi-Fi

0

Hello

I have a difficult setup. I will try to explain it and then ask the question:

(IP-192.168.0.100) -------------- (IP 192.168.0.1) ---------------- (IP 192.168.0.200)

Mobile phone with Wifi --connected -- PC with Wifi USB stick -- connected -- Mobile phone with Wifi

I am running Wireshark on my PC and I am capturing traffic that is coming through the USB port. The problem is that I cannot see unicast traffic between the two mobile devices (between 192.168.0.100 and 192.168.0.200).

I think that my PC is doing the routing on this Wi-Fi connection, so why can I not see traffic between these two devices? Also, I see traffic with a destination of 192.168.0.1. Is there any check box that I need to add or some routing that I need in order to capture it?

Please advise. Thanks in advance, Boris Shlichvsoki

asked 19 Aug '13, 06:53

Boris

edited 19 Aug '13, 13:36

Guy Harris ♦♦


One Answer:

1

To capture, on a Wi-Fi network, unicast traffic not sent to or from the capturing machine, you will probably need to capture in monitor mode. The Wireshark Wiki article on WLAN captures gives a lot of detail on that; the way you capture in monitor mode is OS-dependent - newer versions of libpcap on non-Windows OSes, and current versions of Wireshark, attempt to let you do it by checking a checkbox, but, for various reasons, that doesn't necessarily work on Linux or *BSD, and it doesn't work at all on Windows (to capture in monitor mode on Windows, you'd need to capture with a tool such as Microsoft Network Monitor or use an AirPcap device with Wireshark).

Note that, if the network you're on is "protected", using WEP or WPA/WPA2, you will need to be able to decrypt it; details on that are in the Wireshark Wiki article on decrypting 802.11 - note that, for WPA/WPA2, you will need to capture the traffic that appears when the other hosts associate with the network, so you might have to turn the mobile phones off before starting your traffic capture and turn them back on again after the capture starts. Note also that capture filters work on undecrypted packets, so, if the traffic is encrypted, you can't use capture filters on anything at the IP layer (such as IP addresses) or above, you can only filter at the MAC layer (MAC addresses, frame types, and so forth). You can use display filters once the traffic is decrypted, however.

answered 19 Aug '13, 13:43

Guy Harris ♦♦

Hi,

I have installed the app called Microsoft Network Monitor, as you advised, and applied monitor mode there. Now I see all the traffic between all devices. It was very helpful.

Thanks for your help Guy :-)

(20 Aug '13, 02:01) Boris
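
An added example, not part of the original answer: a Python sketch of why, as the answer above notes, a capture filter on a protected network can test MAC-layer fields but not IP addresses. The frames, the MAC addresses and the `build_frame`/`parse_dot11` helpers are constructed for illustration, and the "ciphertext" is a stand-in, not real CCMP output.

```python
import struct
from ipaddress import IPv4Address

LLC_SNAP_IPV4 = bytes.fromhex("aaaa030000000800")  # LLC/SNAP, EtherType IPv4
# Constructed addresses (not from the original post)
BSSID = bytes.fromhex("02aabbccdd01")
PHONE_A = bytes.fromhex("02aabbccdd64")
PHONE_B = bytes.fromhex("02aabbccddc8")

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def build_frame(protected):
    """Constructed QoS Data frame (ToDS) from phone A to phone B, no radiotap."""
    fc = bytes([0x88, 0x01 | (0x40 if protected else 0x00)])
    hdr = fc + b"\x00\x00" + BSSID + PHONE_A + PHONE_B + b"\x10\x00" + b"\x00\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     IPv4Address("192.168.0.100").packed,
                     IPv4Address("192.168.0.200").packed)
    if protected:
        # 8-byte CCMP header, then a stand-in for ciphertext (not real encryption)
        scrambled = bytes(x ^ 0x5A for x in LLC_SNAP_IPV4 + ip)
        return hdr + bytes.fromhex("0100002000000000") + scrambled
    return hdr + LLC_SNAP_IPV4 + ip

def parse_dot11(frame):
    """Return the fields readable without the key: what a capture filter can test."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    info = {"type": ftype, "subtype": subtype, "protected": bool(fc1 & 0x40),
            "addr1": mac(frame[4:10]), "addr2": mac(frame[10:16]),
            "addr3": mac(frame[16:22]), "ip_src": None, "ip_dst": None}
    if ftype != 2:                        # only data frames carry IP
        return info
    hdr_len = 24
    if (fc1 & 0x03) == 0x03:              # ToDS and FromDS: Address 4 present
        hdr_len += 6
    if subtype & 0x8:                     # QoS subtypes add a QoS Control field
        hdr_len += 2
    body = frame[hdr_len:]
    if not info["protected"] and body[:8] == LLC_SNAP_IPV4 and len(body) >= 28:
        info["ip_src"] = str(IPv4Address(body[20:24]))
        info["ip_dst"] = str(IPv4Address(body[24:28]))
    return info

if __name__ == "__main__":
    for label, protected in (("open", False), ("protected", True)):
        print(label, parse_dot11(build_frame(protected)))
```

In both frames the three MAC addresses and the frame type are readable; the IP addresses only appear when the Protected bit is clear, which is why IP-level matching has to wait for a display filter after decryption.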