This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to distinguish, on the gateway, the source IPs of HTTP packets from different computers on the NAT network?

0

Hi to all!

I have the following situation. My home computer has a 100 Mbit cable internet connection. The cable from the internet provider is connected to the network card in my PC. I have a real IP address (for example 150.140.130.120). Also I have a simple USB wifi modem which can work as an access point. I use Connectify Hotspot software to share my internet connection via wifi with other people and also with my mobile devices. All users who are connected to my wifi have an IP address 192.168.77.xxx.

My task: I want to see what web sites the users of my wifi point visit. I start Wireshark to capture packets from both interfaces (1st - my real network card with the internet cable from my provider; 2nd - my wireless connection (it is created automatically by Connectify Hotspot)). On both interfaces the packet count permanently increases, a little bit faster on the real network connection, which is right. In the list of captured packets in Wireshark I see all HTTP GET\POST queries and the Full request URI. I use this filter: http.request and http.request.method != M-SEARCH

But I have one big problem... In all packets the Source address is identical, and it is equal to the IP address of my PC (150.140.130.120). I can't see the source IP addresses of the wifi users (their IP addresses should be from the 192.168.77.xxx subnetwork). Also I can't see the source IP address of packets from my mobile device. I can see all HTTP queries from my mobile device, but the source of all packets is 150.140.130.120, when it should be 192.168.77.59.

If I try to use another filter like this (ip.addr == 192.168.77.59), I can't see packets with HTTP GET\POST queries and the Full request URI. I see only TCP, UDP, DNS packets and some HTTP packets but without GET\POST\URI headers. If I do not use any filters then it is the same situation (I see packets but with the real IP address of my PC, 150.140.130.120), and many more other low-level packets. Maybe on the gateway PC I need to configure Wireshark somehow to see the correct IP addresses. Or maybe I need to use some solution for NAT networks. I don't know...

Please, help me to solve this problem. Thanks in advance!

asked 17 Nov '13, 11:51

SergeyV


One Answer:

0

> Also I have simple USB wifi modem which can work as access point. I use Connectify Hotspot software to share my internet connection via wifi

> start Wireshark to capture packets from both interfaces (2nd - my wireless connection (it is created automatically by Connectify hotspot)). On both interfaces packets count permanently increases,

O.K., apparently Connectify creates a 'virtual' interface on which Wireshark is able to capture traffic; otherwise you would not see the counter increase on both interfaces. However, as you don't see the internal addresses (192.168.77.0/24), I assume that WinPcap (the capture library of Wireshark) gets only the already translated (NATed) packets from the 'virtual' interface. If that's the case, there is nothing you can do in Wireshark (configuration) to make it work, as it's apparently a limitation of Connectify.

To be absolutely sure, I suggest capturing only on the 'virtual' wifi interface and then checking whether you see any addresses from the network 192.168.77.0/24.

BTW: A similar problem with Connectify has been reported earlier.

http://ask.wireshark.org/questions/9375/unable-to-capture-soap-response

Only solution in your environment: Get another PC/Laptop and capture the wifi/wlan traffic instead of the interfaces on the PC with Connectify.

http://wiki.wireshark.org/CaptureSetup/WLAN

Regards
Kurt

answered 17 Nov '13, 17:16

Kurt Knochner ♦

edited 17 Nov '13, 17:17
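
The check suggested in the answer (capture only on the 'virtual' wifi interface, then look for 192.168.77.0/24 addresses) can be run over a saved capture. The following is an added example, not part of the original answer: it assumes a classic pcap file (not pcapng) with Ethernet framing, the function names are made up for illustration, 198.51.100.10 is a stand-in server address, and both sample captures are constructed.

```python
import ipaddress
import struct

INTERNAL_NET = ipaddress.ip_network("192.168.77.0/24")  # hotspot subnet from the question
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",   # little-endian (us / ns)
          b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}   # big-endian (us / ns)

def ipv4_endpoints(pcap_bytes):
    """Yield (src, dst) for each IPv4-over-Ethernet frame in a classic pcap file."""
    endian = MAGICS.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    offset = 24                                   # skip the global header
    while offset + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[offset + 8:offset + 12])[0]
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        # 14-byte Ethernet header, EtherType 0x0800 = IPv4, then a >= 20-byte IPv4 header
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":
            yield ipaddress.ip_address(frame[26:30]), ipaddress.ip_address(frame[30:34])

def internal_hosts_seen(pcap_bytes, net=INTERNAL_NET):
    """Return sorted addresses inside `net` that appear as source or destination."""
    seen = set()
    for src, dst in ipv4_endpoints(pcap_bytes):
        seen.update(addr for addr in (src, dst) if addr in net)
    return sorted(seen)

def sample_pcap(pairs):
    """Build a constructed pcap holding one bare IPv4 frame per (src, dst) pair."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst in pairs:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
        frame = b"\x00" * 12 + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

# Constructed samples: 198.51.100.10 stands in for a web server (assumption).
NATED = sample_pcap([("150.140.130.120", "198.51.100.10")])       # post-NAT view
PRE_NAT = sample_pcap([("192.168.77.59", "198.51.100.10"),        # client request
                       ("198.51.100.10", "192.168.77.59")])       # server reply

if __name__ == "__main__":
    for name, data in (("NATed", NATED), ("pre-NAT", PRE_NAT)):
        hosts = internal_hosts_seen(data)
        print(name, [str(h) for h in hosts] or "no 192.168.77.0/24 addresses")
```

An empty result for a capture taken on the virtual interface matches the situation described in the answer: the capture library is only handed the already translated packets.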