Hi, I use Colasoft to analyze packets on my router. When I open a .cap file (generated by Colasoft) in Wireshark, the info says Ethernet II. But in Colasoft, when I run it on my system IP, the data shows fine in Wireshark. Here is the link for the .cap file: https://drive.google.com/file/d/0B2MDYkJV41GMcnh4OTAyVUFZUXM/view?usp=sharing Please help me with this one.

asked 05 Oct '14, 14:31, edited 05 Oct '14, 15:02 by Guy Harris
One Answer:
Those aren't Ethernet packets, they're 802.11 packets, but whatever Colasoft program wrote them (Capsa? nGenius?) put a link-layer header type of LINKTYPE_ETHERNET into the file header. I.e., whatever Colasoft program wrote that file is buggy. Report the bug to Colasoft and tell them that if they're writing 802.11 packets to a pcap file, they must set the link-layer header type in the pcap file header to 105, which is LINKTYPE_IEEE802_11, not to 1, which is LINKTYPE_ETHERNET. The list of link-layer header types for pcap and pcap-ng files is at http://www.tcpdump.org/linktypes.html; please point them to that page. As a workaround, you can use the editcap program, which is a command-line program that comes with Wireshark. Run the command
(you may have to give the full path to

answered 05 Oct '14, 14:51 Guy Harris, edited 05 Oct '14, 15:01
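To make the file-header point in the answer concrete, here is an added example (not from the answer, and not a substitute for the editcap command Guy Harris refers to): a small Python script that reads the 24-byte global header of a classic pcap file, reports which LINKTYPE_ value the writer recorded, and rewrites just that field from 1 (LINKTYPE_ETHERNET) to 105 (LINKTYPE_IEEE802_11) while passing the packet records through untouched. The sample input is a constructed one-packet pcap containing a hand-made 802.11 beacon-style header, not the poster's capture; the script handles classic pcap only, not pcap-ng, and the file-rewriting helper refuses to change a header whose value is not the one it expects to be wrong.

```python
import struct

# Classic pcap global header layout (24 bytes), per the libpcap file format:
#   magic_number, version_major, version_minor, thiszone, sigfigs, snaplen, network
PCAP_MAGIC_USEC = 0xA1B2C3D4   # microsecond-resolution timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond-resolution timestamps
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16

# Link-layer header types from http://www.tcpdump.org/linktypes.html
LINKTYPE_ETHERNET = 1
LINKTYPE_IEEE802_11 = 105
LINKTYPE_NAMES = {LINKTYPE_ETHERNET: "LINKTYPE_ETHERNET",
                  LINKTYPE_IEEE802_11: "LINKTYPE_IEEE802_11"}


def pcap_byte_order(data):
    """Return the struct byte-order prefix ('<' or '>') the writer used, found by
    trying both readings of the magic number. Rejects pcap-ng and non-pcap input."""
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("too short to hold a pcap global header")
    for order in ("<", ">"):
        (magic,) = struct.unpack(order + "I", data[:4])
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            return order
    raise ValueError("not a classic pcap file (bad magic); pcap-ng is not handled here")


def read_linktype(data):
    """Return the 'network' field of the global header, i.e. the LINKTYPE_* value."""
    order = pcap_byte_order(data)
    (linktype,) = struct.unpack(order + "I", data[20:24])
    return linktype


def linktype_name(linktype):
    return LINKTYPE_NAMES.get(linktype, "LINKTYPE_%d" % linktype)


def set_linktype(data, linktype):
    """Return a copy of the file with only the global header's link-layer type
    replaced; packet records are passed through byte-for-byte."""
    order = pcap_byte_order(data)
    return data[:20] + struct.pack(order + "I", linktype) + data[24:]


def count_records(data):
    """Walk the per-packet records and return how many there are, raising if a
    record header claims more bytes than the file holds (a truncated capture)."""
    order = pcap_byte_order(data)
    (snaplen,) = struct.unpack(order + "I", data[16:20])
    offset, count = GLOBAL_HEADER_LEN, 0
    while offset < len(data):
        if len(data) - offset < RECORD_HEADER_LEN:
            raise ValueError("truncated record header at offset %d" % offset)
        _ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(
            order + "IIII", data[offset:offset + RECORD_HEADER_LEN])
        if incl_len > snaplen or offset + RECORD_HEADER_LEN + incl_len > len(data):
            raise ValueError("record at offset %d exceeds snaplen or file size" % offset)
        offset += RECORD_HEADER_LEN + incl_len
        count += 1
    return count


def build_sample_pcap(linktype, order="<"):
    """Constructed test input: a one-packet pcap whose payload is a hand-made
    802.11 beacon-style frame header (not a real capture), written with the
    given link-layer type so the Ethernet/802.11 mismatch can be reproduced."""
    frame = bytes([
        0x80, 0x00,                          # frame control: management, beacon
        0x00, 0x00,                          # duration
        0xff, 0xff, 0xff, 0xff, 0xff, 0xff,  # addr1: broadcast
        0x02, 0x00, 0x00, 0x00, 0x00, 0x01,  # addr2: constructed, locally administered
        0x02, 0x00, 0x00, 0x00, 0x00, 0x01,  # addr3: BSSID, same constructed value
        0x10, 0x00,                          # sequence control
    ])
    header = struct.pack(order + "IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, linktype)
    record = struct.pack(order + "IIII", 1412550000, 0, len(frame), len(frame)) + frame
    return header + record


def fix_file(src_path, dst_path, expected_wrong=LINKTYPE_ETHERNET, correct=LINKTYPE_IEEE802_11):
    """Rewrite src_path to dst_path with the corrected link-layer type, but only
    if the header actually carries the value we expect to be wrong."""
    with open(src_path, "rb") as f:
        data = f.read()
    found = read_linktype(data)
    if found != expected_wrong:
        raise ValueError("header says %s, refusing to guess" % linktype_name(found))
    count_records(data)  # check the record chain is intact before writing anything
    with open(dst_path, "wb") as f:
        f.write(set_linktype(data, correct))
    return found, correct


if __name__ == "__main__":
    sample = build_sample_pcap(LINKTYPE_ETHERNET)
    print("before:", linktype_name(read_linktype(sample)))
    fixed = set_linktype(sample, LINKTYPE_IEEE802_11)
    print("after: ", linktype_name(read_linktype(fixed)), "records:", count_records(fixed))
```

The byte order is taken from the magic number rather than assumed, because pcap writers on big-endian hosts store every header field big-endian and a blind little-endian patch would write garbage into such a file. Running `fix_file("bad.cap", "fixed.cap")` on a real file does the same thing the script does to the constructed sample.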
Thank you. That worked perfectly. You are a genius. I have one more question: is there any possibility where I can analyze the packets on the router instead of using Colasoft? (I have been able to analyze packets on my local machine, not the router, so I decided to go for Colasoft.)
I.e., run a program on the router to analyze the packets? Or run a program on the router to capture the packets and then move the capture to another machine to read it?
No, I meant how to capture packets on the router instead of capturing on the local machine? (Run a program on the PC to capture packets on the router.) wiki.wireshark.org says this can be possible by enabling the adapter in promiscuous mode, but I don't understand how to set my adapter to promiscuous mode. Please help.
What type of router do you have? The answer would depend on that (and the answer might, for at least some routers, be "that's not possible").
Ultimately, some program on the router will have to capture the packets; perhaps a program on the PC can send a network message to the software on the router to tell it to capture packets, but as the interface on which you're capturing is on the router, the software will have to run on the router.
I doubt it says that. If you are on a non-switched Ethernet, or have plugged your machine into a "mirrored port" on a switched Ethernet, you can, in a program running on your machine, capture traffic going to and coming from another host on your Ethernet, by putting the Ethernet interface on your machine into promiscuous mode, and if you are on a Wi-Fi network, you can, in a program running on your machine, capture traffic going to and coming from another host on your Wi-Fi network, by putting the Wi-Fi interface on your machine into monitor mode - Wireshark (and TShark and tcpdump) will put the adapter into promiscuous mode by default, and can be told to put - but that's not doing the capture on that other machine itself. Colasoft's programs will probably do the same thing that Wireshark/TShark/tcpdump/etc. do, by putting the adapter into promiscuous or monitor mode.
You do so by using Microsoft Network Monitor or possibly Microsoft Message Analyzer, CommView for WiFi, or some other packet analyzer that supports monitor mode, and using whatever UI it has for capturing in monitor mode, or by getting an AirPcap adapter and using that to do the capturing with Wireshark.
But then, that's not using Wireshark. Microsoft Network Monitor does the same as Colasoft. I want Wireshark to be in monitor mode to capture the data. Is it possible?
Not on Windows with a regular Wi-Fi adapter.