I have a legal requirement to log all data passing through a wireless router. Is this something Wireshark can do, assuming the router has a promiscuous mode available? Does Wireshark have any features to facilitate this (automated mode, starting a new file at 00:00 each day, etc.)?
asked 05 May '11, 08:00 Brian Lewis edited 05 May '11, 09:16 cmaynard ♦♦ |
2 Answers:
Yes, [I believe] Wireshark can capture all user data through the wireless router. See CaptureSetup/WLAN. Also see CaptureSetup/Ethernet on how you could set up the physical connections of your Wireshark host and router (e.g., router --> Wireshark host --> modem). Wireshark can start a new capture file every day. See Capture Options. In the Capture File(s) group box:
answered 05 May '11, 08:26 bstn edited 05 May '11, 08:33 |
You will likely run out of memory if you try to run Wireshark continuously for an entire day. And if you don't roll to the next file more frequently than once a day, you will probably end up with gigantic capture files that will be unmanageable. Instead, you should consider using dumpcap and rolling files more frequently than once a day, as well as limiting the maximum size of each capture file to something more manageable. Rather than retype everything here, you might want to refer to my first comment in this question for more information or search the site for references to dumpcap.
answered 05 May '11, 09:14 cmaynard ♦♦ |
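The rolling capture suggested in the answer above, with a continuity check over the resulting files, as an added example that is not part of the original thread. The interface name, output path and limits are assumed values, and `find_missing_seq` is a hypothetical helper name; the `dumpcap` options shown in the comment are its real ring-buffer options.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Rolling capture with dumpcap (interface, path and limits are assumptions):
#   dumpcap -i eth0 -w /var/captures/router.pcap \
#           -b duration:3600 -b filesize:102400
# -b duration:N  switches to a new file after N seconds
# -b filesize:N  switches to a new file after N kB
# dumpcap names each file <base>_<seq>_<YYYYMMDDhhmmss>.<ext>, so a gap in
# the sequence numbers means a capture file has gone missing.

# find_missing_seq (hypothetical helper): reads capture file names on stdin
# and prints every sequence number absent between the lowest and highest
# number seen, one per line. Names that do not match the pattern are ignored.
find_missing_seq() {
    sed -n 's/.*_\([0-9]\{5,\}\)_[0-9]\{14\}\.pcap[ng]*$/\1/p' |
    sort -n |
    awk '{ n = $1 + 0
           if (NR > 1) for (i = prev + 1; i < n; i++) printf "%05d\n", i
           prev = n }'
}

# Constructed sample listing: files 00003 and 00004 are absent.
printf '%s\n' \
    router_00001_20110505000000.pcap \
    router_00002_20110505010000.pcap \
    router_00005_20110505040000.pcap \
    notes.txt | find_missing_seq
```

Against a real capture directory the listing would come from `ls` instead of the constructed names, for example `ls /var/captures | find_missing_seq`.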
IANAL (I am not a lawyer).
That being said, it seems to me that in my wanderings on the web I recently saw something about legal/technical requirements for a capture to be admissible in a court of law.
I got the impression that capturing from a span/monitoring router port might not be acceptable due to issues re guaranteeing that all packets are actually captured. (I'm guessing using a span/monitoring port is what you mean by "promiscuous mode").
So: I suggest you may want to get legal advice from someone qualified in this type of matter.