
Hi,

I'm using an Intel Centrino Ultimate-N 6300 AGN network adapter on Windows 8.1. I'm trying to capture the traffic from my mobile phone(s) which are all connected to my home network. I've switched the various phones (iPhone/ Android & Windows) onto airplane mode so I'm definitely going via the WiFi. I've got the interface set to capture in promiscuous mode.

However, I am not capturing anything from the phones other than ARP packets outbound from the phones, but no responses and no other packets. I suspect that my network card (or the driver) simply doesn't have the capability to be "truly promiscuous" (to coin a phrase) - would anyone have any insight into this please?

Thank you in advance

JG

asked 12 Feb '15, 13:43


joaneybee


I suspect that my network card (or the driver) simply doesn't have the capability to be "truly promiscuous" (to coin a phrase)

It's called "monitor mode", and the adapter probably supports it, and there's a good chance that the driver does. However, WinPcap, which Wireshark uses to capture traffic on Windows, doesn't support monitor mode.


answered 13 Feb '15, 00:09


Guy Harris ♦♦

Hi Guy, Thanks so much for your speedy response. So, does this mean that I can't use Wireshark on Windows 8.1 to capture wireless traffic? Should I switch over to Linux or some other O/S?

Kind regards, Joan

(13 Feb '15, 13:03) joaneybee

You can, but only with an AirPcap adapter (which does not work as a regular Wi-Fi adapter, just as a packet-capture adapter).

The alternatives are:

  1. use another program on Windows that can use the Windows Vista and later mechanisms for monitor-mode capturing, such as Microsoft Network Monitor, Microsoft Message Analyzer, or various other applications;
  2. use another operating system, such as Linux.

Note that you could use Linux under a virtualizer such as Parallels Workstation or VMware Workstation, and use a USB Wi-Fi adapter - start Linux in a virtual machine, plug the USB stick in, and tell Parallels/VMware to attach it to the virtual machine rather than the Windows host (I'm assuming that works in both Parallels and VMware; it works in VMware Fusion on OS X).

(13 Feb '15, 14:26) Guy Harris ♦♦

Guy, Thank you so much. You are a mine of information - thank you for sharing.

Kindest regards,

Joan

(13 Feb '15, 16:34) joaneybee

Hi Guy,

Back again!!

I've now tried a variety of configurations and still to no avail!

  1. Windows 8.1 & Centrino Ultimate 6300-N wireless adapter
  2. Windows 8.1 Host, Virtual Box with Kali Linux Guest, bridged Centrino wireless adapter
  3. Windows 8.1 Host, Virtual Box with Kali Linux Guest, RT73 USB Wlan adapter
  4. Kali Linux Host with Centrino wireless adapter
  5. Kali Linux Host with RT73 USB Wlan adapter
  6. Windows 8.1 & Windows Message Analyzer (each adapter tried with this).

None of these configurations are either seeing or capturing the mobile phone packets.

What on earth am I doing wrong here? If I purchase an AirPcap device, will it be able to do what I need (e.g. capture the mobile device traffic)?

Sorry for sounding completely dumb here, I've no doubt the issue is between keyboard and chair (!) but I'm at a complete loss as to what to do next, and would really appreciate a steer.

Kind regards,

Joan

(22 Feb '15, 15:19) joaneybee

Running Wireshark on Windows without AirPcap, you will not be able to capture in monitor mode; there's nothing you can do there.

Running Network Monitor or Message Analyzer on Windows, you might be able to capture in monitor mode if the adapter's driver correctly supports the "Native 802.11 Wireless LAN" feature, including the "Network Monitor Operation Mode"; many drivers apparently do not support that. I don't know which ones do and which ones don't; you'll have to ask the vendor. Even if they do support it, if you're capturing on a "protected" network - i.e., one using WEP or WPA/WPA2, so that the traffic on the network is encrypted in order to make it harder to sniff - they might not support decrypting the traffic, so it might not look as if you're seeing the traffic. If you save the file in Network Monitor or pcap format, you may be able to read the file in Wireshark and, if you supply the network's password and, for WPA/WPA2, you have captured the "EAPOL handshake", you might be able to decrypt it in Wireshark.

Running Wireshark on Linux on a virtual machine, you might be able to capture in monitor mode, although you may have to use airmon-ng to turn monitor mode on and, if you then capture on the monitor-mode device airmon-ng creates, you will have the same problems with "protected" networks as described in the previous paragraph.

Running Wireshark on Windows with an AirPcap device, you should be able to capture the traffic, but, again, decryption is necessary. I'm not sure whether the AirPcap card can do the decryption itself or not but, if so, you'll need to supply the network's password and, for WPA/WPA2, you'll have to capture the "EAPOL handshake".

(22 Feb '15, 19:11) Guy Harris ♦♦
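The last answer says decryption in Wireshark only works if the capture contains the WPA/WPA2 "EAPOL handshake". The following is an added example, my own code and not from this thread or from Wireshark, that checks a saved capture for that before you bother entering the password: it walks a classic pcap file (link type 105 = raw 802.11, or 127 = radiotap, which is what an airmon-ng monitor interface produces; pcapng is not handled), finds EAPOL-Key frames, and reports which of the four handshake messages are present, classifying them by the Key Information flags the same way a dissector does. The sample capture at the bottom is constructed in code, not a real recording.

```python
import struct
# EAPOL-Key "Key Information" flags (IEEE 802.11i) and the LLC/SNAP header that precedes EAPOL
PAIRWISE, INSTALL, ACK, MIC, SECURE = 0x0008, 0x0040, 0x0080, 0x0100, 0x0200
LLC_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"

def classify_eapol_key(key_info):
    """Map Key Information flags to 4-way handshake message 1..4; None for group-key/odd frames."""
    if not key_info & PAIRWISE:
        return None
    ack, mic, install, secure = (bool(key_info & b) for b in (ACK, MIC, INSTALL, SECURE))
    if ack:
        return 3 if mic and install else (None if mic else 1)
    return (4 if secure else 2) if mic else None

def eapol_key_info(frame):
    """Key Information of an 802.11 data frame that carries EAPOL-Key, else None."""
    fc = struct.unpack_from("<H", frame, 0)[0] if len(frame) >= 24 else 0
    if (fc >> 2) & 3 != 2:  # frame type 2 = data
        return None
    hdr = 24 + (6 if fc & 0x0300 == 0x0300 else 0) + (2 if fc & 0x0080 else 0)  # addr4, QoS ctl
    body = frame[hdr:]
    if len(body) < 15 or body[:8] != LLC_EAPOL or body[9] != 3:  # EAPOL type 3 = Key
        return None
    return struct.unpack_from(">H", body, 13)[0]

def handshake_messages(pcap):
    """Set of 4-way handshake message numbers present in a classic pcap (linktype 105 or 127)."""
    endian = "<" if struct.unpack_from("<I", pcap, 0)[0] == 0xA1B2C3D4 else ">"
    linktype = struct.unpack_from(endian + "I", pcap, 20)[0]
    seen, off = set(), 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from(endian + "I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if linktype == 127:  # radiotap: skip its header (little-endian length at bytes 2-3)
            frame = frame[struct.unpack_from("<H", frame, 2)[0]:]
        seen.add(classify_eapol_key(eapol_key_info(frame) or 0))
    return seen - {None}

def eapol_key_frame(key_info):
    """Constructed minimal 802.11 data frame carrying an EAPOL-Key message (sample, not a real capture)."""
    key_body = b"\x02" + struct.pack(">H", key_info) + bytes(92)  # RSN descriptor + zeroed fields
    return struct.pack("<H", 0x0008) + bytes(22) + LLC_EAPOL + b"\x02\x03" + struct.pack(">H", 95) + key_body

def build_pcap(frames, linktype=105):
    """Constructed classic pcap (magic, version 2.4, no tz offset, snaplen 65535) around the frames."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE = build_pcap([eapol_key_frame(PAIRWISE | ACK), eapol_key_frame(PAIRWISE | MIC),  # constructed
                     eapol_key_frame(PAIRWISE | ACK | MIC | INSTALL | SECURE),         # messages 1-4
                     eapol_key_frame(PAIRWISE | MIC | SECURE)])
```

Run `handshake_messages(open("capture.pcap", "rb").read())` on a real file saved from Wireshark, Network Monitor or a Linux monitor-mode interface; a result missing message 2 means the capture was started after the phone had already joined, and reconnecting the phone while capturing is the usual fix.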