Hi, I'm using an Intel Centrino Ultimate-N 6300 AGN network adapter on Windows 8.1. I'm trying to capture the traffic from my mobile phone(s), which are all connected to my home network. I've switched the various phones (iPhone/Android & Windows) onto airplane mode so I'm definitely going via the WiFi. I've got the interface set to capture in promiscuous mode. However, I am not capturing anything from the phones other than ARP packets outbound from the phones, but no responses and no other packets. I suspect that my network card (or the driver) simply doesn't have the capability to be "truly promiscuous" (to coin a phrase) - would anyone have any insight into this please? Thank you in advance, JG
asked 12 Feb '15, 13:43 joaneybee
One Answer:
It's called "monitor mode", and the adapter probably supports it, and there's a good chance that the driver does. However, WinPcap, which Wireshark uses to capture traffic on Windows, doesn't support monitor mode.
answered 13 Feb '15, 00:09 Guy Harris
Hi Guy, Thanks so much for your speedy response. So, does this mean that I can't use Wireshark on Windows 8.1 to capture wireless traffic? Should I switch over to Linux or some other O/S?
Kind regards, Joan
You can, but only with an AirPcap adapter (which does not work as a regular Wi-Fi adapter, just as a packet-capture adapter).
The alternatives are:
Note that you could use Linux under a virtualizer such as Parallels Workstation or VMware Workstation, and use a USB Wi-Fi adapter - start Linux in a virtual machine, plug the USB stick in, and tell Parallels/VMware to attach it to the virtual machine rather than the Windows host (I'm assuming that works in both Parallels and VMware; it works in VMware Fusion on OS X).
Guy, Thank you so much. You are a mine of information - thank you for sharing.
Kindest regards,
Joan
Hi Guy,
Back again!!
I've now tried a variety of configurations and still to no avail!
None of these configurations are either seeing or capturing the mobile phone packets.
What on earth am I doing wrong here? If I purchase an AirPcap device, will it be able to do what I need (e.g. capture the mobile device traffic)?
Sorry for sounding completely dumb here, I've no doubt the issue is between keyboard and chair (!) but I'm at a complete loss as to what to do next, and would really appreciate a steer.
Kind regards,
Joan
Running Wireshark on Windows without AirPcap, you will not be able to capture in monitor mode; there's nothing you can do there.
Running Network Monitor or Message Analyzer on Windows, you might be able to capture in monitor mode if the adapter's driver correctly supports the "Native 802.11 Wireless LAN" feature, including the "Network Monitor Operation Mode"; many drivers apparently do not support that. I don't know which ones do and which ones don't; you'll have to ask the vendor. Even if they do support it, if you're capturing on a "protected" network - i.e., one using WEP or WPA/WPA2, so that the traffic on the network is encrypted in order to make it harder to sniff - they might not support decrypting the traffic, so it might not look as if you're seeing the traffic. If you save the file in Network Monitor or pcap format, you may be able to read the file in Wireshark and, if you supply the network's password and, for WPA/WPA2, you have captured the "EAPOL handshake", you might be able to decrypt it in Wireshark.
Running Wireshark on Linux on a virtual machine, you might be able to capture in monitor mode, although you may have to use airmon-ng to turn monitor mode on and, if you then capture on the monitor-mode device airmon-ng creates, you will have the same problems with "protected" networks as described in the previous paragraph.
Running Wireshark on Windows with an AirPcap device, you should be able to capture the traffic, but, again, decryption is necessary. I'm not sure whether the AirPcap card can do the decryption itself or not but, if so, you'll need to supply the network's password and, for WPA/WPA2, you'll have to capture the "EAPOL handshake".
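The last three replies all come down to the same precondition: a WPA/WPA2 capture is only decryptable if the EAPOL 4-way handshake was captured. The script below is an added example, not code from this thread or from the Wireshark project; it is a small pcap checker that walks a DLT_IEEE802_11 capture, finds the EAPOL-Key frames, identifies which of the four handshake messages are present from the Key Information flags, and reports whether decryption is feasible before you spend time entering a passphrase. The MAC addresses and frames embedded in it are constructed test data, and the "decryptable" rule (messages 1 and 2, or 2 and 3, must both be present) is this script's own simplification of what the decryptor needs, not a statement of Wireshark's exact requirements.

```python
import struct

DLT_IEEE802_11 = 105                       # pcap link type: raw 802.11 frames, no radiotap
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP header with EAPOL ethertype
KEYINFO_INSTALL, KEYINFO_ACK = 0x0040, 0x0080
KEYINFO_MIC, KEYINFO_SECURE = 0x0100, 0x0200


def classify_eapol_key(key_info):
    """Map the EAPOL-Key Key Information flags to 4-way handshake message 1..4 (None if unknown)."""
    ack = bool(key_info & KEYINFO_ACK)
    mic = bool(key_info & KEYINFO_MIC)
    install = bool(key_info & KEYINFO_INSTALL)
    secure = bool(key_info & KEYINFO_SECURE)
    if ack and not mic:
        return 1                            # AP -> STA: ANonce, no MIC yet
    if ack and mic and install:
        return 3                            # AP -> STA: install key, GTK in key data
    if not ack and mic and not secure:
        return 2                            # STA -> AP: SNonce, first MIC
    if not ack and mic and secure:
        return 4                            # STA -> AP: final confirmation
    return None


def iter_pcap_frames(data):
    """Yield each frame body of a little-endian pcap file with 802.11 link type."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != DLT_IEEE802_11:
        raise ValueError("expected a little-endian pcap with DLT_IEEE802_11 frames")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def eapol_key_info(frame):
    """Return the Key Information field if this 802.11 data frame carries EAPOL-Key, else None."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:               # only data frames carry EAPOL
        return None
    hdr = 24
    if (fc0 >> 4) & 0x8:                    # QoS data subtype adds a 2-byte QoS control field
        hdr += 2
    if (fc1 & 0x03) == 0x03:                # ToDS+FromDS adds a fourth address
        hdr += 6
    body = frame[hdr:]
    if not body.startswith(LLC_SNAP_EAPOL):  # protected frames have a CCMP/TKIP header here instead
        return None
    eapol = body[8:]
    if len(eapol) < 7 or eapol[1] != 3:     # EAPOL packet type 3 == EAPOL-Key
        return None
    return struct.unpack("!H", eapol[5:7])[0]  # byte 4 is descriptor type, 5..6 is Key Information


def handshake_messages(pcap_bytes):
    """Set of 4-way handshake message numbers found in the capture."""
    seen = set()
    for frame in iter_pcap_frames(pcap_bytes):
        key_info = eapol_key_info(frame)
        if key_info is not None:
            msg = classify_eapol_key(key_info)
            if msg:
                seen.add(msg)
    return seen


def decryptable(seen):
    """Simplified feasibility rule (this script's assumption): needs nonces from both sides plus a MIC."""
    return {1, 2} <= seen or {2, 3} <= seen


# ---- constructed sample capture (not real traffic) ----
AP = bytes.fromhex("001122334455")          # constructed BSSID
PHONE = bytes.fromhex("66778899aabb")       # constructed station address
KEYINFO_BY_MSG = {1: 0x008A, 2: 0x010A, 3: 0x13CA, 4: 0x030A}


def build_eapol_key_frame(msg, key_data=b""):
    """Build a minimal 802.11 data frame carrying EAPOL-Key handshake message `msg`."""
    from_ap = msg in (1, 3)
    fc = bytes([0x08, 0x02 if from_ap else 0x01])                 # data frame, FromDS or ToDS
    addrs = (PHONE + AP + AP) if from_ap else (AP + PHONE + AP)   # addr1, addr2, addr3
    header = fc + b"\x00\x00" + addrs + b"\x00\x00"
    body = struct.pack("!BHH", 2, KEYINFO_BY_MSG[msg], 16) + bytes(8 + 32 + 16 + 8 + 8 + 16)
    body += struct.pack("!H", len(key_data)) + key_data
    return header + LLC_SNAP_EAPOL + struct.pack("!BBH", 2, 3, len(body)) + body


def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_IEEE802_11)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1423785600 + i, 0, len(frame), len(frame)) + frame
    return out


PLAIN_DATA = bytes([0x08, 0x01, 0, 0]) + AP + PHONE + AP + b"\x00\x00" + bytes.fromhex("aaaa030000000800") + b"E" * 20
FULL_CAPTURE = build_pcap([PLAIN_DATA] + [build_eapol_key_frame(m) for m in (1, 2, 3, 4)])
LATE_CAPTURE = build_pcap([build_eapol_key_frame(3), build_eapol_key_frame(4), PLAIN_DATA])  # started too late

if __name__ == "__main__":
    for name, cap in (("full", FULL_CAPTURE), ("late", LATE_CAPTURE)):
        seen = handshake_messages(cap)
        print(name, "handshake messages:", sorted(seen), "decryptable:", decryptable(seen))
```

Run against a real capture by replacing the constructed bytes with `open("capture.pcap", "rb").read()`; a capture with a monitor-mode adapter that shows only messages 3 and 4 (or none) is the "started too late" case, and the fix is to reconnect the phone to the network while capturing so the handshake is recorded.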