I'm a total noobie to this. My ultimate goal is to look at what info is "leaked" by my iPhone & Mac laptop when connected to a public WiFi connection. Originally I installed WS on a hard wired computer assuming that the wireless data must ultimately end up on the wired network to hit the router and then be routed to the internet. When I filter for the phone IP and then browse or check mail all I see is MDNS to 224.0.0.251. I then installed WS on a laptop and monitored the wireless interface. Again all I see is MDNS to 224.0.0.251. Can someone give me some insight on this and is it possible to see what is seeking out of my phone? Thanks
asked 14 Jun '15, 12:37 JackP
2 Answers:
(I assume this was on your home network, not on a public network.)
The "M" in "MDNS" is key here; it stands for "multicast", and means the traffic you're capturing is multicast traffic, sent out to all hosts in the multicast group, not unicast traffic, sent by one host to another.
I'm guessing that you have some sort of Wi-Fi device that has multiple Ethernet ports, and that you plugged the hardwired computer into one of those Ethernet ports. If so, what you have in that device is probably a combination of an Ethernet switch, a Wi-Fi adapter, and a bridge between Wi-Fi and Ethernet. If the device is a combined cable modem/DSL modem/etc. and Wi-Fi/Ethernet device, the router inside the box either receives traffic directly from the Wi-Fi device and an internal port on the Ethernet switch, or from an internal port on the Ethernet switch, and routes Internet traffic onto the cable/DSL/etc. port. If it connects to a cable modem/DSL modem/etc., the router probably works similarly, except that it routes Internet traffic onto an Ethernet port marked "WAN" or "Internet" or something such as that, sending it to the cable modem/DSL modem/etc. In any case, this means you're probably dealing with a switched Ethernet - and on a switch that probably does not support "port mirroring" or whatever the vendor would call it. If you have a combined modem/Wi-Fi/Ethernet device, you won't be able to capture the Internet traffic (without some very specialized equipment to sniff on the cable modem/DSL/etc. port, and I'm not sure whether that's even available to you). If you have a separate Wi-Fi/Ethernet device and modem, you could tap the traffic between the device and the modem by using an Ethernet hub (careful, not a "hub" that's really a switch!) or by making the hardwired computer into a "machine in the middle" or by using a network tap or other tricks listed there. You would, of course, also have to capture in promiscuous mode on the Ethernet adapter.
You would have to capture in monitor mode on the laptop, if that's possible; see the Wireshark Wiki article on WLAN capturing. If your network is protected, i.e. if it's using WEP or WPA/WPA2, you will also have to configure Wireshark so that it can decrypt the traffic and, if it's WPA/WPA2, ensure that you capture the "initial handshake" for each of the devices whose traffic you want to decrypt.
answered 14 Jun '15, 13:30 Guy Harris ♦♦
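The answer above explains two things at once: "M" means multicast, and the hardwired computer sits behind a learning Ethernet switch that delivers unicast frames only to the port that owns the destination MAC. The following Python model, added here as an illustration and not part of the answer or of Wireshark, simulates that switch with a few constructed frames (phone on port 0, router on port 1, the capturing PC on port 2). It shows that the sniffer sees the phone's mDNS (flooded, because the destination MAC has the group bit set) and, as a caveat the answer implies, one unicast frame that was flooded only because the router's MAC had not yet been learned; every later web or mail frame is switched straight to the router's port and never reaches the capture port. All MAC and IP addresses are made up for the example.

```python
"""Why a passive sniffer on a switched LAN sees only multicast (added example).

A MAC-learning switch floods broadcast, multicast and unknown-destination
frames to every other port, but sends frames for a MAC it has already
learned to that one port only.  Addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    note: str


def ipv4_kind(addr: str) -> str:
    """Classify an IPv4 destination as multicast (224.0.0.0/4), broadcast or unicast."""
    ip = ipaddress.ip_address(addr)
    if ip.is_multicast:
        return "multicast"
    if addr == "255.255.255.255":
        return "broadcast"
    return "unicast"


def dst_mac_is_group(mac: str) -> bool:
    """The I/G bit (LSB of the first octet) marks multicast/broadcast MACs."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class LearningSwitch:
    ports: int
    table: dict = field(default_factory=dict)  # learned MAC -> port

    def forward(self, frame: Frame, in_port: int) -> list:
        """Return the ports the frame is delivered to, learning the source MAC."""
        self.table[frame.src_mac.lower()] = in_port
        dst = frame.dst_mac.lower()
        if dst_mac_is_group(dst) or dst not in self.table:
            # flood: broadcast, multicast, or not-yet-learned unicast destination
            return [p for p in range(self.ports) if p != in_port]
        return [self.table[dst]]  # known unicast: one port only


def sniffer_view(frames, switch: LearningSwitch, sniff_port: int) -> list:
    """Notes of the frames that actually arrive at the capturing port."""
    return [f.note for f, in_port in frames if sniff_port in switch.forward(f, in_port)]


# Constructed topology: phone bridged in on port 0, router on port 1, sniffer on port 2.
PHONE_MAC, ROUTER_MAC = "3a:11:22:33:44:55", "02:00:00:00:00:01"
MDNS_MAC, MDNS_IP = "01:00:5e:00:00:fb", "224.0.0.251"  # mDNS group address

FRAMES = [
    (Frame(PHONE_MAC, MDNS_MAC, "192.168.1.20", MDNS_IP, "phone mDNS query"), 0),
    (Frame(PHONE_MAC, ROUTER_MAC, "192.168.1.20", "203.0.113.10",
           "phone HTTPS SYN (router MAC not yet learned)"), 0),
    (Frame(ROUTER_MAC, PHONE_MAC, "203.0.113.10", "192.168.1.20", "router HTTPS SYN-ACK"), 1),
    (Frame(PHONE_MAC, ROUTER_MAC, "192.168.1.20", "203.0.113.11", "phone IMAP request"), 0),
]


def demo() -> list:
    """What Wireshark on the hardwired PC (port 2) would see of the phone's traffic."""
    return sniffer_view(FRAMES, LearningSwitch(ports=3), sniff_port=2)


if __name__ == "__main__":
    for note in demo():
        print("captured:", note)
```

Running it prints only the mDNS query and the first HTTPS frame; once the switch has learned both MACs, the remaining unicast traffic is invisible to port 2, which is exactly the capture described in the question. Port mirroring, a true hub, or a tap are the ways around that; decrypting a WPA/WPA2 monitor-mode capture additionally needs the four-way handshake, as the answer notes.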
Some good reading material before trying to capture again:
answered 14 Jun '15, 13:34 Amato_C