This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I'm a total noobie to this. My ultimate goal is to look at what info is "leaked" by my iPhone & Mac laptop when connected to a public WiFi connection. Originally I installed WS on a hard wired computer assuming that the wireless data must ultimately end up on the wired network to hit the router and then be routed to the internet. When I filter for the phone IP and then browse or check mail all I see is MDNS to 224.0.0.251.

I then installed WS on a laptop and monitored the wireless interface. Again all I see is MDNS to 224.0.0.251.

Can some one give me some insight on this and is it possible to see what is seeking out of my phone?

thanks

asked 14 Jun '15, 12:37

JackP's gravatar image

JackP
6112
accept rate: 0%


(I assume this was on your home network, not on a public network.)

all I see is MDNS

The "M" in "MDNS" is key here; it stands for "multicast", and means the traffic you're capturing is multicast traffic, sent out to all hosts in the multicast group, not unicast traffic, sent by one host to another.

Originally I installed WS on a hard wired computer assuming that the wireless data must ultimately end up on the wired network to hit the router and then be routed to the internet.

I'm guessing that you have some sort of Wi-Fi device that has multiple Ethernet ports, and that you plugged the hardwired computer into one of those Ethernet ports.

If so, what you have in that device is probably a combination of an Ethernet switch, a Wi-Fi adapter, and a bridge between Wi-Fi and Ethernet. If the device is a combined cable modem/DSL modem/etc. and Wi-Fi/Ethernet device, the router inside the box either receives traffic directly from the Wi-Fi device and an internal port on the Ethernet switch, or from an internal port on the Ethernet switch, and routes Internet traffic onto the cable/DSL/etc. port. If it connects to a cable modem/DSL modem/etc., the router probably works similarly, except that it routes Internet traffic onto an Ethernet port marked "WAN" or "Internet" or something such as that, sending it to the cable modem/DSL modem/etc..

In any case, this means you're probably dealing with a switched Ethernet - and on a switch that probably does not support "port mirroring" or whatever the vendor would call it. If you have a combined modem/Wi-Fi/Ethernet device, you won't be able to capture the Internet traffic (without some very specialized equipment to sniff on the cable modem/DSL/etc. port, and I'm not sure whether that's even available to you). If you have a separate Wi-Fi/Ethernet device and modem, you could tap the traffic between the device and the modem by using an Ethernet hub (careful, not a "hub" that's really a switch!) or by making the hardwired computer into a "machine in the middle" or by using a network tap or other tricks listed there.

You would, of course, also have to capture in promiscuous mode on the Ethernet adapter.

I then installed WS on a laptop and monitored the wireless interface.

You would have to capture in monitor mode on the laptop, if that's possible; see the Wireshark Wiki article on WLAN capturing. If your network is protected, i.e. if it's using WEP or WPA/WPA2, you will also have to configure Wireshark so that it can decrypt the traffic and, if it's WPA/WPA2, ensure that you capture the "initial handshake" for each of the devices whose traffic you want to decrypt.

permanent link

answered 14 Jun '15, 13:30

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

Some good reading material before trying to capture again:

  1. If you want to capture on the wired network: https://wiki.wireshark.org/CaptureSetup/Ethernet
  2. If you want to capture on the wireless network: https://wiki.wireshark.org/CaptureSetup/WLAN
permanent link

answered 14 Jun '15, 13:34

Amato_C's gravatar image

Amato_C
1.1k142032
accept rate: 14%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×26

question asked: 14 Jun '15, 12:37

question was seen: 23,047 times

last updated: 14 Jun '15, 13:34

p​o​w​e​r​e​d by O​S​Q​A