This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Sniff packets for wireless thermostat

0

I want to be able to capture the packets which turn the thermostat on and off and, ideally, be able to send those to the device. Can this be done?

Thanks

asked 19 Jul '15, 12:12


Oleg C
1112
accept rate: 0%

I am posting my network configuration so that it helps you help me.

my network configuration

(30 Jul '15, 18:03) Oleg C

3 Answers:

0

Probably, but not easily.

Firstly you need a device capable of capturing the wireless traffic, which likely isn't standard Wi-Fi, then you have to get the device to provide the traffic in a form that Wireshark can understand, either as a pcap type file, or using a facility such as extcap with an external program connecting to the device.

answered 19 Jul '15, 12:22


grahamb ♦
19.8k330206
accept rate: 22%

Actually, the Nest thermostat apparently uses HTTPS over Wi-Fi with JSON payloads. On the other hand, Honeywell has their own wireless protocol that they use for at least some thermostats, although they also have Wi-Fi thermostats.

(19 Jul '15, 14:06) Guy Harris ♦♦

Hi, Grahamb,

Thanks for replying.

The thermostat is connected to my Wi-Fi and has an IP assigned, so how could this be NOT regular Wi-Fi traffic? It is one of those smart thermostats. Now, remember, I am not knowledgeable at these things, so I could be mistaken.

(19 Jul '15, 16:56) Oleg C

Well, as per my comment, there are smart thermostats that don't use Wi-Fi, but if you know that it's using IP-over-Wi-Fi, then it's like capturing traffic for any other device on whatever Wi-Fi network it's on.

If the program talking to the thermostat is running on the program running Wireshark, you may be able to capture traffic in non-promiscuous, non-monitor mode on your Wi-Fi adapter.

If the program is not running on the program running Wireshark, you'll need to use monitor mode, and the way you do that is platform-dependent and may be complicated, and if your network is "protected" (using WEP or WPA/WPA2), you'll have to decrypt the traffic, and that's complicated, especially if you're using WPA/WPA2.

(19 Jul '15, 17:08) Guy Harris ♦♦

Hi, Grahamb.

My thermostat is a Honeywell RTH6580WF. What do you mean by "running on the program running Wireshark", and how do I find out? My Wi-Fi security is WPA2.

Sorry for being clueless, but I guess at some point in time you were clueless too and someone took time to educate you :)

(30 Jul '15, 17:59) Oleg C

Hi, Grahamb.

My thermostat is Honeywell RTH6580WF. What do you mean "running on the program running Wireshark"

"Grahamb" != "Guy Harris".

And what I meant was "running on the machine running Wireshark", i.e. if the program talking to the thermostat is running on the same machine as the one on which you're running Wireshark, it's relatively easy to capture the traffic, but if it's not, it's harder.

(30 Jul '15, 23:30) Guy Harris ♦♦

Shoot.... There is no Windows application for this. The thermostat is controlled in 2 ways: through the website interface or through the Android app. By the way, would it be an easier task to intercept Wi-Fi traffic from an Android device?

(31 Jul '15, 11:22) Oleg C

0

As Guy Harris explained, capturing the WiFi packets from the Nest thermostat is only part of the solution.

If your WiFi network is using WPA2 (which I hope it is!), then you will need to decrypt the WiFi traffic. This requires capturing the EAP exchange at the beginning of the WiFi connection between the Nest and your WiFi network. This will require you to go to the WiFi settings in the Nest, delete the WiFi profile that has already been established (assuming that one is established), start the WiFi capturing and then reconnect the Nest to the WiFi network. This is not a big deal.

However, all traffic (yes, even simple ON/OFF commands) is sent to the Nest server over HTTPS. This means that all Internet traffic is encrypted using TLS/SSL. But there is a way around this also. You will need to set up a proxy server and capture the HTTPS - basically emulating a man-in-the-middle attack.

Still interested? ;)

answered 20 Jul '15, 17:52


Amato_C
1.1k142032
accept rate: 14%
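
The WPA2 step in the answer above depends on the capture containing the EAPOL-Key four-way handshake that takes place when the thermostat joins the network. As an added example (not part of the original thread), this Python code classifies raw EAPOL payloads by their Key Information flags and reports which of the four handshake messages are missing from a capture. The frames are constructed samples with zeroed key fields, and all function names, including `make_frame`, are illustrative.

```python
import struct

# Key Information flag masks in an IEEE 802.11 EAPOL-Key frame
KEY_TYPE_PAIRWISE = 0x0008
INSTALL = 0x0040
KEY_ACK = 0x0080
KEY_MIC = 0x0100
SECURE = 0x0200


def classify_eapol_key(frame: bytes):
    """Return 1-4 for a pairwise 4-way handshake message, else None."""
    if len(frame) < 7:
        return None
    _version, ptype, _length = struct.unpack_from("!BBH", frame, 0)
    if ptype != 3:  # 3 = EAPOL-Key
        return None
    descriptor, info = struct.unpack_from("!BH", frame, 4)
    if descriptor != 2 or not info & KEY_TYPE_PAIRWISE:  # 2 = RSN (WPA2)
        return None
    ack, mic = bool(info & KEY_ACK), bool(info & KEY_MIC)
    install, secure = bool(info & INSTALL), bool(info & SECURE)
    if ack and not mic:
        return 1  # AP -> station, carries ANonce
    if ack and mic and install:
        return 3  # AP -> station, install key
    if not ack and mic:
        # Assumption: WPA2/RSN, where message 4 has Secure set and message 2 does not
        return 4 if secure else 2
    return None


def missing_messages(frames):
    """List the handshake message numbers not seen in the given EAPOL payloads."""
    seen = {classify_eapol_key(f) for f in frames}
    return [n for n in (1, 2, 3, 4) if n not in seen]


def make_frame(key_info: int) -> bytes:
    """Constructed sample: EAPOL header plus key descriptor with zeroed key fields."""
    body = struct.pack("!BHH", 2, key_info, 16) + bytes(90)
    return struct.pack("!BBH", 2, 3, len(body)) + body


# Constructed captures: one taken across a reconnect, one started mid-session
# (the latter sees only a group-key rekey frame, which is not a pairwise message).
WITH_RECONNECT = [make_frame(k) for k in (0x008A, 0x010A, 0x13CA, 0x030A)]
MID_SESSION = [make_frame(0x1382)]
```

A non-empty result from `missing_messages` for the thermostat's association means the capture was started too late, which is why the answer has the device rejoin the network while capturing.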

Yes, I am interested. Please give me simple instructions on what to do. I do admire your knowledge, thanks a lot for your help.

(30 Jul '15, 18:03) Oleg C

OK. Let's start by first capturing WiFi packets. It doesn't matter what WiFi packets, as long as we can capture something at the beginning. Below is a Wiki page from Wireshark. You will probably not understand most of it, but use it in the future for reference:

https://wiki.wireshark.org/CaptureSetup/WLAN

With all that said, a few questions:

  1. Do you have a computer that has a WiFi adapter (desktop or PC) that is in the vicinity of the thermostat and WiFi router?

  2. What is the OS of the computer you plan to capture WiFi traffic?

(30 Jul '15, 18:39) Amato_C

My setup is as follows. LAN cable from Verizon FIOS comes into my MAIN router, I have a LAN network connected to that router, which includes several computers. All of them have Wi-Fi adapters. Then a secondary/Wi-Fi router is connected to my main via another LAN cable. The wireless router is where all the Wi-Fi traffic goes through.

I turned on Wireshark and was able to capture the traffic on my LAN port.

I run Windows 7.

(31 Jul '15, 11:26) Oleg C

I posted a diagram of my network in the original post above.

(31 Jul '15, 11:29) Oleg C

0

traffic capture screenshot

answered 31 Jul '15, 11:37


Oleg C
1112
accept rate: 0%

So, I just tried connecting to the thermostat in my browser and filtered the traffic by IP.

(31 Jul '15, 11:38) Oleg C

Screenshots are not helpful. It is best to post your capture on cloudshark or any shared network drive such as Google Drive. But before taking and posting the capture do the following:

  1. Close all the Internet browsers on your machine you plan to use for the capture.

  2. Start Wireshark on the Ethernet interface.

  3. Open the web browser and navigate to the desired URL.

  4. Enter a command.

Then post your capture.

(02 Aug '15, 17:19) Amato_C