Hi, I'm trying to see if I could capture only the packets to the router admin page when accessed from my phone. I believe I'd need to capture in monitor mode, but then the source and destination are all MAC addresses and it's not clear where the destination IP can be found. Is there a way to capture only the traffic to/from the router web server? Thanks
asked 04 Aug '15, 11:30 mun
One Answer:
Sadly, if you're capturing in monitor mode on a protected network (WEP or WPA/WPA2), the packets you receive are mostly encrypted, and don't get decrypted until Wireshark processes them, which is too late to apply a capture filter.

If the router is running some form of open-source firmware, you might be able to do the capture on the router, which wouldn't need to be done in monitor mode, and which would give you packets decrypted by the router hardware or firmware, probably before any capture filter is applied.

If your phone is running iOS, there are some options that might let you capture the traffic. The remote virtual interface might let you filter on the IP address. If your phone is running Android, you might be able to run tcpdump on it and capture the traffic; there might be other options as well.
answered 04 Aug '15, 14:11 Guy Harris
I see. No, the router isn't running a custom firmware. Suppose I'm not running tcpdump on my phone. Is the best approach to just capture all packets and then find the EAPOL handshake between my phone and the router using my phone's MAC address, and with that find the right packets? Can all this be done within Wireshark by using the MAC address capture filter?
If you filter using the MAC address of your phone, that should work. Try "wlan host XX:XX:XX:XX:XX:XX", then make sure Wireshark can decrypt the traffic, and use a display filter.
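The procedure from the last comment (MAC-based capture filter, check that the EAPOL handshake was captured, decrypt, then display-filter on the router's IP), as an added example that is not part of the original thread. It is a POSIX shell script wrapping tshark, the command-line counterpart of Wireshark; it assumes tshark is installed, and the interface name, phone MAC, SSID, passphrase and router IP are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original thread. Wraps tshark (Wireshark's CLI):
# capture only frames to/from the phone's MAC, confirm the EAPOL handshake is
# present, then decrypt and keep only traffic to/from the router's IP.
# Interface, MAC, SSID, passphrase and router IP are caller-supplied placeholders.

# True if $1 looks like XX:XX:XX:XX:XX:XX (hex pairs separated by colons).
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Capture filter from the comment above: frames where the phone is sender or receiver.
capture_filter() { printf 'wlan host %s' "$1"; }

# tshark preference string registering a WPA passphrase; the value format is "password:SSID".
# Passphrases containing ':' or '"' need extra escaping, which is not handled here.
key_pref() { printf 'uat:80211_keys:"wpa-pwd","%s:%s"' "$2" "$1"; }   # $1=SSID $2=passphrase

# Step 1: monitor-mode capture (-I) restricted to the phone's MAC, written to $3.
capture_phone() {
    valid_mac "$2" || { echo "invalid MAC: $2" >&2; return 1; }
    tshark -I -i "$1" -f "$(capture_filter "$2")" -w "$3"
}

# Step 2: count EAPOL frames involving the phone. Decryption needs the 4-way
# handshake, so if this is below 4, re-associate the phone while capturing.
eapol_count() {
    tshark -r "$1" -Y "eapol && wlan.addr == $2" 2>/dev/null | wc -l | tr -d ' '
}

# Step 3: decrypt with the passphrase and apply the display filter for the router IP.
router_traffic() {  # $1=pcap $2=SSID $3=passphrase $4=router IP
    tshark -r "$1" -o wlan.enable_decryption:TRUE -o "$(key_pref "$2" "$3")" \
           -Y "ip.addr == $4"
}

# Usage: ./router_only.sh wlan0mon AA:BB:CC:DD:EE:FF MySSID 'passphrase' 192.168.1.1
if [ "$#" -ge 5 ]; then
    pcap=phone.pcap
    capture_phone "$1" "$2" "$pcap"
    n=$(eapol_count "$pcap" "$2")
    echo "EAPOL frames seen: $n (the 4-way handshake is required for decryption)"
    router_traffic "$pcap" "$3" "$4" "$5"
fi
```

Stop the capture with Ctrl-C once the phone has loaded the admin page; the decryption step then runs on the saved file.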