
How to capture traffic from behind a wireless router?

0

I have set up a lab environment. My Wireshark PC is at 172.16.1.2, my wireless router is at 172.16.0.3 and it has a NAT network of 192.168.0.0/24. I have an Apache server at 172.16.1.4. I want to catch HTTP traffic from a device using 192.168.0.2 to my Apache server at 172.16.1.4. I'm using MITM to route the wireless router's traffic through my Wireshark box to the gateway 172.16.1.1, but I can't capture any HTTP traffic between 192.168.0.2 and 172.16.1.4. How can I accomplish this? Thanks for reading.

asked 01 Nov '15, 05:11


Dantezyates
accept rate: 0%


One Answer:

0

I'm using MITM to route the wireless router's traffic through my Wireshark box to the gateway 172.16.1.1, but I can't capture any HTTP traffic

Apparently your capture setup is faulty. Please read the Ethernet Capture Wiki to figure out how to capture that traffic.

https://wiki.wireshark.org/CaptureSetup/Ethernet

Most certainly, the best way would be to use a cheap switch with port mirroring capabilities, or to capture on one of the involved systems (192.168.0.2 or 172.16.1.4). If neither of these is an option for you, you'll have to figure out what's wrong with your MITM setup.

Regards
Kurt

answered 02 Nov '15, 04:08


Kurt Knochner ♦
accept rate: 15%

edited 02 Nov '15, 04:08

I'm using ettercap with this command: "ettercap -Tqi eth0 -M arp //172.16.1.1/ //172.16.1.3/". .1 is the gateway and .3 is the wireless router that 192.168.0.2 is sitting behind.

(02 Nov '15, 11:35) Dantezyates
1

This is the Wireshark Q&A site. As your problem is related to ettercap, you'd better ask the question in an ettercap forum, or a pentesting forum like: https://forums.kali.org/

Just a brief hint: maybe the wireless router and/or your gateway ignores your ARP spoofing tricks (for whatever reason).

(02 Nov '15, 16:09) Kurt Knochner ♦
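One way to check the hint above from a defender's side is to look at the ARP frames themselves: if a capture shows the same IP address announced with more than one MAC, some host on the segment is being told conflicting bindings, which is exactly what an ARP cache poisoning attempt looks like on the wire and what a network monitor should alert on. The following Python script is an added example, not code from this thread, from Wireshark or from ettercap. It parses raw Ethernet II/ARP frames with the standard library only and flags IP-to-MAC conflicts. The capture it runs on is constructed inline: the IPs are the lab addresses mentioned in the thread (172.16.1.1 gateway, 172.16.1.3 router, 172.16.1.2 capture box), while the MAC addresses are made up locally administered values.

```python
import struct
from dataclasses import dataclass

ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


@dataclass
class ArpInfo:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def parse_arp(frame: bytes):
    """Return ArpInfo for an Ethernet II/ARP (IPv4) frame, or None for anything else."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, _src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # only Ethernet/IPv4 ARP is handled here
    return ArpInfo(op, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


def detect_arp_conflicts(frames):
    """Flag every sender IP that is announced with more than one MAC.

    The first MAC seen for an IP becomes the baseline; each later frame that
    binds the same IP to a different MAC yields (ip, baseline_mac, new_mac).
    Requests and replies both carry a sender binding, so both are checked.
    """
    baseline = {}
    alerts = []
    for frame in frames:
        info = parse_arp(frame)
        if info is None:
            continue
        known = baseline.setdefault(info.sender_ip, info.sender_mac)
        if known != info.sender_mac:
            alerts.append((info.sender_ip, known, info.sender_mac))
    return alerts


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """Assemble a raw frame; used only to construct the sample capture below."""
    eth = ETH.pack(mac_bytes(dst_mac or target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP.pack(1, 0x0800, 6, 4, op, mac_bytes(sender_mac), ip_bytes(sender_ip),
                   mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


# Constructed sample capture: MACs are made up, IPs are the thread's lab addresses.
GATEWAY_MAC = "02:00:00:00:01:01"   # 172.16.1.1
ROUTER_MAC = "02:00:00:00:01:03"    # 172.16.1.3
SNIFFER_MAC = "02:00:00:00:01:02"   # 172.16.1.2, the host re-announcing both IPs
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

SAMPLE_FRAMES = [
    # legitimate request/reply between the router and the gateway
    build_arp(ARP_REQUEST, ROUTER_MAC, "172.16.1.3", ZERO_MAC, "172.16.1.1", dst_mac=BROADCAST),
    build_arp(ARP_REPLY, GATEWAY_MAC, "172.16.1.1", ROUTER_MAC, "172.16.1.3"),
    # unsolicited replies re-binding each side's IP to a third MAC
    build_arp(ARP_REPLY, SNIFFER_MAC, "172.16.1.1", ROUTER_MAC, "172.16.1.3"),
    build_arp(ARP_REPLY, SNIFFER_MAC, "172.16.1.3", GATEWAY_MAC, "172.16.1.1"),
    b"\x00" * 20,  # truncated junk frame, ignored by the parser
]

if __name__ == "__main__":
    for ip, good, bad in detect_arp_conflicts(SAMPLE_FRAMES):
        print(f"ARP conflict: {ip} was {good}, now claimed by {bad}")
```

On the sample capture the detector reports two conflicts, one per poisoned binding. Run against real frames, an alert only proves that conflicting announcements were sent; whether a host actually accepted the new binding is visible in the unicast traffic that follows (which destination MAC it now uses for the gateway IP), which is the same thing the thread's capture setup depends on.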

Well, I can see all the traffic routing through my Wireshark machine, just not the HTTP login.

(03 Nov '15, 01:02) Dantezyates
1

just not the HTTP login

Most certainly because the login is transmitted via HTTPS.

(03 Nov '15, 04:34) Kurt Knochner ♦

How can they? The site is HTTP only; it's only a virtual Ubuntu box running apache2.

(04 Nov '15, 12:47) Dantezyates

I concluded that only from your statement.

Well, I can see all the traffic routing through my Wireshark machine, just not the HTTP login.

If you can see ALL traffic (which includes HTTP in general), but not the 'HTTP login', I see the following possible reasons:

  • the password is transmitted via HTTPS. Whether that's possible depends on the configuration of the server. I can't tell you.
  • the password gets transmitted in cleartext, but you can't find it. There are many reasons. I can't tell you without a pcap file and some description what you did to find the login/password/whatever you are looking for.
  • the password gets transmitted in an encoded form (e.g. done by JavaScript)

Without a pcap file and more details about the nature of the 'HTTP login' (is it a form-based authentication, HTTP Basic authentication, etc.), it's impossible to tell you more than I did.

(05 Nov '15, 08:47) Kurt Knochner ♦