This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireless traffic to/from another device is not getting captured

0

Hi,

I'm trying to use Wireshark on a Win8 laptop to capture the wifi traffic of an MSP430/CC3100 iot device on my network,

The IP/MAC of the device, as reported via the serial port, matches the IP assigned to that MAC in the router's DHCP table.

However, I while I see a bunch of Wireshark traffic, I don't see ANY traffic to/from that IP, despite the iot device working and application communicating to the net fine. Since there's lots of other IP traffic, I thought maybe I'm just missing it, so tried filtering to only that IP but it also shows no traffic.

The laptop and the iot device, both connect to the internet via the same wireless router, so not sure why it wouldn't see that traffic?

http://i.imgur.com/eFrvn89.jpg

asked 13 Dec '15, 20:32

benn%20n's gravatar image

benn n
6223
accept rate: 0%

edited 16 Dec '15, 03:58

grahamb's gravatar image

grahamb ♦
19.8k330206


One Answer:

1

It is a common misconception that promiscuous mode on a wireless interface is enough to capture traffic between any two pieces of equipment the WLAN to which the capturing device is connected. Unfortunately, this is not the case, and you would have to use monitoring mode which is not supported on Windows (because WinPcap doesn't support it, see details here).

So if you need to capture the network communication of Your Device, your options are to use another OS on your laptop for the purpose, or use a dedicated device to capture, or run tcpdump on the WiFi router through which Your Device talks to the 'net. A WiFi router which can be flashed with an open software like e.g. OpenWrt may be easier to obtain than an AirPcap dedicated device and still sufficient for your purpose.

answered 14 Dec '15, 01:08

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%

Thanks for clarifying, I was definately misconceived! So I've got an old laptop (wifi Ralink RT3290) that I could repurpose with a live (ubuntu?) linux distro.. but is there a usb-wifi adapter you'd recommend that should work out of the box for this application? Something based on the Realtek RTL8188cus?

(14 Dec '15, 09:21) benn n

If you actually don't need the monitor mode, i.e. if what you really need is just to capture the communication of Your Device, it should be enough to make the old laptop an access point for Your Device (using a different SSID and channel from the main WiFi, and setting the Ethernet port as uplink to the 'net), so you wouldn't have to buy another WiFi in hope it will support monitor mode better than the onboard one.

If the WiFi is your only connection to the 'net or if you strongly prefer to run Wireshark on the Windows laptop, you may provide the cable connection for the Ubuntu laptop by setting up "internet connection sharing" on the Win8 laptop - with the WiFi as the "shared connection" and the Ethernet as the interface through which it is shared. This effectively means that Windows set up 192.168.138.1/24 on the Ethernet and run as DHCP server, and apply NAT on the traffic coming from the Ethernet and forwarded out through WiFi. You would then capture on the Win 8's Ethernet port, saving yourself the burden of decrypting wireless communication.

If you choose this way, you may most likely set up a bridge (instead of routing) between Ethernet and Wifi on the Ubuntu laptop.

(14 Dec '15, 11:50) sindy

...an afterthought, if you use the old laptop the way I've suggested, you may even keep Windows on it.

(15 Dec '15, 01:48) sindy

Thanks, I hadn't thought of that but using the Win8 machine as a proxy to the iot device seems like a better way to get around my wireshark/network issue. Haven't tried either yet, but Connectify's Hotspot or Codeplex's Virtual-Router/Plus might have this functionality built-in.. i.e. win8 software that creates a wifi hotspot, and bridges it to another wifi network.

(15 Dec '15, 11:46) benn n

Might be, just bear in mind the following:

  • if the software really "bridges" (i.e. works as a WDS repeater on a single SSID), the transit of the WiFi traffic may happen completely "inside the driver", so the transit traffic may again be unavailable on the Win8's network interface for capture,

  • not every WiFi card supports mixed mode (client for one SSID and AP for another),

  • if your one does, so you can run more than one SSID on it, thus creating more than one network interface at OS level (one per SSID) and bridging or routing between them as between any other Ethernet-like network interfaces, you still have to use the same frequency channel for all of them, which implies that they share the common bandwidth. This may be a problem if the "donor" WiFi is already close to congestion.

So a piece of good'ol' cable between two machines, where one would be a clean client on one SSID & channel and the other one a clean AP on another SSID & channel, is a better option in my opinion.

(15 Dec '15, 12:24) sindy

Haven't had much luck getting it to work.. I've got the the iot connected to the laptop's wifi nic, and the laptop connected via wire to the router. I've tried Connectify Hotspot, Virtual Router/Plus, mhotspot, and mypublicwifi, yet in all cases, the iot is connecting to the internet, meaning the hotspot works, yet Wireshark doesn't see that wifi traffic. I'm guessing that's because the briding is done in the software/driver like you warned. How would you recommend to create a non-software driver based wifi proxy?

(18 Dec '15, 22:11) benn n

That sounds strange to me. My remark about bridging inside the driver was related and only relevant to a case where you would bridge between two WLANs on a single WiFi interface. When we talk about two distinct physical interfaces (one WiFi and one wired Ethernet, or even two distinct WiFi cards), the bridging or routing is almost certainly done by the operating system, so Wireshark should be able to access the packets.

I admit that I haven't checked whether it was possible to use AP mode of a WiFi card in plain Win7 before answering (apparently it is not, I remembered from WinXP that it could be done and have never needed it since starting to use Win7), but it seems there is a bunch of 3pty applications substituting that missing Win7 functionality. But I don't think these would control the wired interface directly, bypassing the driver.

So although there may be some peculiarities in capturing at the WiFi interface, capturing on the wired interface should be possible and enough for the purpose. However, it depends on whether the 3pty software activates bridging or routing between the WiFi and the wired Ethernet interface. Bridging would mean that you would be able to use the iot's MAC and/or IP address as capture filter at the wired Ethernet; routing would most likely come along with NAT so neither the MAC nor the IP of the iot would be visible there, as they would be translated to the wired Ethernet interface's own ones, and you would have to use different criteria (remote IPs or ports if you know them) to tell the iot's traffic from the laptop's own one.

Another speculation - couldn't it simply be that something went wrong and the iot continued to use the SSID of the original router, instead of the one of the laptop?

(19 Dec '15, 05:55) sindy
showing 5 of 7 show 2 more comments