This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Having issues capturing HTTP traffic on my network


I am using Kali Linux running Wireshark

I am trying to capture all the data that goes through my home network via any device connected to it. I have successfully put the interface into monitor mode and am running as root. On my interface wlan0 I can see a lot of traffic, but most of it is the devices requesting an IP address or joining or removing from a group (I am assuming that's just the router giving specific permissions against the firewall).

What I am trying to do is see the websites these devices on my network are trying to access. I can see everything from the PC in monitor mode (wlan0) and what it tries to access, but I can't see, for example, what sites my other laptop or my iPhones on my network are accessing. I have even changed the MAC address of wlan0 to match the MAC address of the router. I can't figure out what I am doing wrong.

I have verified via iwconfig that the card is in monitor mode and not in managed mode.

Thank you in advance, all help or advice is really appreciated

asked 15 Aug '16, 09:04


BitByte1981

Monitor mode is not sufficient to capture ALL wlan traffic; you need promiscuous mode support, too. It sounds like you may have this problem as well:

https://ask.wireshark.org/questions/54790/capturing-data-in-monitor-mode

And if you search here you will find plenty of others with similar issues.

Full capture capability also depends on having the correct modulation capability, so there are many things to review. So I propose that you:

  1. Describe the WiFi hardware you are using to capture packets and the Linux kernel in use. Maybe someone has run across that combination before and knows some limitations. Maybe not.
  2. Post a trace in an accessible location so everyone is clear on what the issue is.
  3. Describe the capability of the network around you: what are the other clients connected at? If your capturing adapter only supports 802.11bg, and your new fancy MacBook is 802.11ac, you will not be able to capture those packets. There are other limitations as well: spatial streams, encoding, etc.

joining or removing from a group

This is probably IGMP, for multicast support - likely LLMNR and maybe other protocols that could be in use.

have even changed the mac address of wlan0 to match the mac address of the router

I wouldn't do that! Let's walk before we run... when this is all sorted you can then play man-in-the-middle with a rogue AP using hostapd.

(15 Aug '16, 09:34) Bob Jones

Thanks Bob!

Wireshark has the box checked that says Promiscuous mode

  1. WiFi hardware is a Trendnet USB Adapter TEW-624UB (compliant with 802.11 n/g/b) Ralink chipset
  2. not sure how to post a trace
  3. The iPhones are 802.11a/b/g/n/ac so I am not sure what they are connecting on
  4. Our FiOS Quantum router supports 802.11 b/g/n/ac

Is it possible to force the iPhones to connect on n/g/b instead of ac? I am new to understanding the spectrums, but they are connecting on the 2.4 GHz band and not the 5 GHz band.

I am using the latest Kali Linux Kernel

(15 Aug '16, 11:59) BitByte1981

The Wireshark check box seems to have no effect on promiscuous mode when an adapter is in monitor mode. I don't know if that is by design or defect, but the behavior is driven by the driver, at least from what I have seen.

There are at least three variants of the TEW-624UB, one of which is Ralink which is a 2x2:2. Assuming you have that one, as described, Kali had a regression for several months that disabled promiscuous mode on the RT series drivers. That has since been fixed - details can be found here by searching or on www.aircrack-ng.org. Since you have the latest kernel, this should not affect you.

Try www.cloudshark.org to post a trace.

Devices will usually connect at the highest possible speed, so if 802.11ac is available, it will likely be used. The router would likely support abgn ac - just bgn ac would be very unusual (but it's a big world out there, so you never know). Usually you can turn off advanced features - force the router to bg mode for now and try that - make sure the channel is known and you are sniffing on that channel. Once you get Wireshark to show the traffic from the other devices, start enabling the more advanced features like 802.11 bgn, etc., to be sure you can collect the data you are looking for. Don't forget about encryption.

The capture device has to be on the same channel as the traffic, and the various devices will use the channel selected by the AP. You can usually select the channel at the router, or if in auto mode, it might tell you what channel it is using.

(15 Aug '16, 17:14) Bob Jones
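The two checks Bob Jones keeps coming back to (is the adapter really in monitor mode, and is it tuned to the same channel as the AP) can be scripted so they are verified before any capture is started. The script below is an added example, not something posted in this thread; the interface name wlan0, the AP channel 6 and the sample `iw dev wlan0 info` text are constructed placeholders, and the parsing assumes the `type ...` / `channel ...` lines that current `iw` releases print.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a capture interface is in
# monitor mode and tuned to the AP's channel before starting Wireshark/tshark.
# Assumptions: wlan0 and channel 6 are placeholders; `iw dev <if> info` prints
# "type <mode>" and "channel <n> (...)" lines as current iw versions do.

# Constructed sample of `iw dev wlan0 info` output, used for offline testing.
SAMPLE_IW_INFO='Interface wlan0
	ifindex 3
	wdev 0x1
	addr 00:11:22:33:44:55
	type monitor
	wiphy 0
	channel 6 (2437 MHz), width: 20 MHz, center1: 2437 MHz
	txpower 20.00 dBm'

# iw_type: print the interface type (monitor/managed) from `iw dev ... info` text.
iw_type() {
    printf '%s\n' "$1" | awk '$1 == "type" { print $2; exit }'
}

# iw_channel: print the channel number from the same text (empty if not tuned).
iw_channel() {
    printf '%s\n' "$1" | awk '$1 == "channel" { print $2; exit }'
}

# check_capture_ready: return 0 when the interface is in monitor mode on the
# expected channel, 1 otherwise, with the reason on stderr.
check_capture_ready() {
    info="$1"; want_chan="$2"
    t=$(iw_type "$info"); c=$(iw_channel "$info")
    if [ "$t" != "monitor" ]; then
        echo "interface is in '${t:-unknown}' mode, not monitor mode" >&2
        return 1
    fi
    if [ "$c" != "$want_chan" ]; then
        echo "interface is on channel '${c:-none}', AP is on $want_chan" >&2
        return 1
    fi
    echo "monitor mode on channel $c: ok"
}

# setup_monitor: print (not run) the commands that put a real interface into
# monitor mode on a channel and then show data frames from every station.
# wlan.fc.type == 2 selects 802.11 data frames in the tshark display filter.
setup_monitor() {
    iface="$1"; chan="$2"
    cat <<EOF
ip link set $iface down
iw dev $iface set type monitor
ip link set $iface up
iw dev $iface set channel $chan
iw dev $iface info
tshark -i $iface -Y 'wlan.fc.type == 2'
EOF
}

# Dry run: review the setup commands, then check the constructed sample
# against the right channel and against a wrong one.
setup_monitor wlan0 6
check_capture_ready "$SAMPLE_IW_INFO" 6
check_capture_ready "$SAMPLE_IW_INFO" 11 || echo "channel mismatch detected, as expected"
```

On a real system replace `$SAMPLE_IW_INFO` with `"$(iw dev wlan0 info)"` after running the printed setup commands as root; if the check reports managed mode or a different channel, nothing but your own station's traffic will show up in Wireshark, which matches the symptom described in the question.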