This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello. My son is in 8th grade and would like to do a science fair project to see how well protected people are on public wifi (i.e. at Starbucks). Could he use Wireshark for this purpose? Any guidance you can give would be most appreciated. - Ken

asked 26 Sep '16, 08:26

kcardy82's gravatar image

kcardy82
6113
accept rate: 0%

Jasper,

Thanks for your quick and thoughtful reply. Please forgive my ignorance on these questions.

Are you saying Wireshark will explicitly show whether someone is using HTTP or HTTPS (or does that fact that you can read plain text tell you that it's HTTP)? If HTTP, does that mean they are easily hacked?

Similarly, are you saying that surfing via a VPN would be less safe than not? Will Wireshark show you whether they are on a VPN (or am I again just looking for plain text)?

He has to present lots of data for the project (generally speaking, more data = better grade). I'm thinking # of people using HTTP vs. HTTPS (or VPN vs not)? Any thoughts on this?

Thanks again, Ken

(26 Sep '16, 09:26) kcardy82

Hi Ken, sorry for the mess in the comments.

Yes, with Wireshark you can tell if someone is using HTTP or HTTPS, e.g. by filtering on TCP ports 80 (HTTP) or 443 (HTTPS). If HTTP, it means that anyone can read what is going on, and may potentially grab passwords, cookies, password hashes, user IDs etc. from it.

Surfing via VPN is more safe that without - all an eavesdropper can see is the encrypted channel, but not what's communicated inside of it. There are standard VPN protocols like IPSec (which Wireshark will list as protocol), and standard ports like UDP 1194 used by OpenVPN.

I think it would make sense to sample at least half a dozend of locations and count how many connections are encrypted, and what people are doing. # of HTTP connections vs. # of HTTPS connections and # of VPN connections, maybe as a breakdown per IP address (=devices/persons). For this the statistics functions of Wireshark are really helpful: endpoints (IP tab), conversations (IP tab) and protocol distribution.

Best would be to experiment with your own laptop first - capture with Wireshark while surfing to a HTTP site before surfing to an HTTPS site. Then try to spot which conversation in the capture is what. Keep in mind that web pages often contain multiple elements, which can lead to multiple connections.

(26 Sep '16, 09:55) Jasper ♦♦

Jasper - I REALLY appreciate your answers and assistance. My son is very interested in learning more about this, but I couldn't sleep last night worrying about how to guide him as far his science fair project is concerned. We'll download Wireshark and dig in. I apologize in advance for any more ignorant questions I might have moving forward. Thank you so much for your help! - Ken

(26 Sep '16, 10:30) kcardy82

No worries - if you or your son need more help, just ask around here and we'll try to help.

(26 Sep '16, 10:55) Jasper ♦♦

Hi Jasper,

My son and I have been experimenting (at home) with Wireshark using his Dell laptop and my Surface Pro 4. We can see the traffic we generate from our own PC's but can't seem to see each other's access to the web. Is this because we would need the AirPCAP special adapater that you mentioned in your first reply? If so, is it possible to simply monitor the volume of HTTP vs. HTTPS traffic without the adpater?

Ken

(02 Oct '16, 09:36) kcardy82

@kcardy82, have a look at Questions tagged "monitor" or "monitoring". Capturing in the air requires that your hardware and drivers support monitoring and promiscuous modes simultaneously, which is currently only "guaranteed" for Apple devices; on both Windows and Linux, it is a matter of luck but you may give it a try, using the guidelines in those other questions. On Windows, use of a version of NPcap which supports monitoring mode is just one of the prerequisites, the newest ones seem not to.

(02 Oct '16, 10:22) sindy

Jasper,

We have switched to a MacBook Pro and still don't seem to be picking up traffic other than the our own. Basically, we start the capture, go to a website (i.e. mcdonalds.com) on an iPhone (connected to the same WiFi) and stop the capture. Then, we apply a display filter that says 'tcp contains mcdonalds'; however there is nothing to see. The Wifi connection is password protected but both the MacBook Pro and the iPhone have access. I think we're doing something wrong - sorry, we're newbies at this. Could you please give us some direction?

Thanks very much, Ken

(04 Oct '16, 10:55) kcardy82

Well, if nobody actually opened that website unencrypted you're not going to see a match - and chances are, nobody did. Try filtering on "http.request" to see if there are any other GET/POST requests that aren't yours. Try specific websites that aren't encrypted if you can (meaning, starting with "http://" instead of "https://"). McDonalds seems to use HTTPS (surprise, but not a bad thing other than making things harder for you)

If not, check if you get anything when filtering for "tcp.port==80", and compare IP addresses with your own. You should be looking for TCP packets that are not involving your IP address.

(04 Oct '16, 11:06) Jasper ♦♦

A display filter tcp contains "mcdonalds" would only show something if it was possible for Wireshark to dissect the captured packets up to the tcp layer. For that, the WLAN either has to be open (no encryption used), or you have to provide Wireshark with enough information to decrypt it. As you wrote your home WLAN is password protected, read the wiki and threads regarding WLAN decryption. In short - in order to decrypt WPA successfully, you have to capture the key negotiation phase, the famous "4 EAPOL packets". So you must start capturing on the macbook in monitoring mode, switch WLAN off on the iPhone, switch it on again and then access the web site from the iPhone. Or you may switch off encryption of your WLAN for a while if your neighbours are not too quick. If, using one of the two methods above, you can see in the capture some packet which has a source IP address which is unicast and different from your PC and the access point while a display filter tcp is applied, that address should be the iPhone's one and you've won.

(04 Oct '16, 12:00) sindy

Jasper, et. al. -

We've finally been able to capture traffic from other devices - how cool! Thanks so much for all your help to this point.

We're learning the filter syntax to analyze the data. We know we can enter tcp.port==80 or tcp.port==443 to capture HTTP vs. HTTPS connections. Hoping you can help us with these questions: 1. What filter would allow us to excude our Apple MAC's traffic from the results using its IP address? 2. What filter would we enter to capture # of VPN connections? 3. How can we separate VPN connections from HTTP and HTTPS connections? 4. How do we break down the results per IP address (=devices/persons)? 5. We're struggling to understand how to utilize the Statistic tools to learn more about encrypted vs. non-encrypted connections. Can you give us some guidance, with the understanding that we are complete newbies at this and the end goal is to generate science fair data?

Sorry for the ignorant questions and thanks again for all of your help!

Ken

(11 Oct '16, 10:24) kcardy82

Jasper or sindy -

Would you kindly take a look at the questions in my previous comment? Any help you could offer would be GREATLY appreciated!

Ken

(12 Oct '16, 12:40) kcardy82

This site isn't exactly intended for individual turbo learning courses, but let's try.

Just be aware that looking as deep as needed for the purpose into the traffic captured on a public place without the knowledge of the clients is quite likely to be illegal regardless the purpose.

  1. What filter would allow us to excude our Apple MAC's traffic from the results using its IP address?

!(wlan.addr == ur:ma:ca:dd:re:ss)

  1. What filter would we enter to capture # of VPN connections?

You can filter individual packet by their properties, and there are several protocols used for VPN, so this is not a simple task. Some VPNs cannot be distinguished from https traffic because they basically are https traffic, some use GRE and some use UDP...

  1. How can we separate VPN connections from HTTP and HTTPS connections? If you can see HTTP headers in some of the packets of a TCP session, it is likely to be a HTTP connection. If there is no clear text in any of the packets, it is either an encrypted connection or simply a protocol which uses some other than text encoding. TCP connections to port 443 are most often HTTPS connections but it is not an unbreakable law as said above, and TCP connections to port 80 are most often HTTP connections.

  2. How do we break down the results per IP address (=devices/persons)?

You can use Statistic -> IPv4 Statistics -> All Addresses and find the IP addresses assigned by the AP (they will usually be private ones) among them. To get IP addresses of all users of the WLAN you have catch the EAPOL negotiation for all of them.

...to be continued

(12 Oct '16, 14:11) sindy
  1. We're struggling to understand how to utilize the Statistic tools to learn more about encrypted vs. non-encrypted connections. Can you give us some guidance, with the understanding that we are complete newbies at this and the end goal is to generate science fair data?

I would have a problem myself to find anything like that, as the statistics do not go this deep, due to reasons provided in 2 and 3.

I would say that those clients which access TCP ports 110 (POP3) or 143 (IMAP) and 25 (SMTP) using plaintext (i.e. no starttls seen in the capture for these ports) do not care much about privacy, while those who use starttls on these ports or use ssl versions of the above protocols (995, 993, 465 respectively) do care about it. If the person doesn't do their e-mails, this doesn't help, so look for access to plain HTTP (port 80). A client which, except maybe for some DNS requests, sends and receives packets mostly to and from a single address is likely to be using some kind of VPN, tunnelling all its traffic through the VPN.

(12 Oct '16, 14:12) sindy

sindy -

I understand this site isn't for "turbo learning" which is a fair description of what we're doing. I appreciate your help just the same. Thanks so much!

Ken

(13 Oct '16, 06:07) kcardy82
showing 5 of 14 show 9 more comments

Interesting project, but maybe the scope needs to be tweaked a bit. The situation with public wifi is that it is unencrypted in most cases, to allow people to easily connect to it without having to ask for a password first. Which means that you can consider almost all public wifi locations unprotected, as anyone with a wifi card can capture everything everybody else does (e.g. with Wireshark). With Windows this would require a special adapter (AirPCAP), but on Linux or MacOS you can use almost any adapter.

What may be interesting to ask instead is "how well do people of public wifi protect themselves?" - this would be something your son could investigate using Wireshark. He'll need to read up and check for people surfing using HTTPS (encrypted HTTP, needs to be provided by the web page server, and the user needs to use it instead of HTTP) or surfing via a VPN (user responsibility to use one). To do that he could check how many plain text conversations he can find compared to how much encrypted stuff is found.

permanent link

answered 26 Sep '16, 08:35

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

Jasper im on a public network right now, could you help me out with researching whether it's safe? This is my email: [email protected]

(26 Sep '16, 08:45) micegreen

Well, either run Wireshark to check if you can read any words or commands of what you're doing in the packet decodes. If you're just surfing the web, check if you're using HTTPS, e.g. by checking the browser HTTPS symbol in front of the URL.

To be fair, only capturing your traffic and checking it thoroughly for clear text transmissions can give you a definitive result. You could filter for "tcp.port==80" to check if you're using HTTP instead of encrypted HTTPS.

(26 Sep '16, 08:48) Jasper ♦♦

I need to show you something but I cant do it here, can we start a chat on google hangout

(26 Sep '16, 08:49) micegreen

Do I look stupid? :)

(26 Sep '16, 08:51) Jasper ♦♦

I'm being honest here. I need help with a wireshark issue but I cant find help anywhere but here, I just need you to connect to my teamviewer to show you.

(26 Sep '16, 08:52) micegreen

Nope, not going to happen.

Take screenshots of whatever your problem is, ask clear and precise questions, provide PCAPs if you can, and people will help.

(26 Sep '16, 08:55) Jasper ♦♦

srsly dude i have been posting posting posting constantly trying to only get help with one small thing and that is help with a single pcap file. first everyone says it's a bad thing to ask it to others but i have been pounding poiunding the laptop just to get an answer could you please AND I SAY PLEASE help me witht his to relieve me of my burden please help me with this wireshark issue it's so frustrating man please

(26 Sep '16, 08:57) micegreen

What is the issue about?

(26 Sep '16, 08:58) Jasper ♦♦

I have to identify a hacker and these moderators say you're cheating on your homework guys so what I DONT want to be a computer engineer i want software engineering but nobody wants to HELP why cant someone help me????

(26 Sep '16, 08:58) micegreen

https://drive.google.com/open?id=0B94k1Bz5s_fRWTBIdDZRQzhXM2s

this is thje pcap file can you please identify the hackers identity ?

(26 Sep '16, 09:00) micegreen

So this questions was yours?

https://ask.wireshark.org/questions/55841/identifying-the-hacker

and you're pacbell86? If so, you didn't get suspended because of the question, but for spamming the other threads.

(26 Sep '16, 09:00) Jasper ♦♦

please add me [email protected] so we can talk this out in a better place man im also from europe by the way

(26 Sep '16, 09:01) micegreen

the question is very simple i just need your help and i will pay you money if i need to i only want to get rid of this issue

(26 Sep '16, 09:02) micegreen

If the question is very simple, what is it? And no, I'm not ever going to add you to anything.

Also, there is no guarantee that anyone answers questions here, it's a free service by volunteers. If nobody is interested in your question you'll not get an answer. So make it interesting.

And honestly, your original question was completely nondescript. We're not going to do your work for you. We're going to help with specific questions (Example: "I need to find suspicious HTTP requests, how can I filter on requests?"). Demanding solutions will get you one thing only: silence.

(26 Sep '16, 09:07) Jasper ♦♦

To be honest it's a beginner task so I thought that someone experienced here could quickly find the identity and what's going on and tell how he did it

(26 Sep '16, 09:21) micegreen
showing 5 of 15 show 10 more comments
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×134
×1
×1

question asked: 26 Sep '16, 08:26

question was seen: 1,218 times

last updated: 13 Oct '16, 06:07

p​o​w​e​r​e​d by O​S​Q​A