Hi, I am a student and completely new to Wireshark, and I need some assistance with a project. I want to know how I can use Wireshark to detect devices that are connected to my router and that are trying to connect to my router. (Frankly, I actually don't know if we can do it using Wireshark or not, but the software "Wireless Network Watcher" can easily detect connected devices, so I thought it would also be possible in Wireshark.)

What I already tried is npcap 0.10, but after installing it, when I run Wireshark, on initializing it kept on asking for admin permission; I had to force stop it, and since then Wireshark isn't even showing available connections. If I have to use npcap, then kindly tell me how to resolve my problem in the 2nd part first. *If I don't need to use npcap, then there is no need to discuss the second problem.

I have to submit my proposal within the next 2 days, so kindly help me fast.

asked 07 Nov '16, 09:35 Abdullah
2 Answers:
npcap is still considered experimental for usage with Wireshark; the regular WinPcap as installed by the Wireshark installer still works well on all Windows versions. Whether either of those capture libraries will help solve your issue is another matter though.

To see other wireless traffic from other devices to your router (really an AP) requires the wireless card in your PC to be put into "Monitor mode", and historically this has been difficult on Windows due to driver issues, although npcap "might" make this a bit better. You'll probably have more success running a version of Linux though, e.g. Kali Linux. See the wiki page on Wireless Capture for more info.

answered 07 Nov '16, 10:03 grahamb ♦

I have attached the screenshot of Device Manager that shows I have the network monitor driver installed. The issue is how to use it. https://wiki.wireshark.org/CaptureSetup/WLAN I already consulted this link before posting here but couldn't get several things... Can I get steps on how to:
1. properly install npcap
2. use monitor mode
because neither on YouTube nor on discussion forums could I get any satisfactory answer. (07 Nov '16, 17:50) Abdullah

Can I expect some help? (08 Nov '16, 05:51) Abdullah

These seem to be npcap issues, so the best place for support for that is ... npcap. According to the npcap GitHub page, the place for such support is the mailing list [email protected] (08 Nov '16, 06:06) grahamb ♦

NPcap development is a one-man (@Yang Luo) show, and it is very dynamic. So wireless monitoring mode was supported for a while, then not, and now it seems to be supported again. However, your success heavily depends on what your wireless card's driver can do. In the previous era where NPcap did support monitoring on wireless, you had to use an associated command line utility called WlanHelper to switch the wireless NIC from STA mode to monitoring mode so that you could monitor using NPcap, and I don't know about any advance here (i.e. still no communication channel between Wireshark and NPcap which would make the WlanHelper obsolete).

In my case (Intel wireless chipset), I was never able to decrypt a WPA encrypted packet by Wireshark, with no clear reason ever identified. @Yang Luo says he blindly copies the 802.11 frames received from the driver, Wireshark doesn't claim any issue with the frame because Intel's driver doesn't provide the FCS... so you have to try your luck, install Npcap with wireless monitoring support, switch your WLAN NIC to monitoring mode (which will deassociate it from the network, so you can either be connected or monitor, not both - this does not happen on Mac). (08 Nov '16, 06:29) sindy
Hi @Abdullah, thanks for using Npcap.
Do not install Npcap with the "Restrict Npcap driver's access to Administrators only" option checked. This option will prompt a UAC window every time Wireshark invokes Npcap DLLs.

If you mean "Network Monitor 3" from Microsoft, that's unnecessary. All you need is the latest Wireshark and Npcap.

And about the monitor mode usage, it's very simple. Just use the Wireshark GUI, don't use WlanHelper.exe. In the Wireshark GUI (Qt version), go to "Capture options", click the checkbox in the "Monitor Mode" column of your wireless adapter, then click "Start". You will be capturing raw 802.11 traffic in monitor mode now. Quitting the capture will turn the adapter back to managed mode automatically.

If your "Monitor Mode" checkbox is unselectable, it somehow means that your adapter doesn't support monitor mode. To double-check it, you can run "WlanHelper.exe <adapter_name> modes" to get all operation modes supported by your adapter. If "monitor" doesn't show up, then your adapter doesn't support it for sure. The adapter name used in WlanHelper.exe commands is the same name as in your "Network Connections" window.

answered 08 Nov '16, 08:28 Yang Luo, edited 08 Nov '16, 08:31
Is your intention to run the detection software at the router itself or to monitor the traffic "in the air" with another piece of equipment next to the router? If the latter, and if the monitoring machine should be a Windows one, you have to use npcap and, on top of it, a WLAN adaptor which properly supports promiscuous and monitoring mode at the same time and captures the traffic properly, which is a requirement not every WLAN adaptor & driver for Windows can fulfil. So think twice before submitting the proposal.
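An added example, not part of any post in this thread: once a monitor-mode capture of your own network is running, the devices talking to the AP can be listed from the 802.11 headers alone. The sketch below assumes each captured frame starts with a radiotap header; the function names, MAC addresses and sample frames are constructed for illustration, and the "connected"/"attempting" labels are a heuristic.

```python
import struct
MGMT, DATA = 0, 2
# Management subtypes a station sends while trying to join an AP.
JOIN_SUBTYPES = {0: "assoc-req", 2: "reassoc-req", 4: "probe-req", 11: "auth"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse(frame):
    """Return (type, subtype, to_ds, from_ds, addr1, addr2, addr3) or None."""
    if len(frame) < 8 or frame[0] != 0:      # radiotap version is always 0
        return None
    rt_len = struct.unpack_from("<H", frame, 2)[0]   # radiotap length, LE
    dot11 = frame[rt_len:]
    if len(dot11) < 24:                      # too short for three addresses
        return None
    fc0, fc1 = dot11[0], dot11[1]
    return ((fc0 >> 2) & 3, fc0 >> 4, fc1 & 1, (fc1 >> 1) & 1,
            mac(dot11[4:10]), mac(dot11[10:16]), mac(dot11[16:22]))

def inventory(frames, bssid):
    """Map station MAC -> 'connected' or 'attempting' for one AP (heuristic)."""
    seen = {}
    for p in filter(None, map(parse, frames)):
        ftype, sub, to_ds, from_ds, a1, a2, a3 = p
        if ftype == DATA and to_ds and not from_ds and a1 == bssid:
            seen[a2] = "connected"           # station -> AP data frame
        elif ftype == DATA and from_ds and not to_ds and a2 == bssid:
            if not int(a1[:2], 16) & 1:      # skip broadcast/multicast receivers
                seen[a1] = "connected"       # AP -> station data frame
        elif ftype == MGMT and sub in JOIN_SUBTYPES and a2 not in seen:
            if a2 != bssid and bssid in (a1, a3):   # sent by a station to this AP
                seen[a2] = "attempting"
    return seen

def _frame(fc0, fc1, a1, a2, a3):
    """Build a constructed sample: 8-byte radiotap header + 24-byte 802.11 header."""
    rt = struct.pack("<BBHI", 0, 0, 8, 0)
    addrs = b"".join(bytes.fromhex(a.replace(":", "")) for a in (a1, a2, a3))
    return rt + bytes([fc0, fc1]) + b"\x00\x00" + addrs + b"\x00\x00"

AP = "02:00:00:00:00:01"   # constructed BSSID (locally administered)
SAMPLE = [
    _frame(0x80, 0x00, "ff:ff:ff:ff:ff:ff", AP, AP),  # beacon: ignored
    _frame(0xB0, 0x00, AP, "02:00:00:00:00:aa", AP),  # authentication from aa
    _frame(0x08, 0x01, AP, "02:00:00:00:00:bb", "02:00:00:00:00:cc"),  # bb -> AP
    _frame(0x08, 0x02, "ff:ff:ff:ff:ff:ff", AP, "02:00:00:00:00:bb"),  # broadcast
    _frame(0x88, 0x02, "02:00:00:00:00:dd", AP, "02:00:00:00:00:cc"),  # AP -> dd
]
```

Calling `inventory(SAMPLE, AP)` reports aa as attempting and bb and dd as connected; the beacon and the broadcast data frame add no entries.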