This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

protocol mdns - smartphone huawei p9lite

0

Hello to all, I'm a Wireshark neophyte and I need your help. I use a Wi-Fi home network of which I am the administrator. My Huawei P9 Lite smartphone connects to the network, but I cannot see with Wireshark the sites it browses; I just see that the protocol is MDNS. With the PC, however, I correctly see the visited sites. The router is a NETGEAR DGN2200v4. Thank you for your help and sorry for the incorrect English. Have a nice day.

asked 05 Jun '17, 11:53


stevieraypis

What happens if you start Wireshark capturing on the Wi-Fi network in monitor mode, turn the phone off, turn it back on, and then go to a Web site on the phone? Note that you'll have to enter the password for the network into Wireshark before you start capturing.

(06 Jun '17, 20:18) Guy Harris ♦♦

Hi Guy, thank you for your kindness, you are the first to answer me. You have to be patient because my difficulties are both technical and linguistic; try to help me step by step :-)

I've tried to start Wireshark in monitor mode, but in the capture options I don't see a flag with "monitor mode": https://wiki.wireshark.org/CaptureSetup/WLAN#Turning_on_monitor_mode

And now the biggest problem: I've tried to insert keys on 802.11 but it's very complicated. I have to insert keys and not the real password, can you help me? I am an administrator using Windows 7 64-bit. The router is protected with wpa2-psk (aes) mode, but of course I can change it to WPA-PSK [TKIP] + WPA2-PSK [AES] or WPA/WPA2 or no protection and no password. I've tried one time without protection and password, but it's the same story with Wireshark. What am I doing wrong? It's so difficult. Thank you again.

(07 Jun '17, 10:31) stevieraypis

Your "answer" was actually a comment (this isn't a forum, it's a Q&A site, and unless something answers the original question, it's a comment, not an answer), but it somehow disappeared when I tried converting it to a comment.

(07 Jun '17, 10:36) Guy Harris ♦♦

I think I'm close to the solution, but I really need help of an expert...

(27 Jun '17, 12:34) stevieraypis

One Answer:

0

In the comment that disappeared, you said you're running on Windows; that means that monitor mode isn't supported unless you're using Npcap rather than WinPcap. (And, even with Npcap, the vendor's driver may not support monitor mode or may not support it well.)

If you're not capturing in monitor mode, you won't see any traffic other than traffic to or from the machine running Wireshark (I assume "the PC" in "With the PC, however, I see correctly the visited sites" is the machine running Wireshark and the machine going to the sites in question) and broadcast/multicast traffic (the "M" in "MDNS" is "multicast").

So you'll either need to install Npcap, get an AirPcap adapter, or switch to an OS that supports monitor mode better, such as Linux (or buy a Mac, as macOS supports monitor mode better as well :-)).

answered 07 Jun '17, 10:40


Guy Harris ♦♦

OK Guy, now I'll tell you what I've done: I've downloaded Npcap and uninstalled WinPcap. In the installation of Npcap I left the 2 boxes checked without checking the other 3. I restarted the PC, I restarted the Huawei P9 Lite. I ran Wireshark, and in the capture options I found monitor mode and checked it. Then I started, but now I don't see the Huawei IP 192.168.0.3, just my PC, which ends with 5. I see the traffic of my PC, and for the Huawei I just see huawei_3b:3b:04, destination broadcast, protocol ARP, and nothing else. So I think something is missing; maybe we can do it, but I should know what to do exactly. I've inserted no password in Wireshark. Any idea? Thank you, Guy.

PS: AirPcap costs a lot of money, I cannot afford it.

(07 Jun '17, 11:22) stevieraypis

I've inserted no password in wireshark.

If you have a password on your Wi-Fi network, you have to enter that into Wireshark in order for it to be able to decrypt the traffic. See the Wireshark Wiki page about decrypting Wi-Fi traffic for more information.

(07 Jun '17, 11:30) Guy Harris ♦♦

I've tried to disable the network password but I still don't see the huawei. :-(

(07 Jun '17, 11:43) stevieraypis

ok, I've a normal password, I can't understand how to find "wpa-psk The key is parsed as a raw pre-shared key"....

(07 Jun '17, 11:46) stevieraypis

I've seen that if I check "capture packets in monitor mode" and click OK, then I see that monitor mode is n/a, and if I edit the capture options again I cannot check "capture packets in monitor mode" :-( Is this the reason? No possibility in Windows?

(07 Jun '17, 11:49) stevieraypis

You should use wpa-pwd instead, giving the network's password and its SSID.

(07 Jun '17, 11:50) Guy Harris ♦♦
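
Added example, not part of the original thread: the two key types mentioned in the comments above are related by the WPA/WPA2-Personal key derivation, where the raw pre-shared key (`wpa-psk`) is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt. The function names are hypothetical, and the passphrase/SSID pair used in the comments is the published IEEE 802.11i test vector, not a value from this page.

```python
import hashlib


def derive_wpa_psk(passphrase: str, ssid: str) -> str:
    """Return the 256-bit WPA/WPA2-Personal PSK as 64 hex characters.

    PSK = PBKDF2(HMAC-SHA1, passphrase, salt=SSID, 4096 iterations, 32 bytes).
    This is the value a "wpa-psk" entry expects; a "wpa-pwd" entry lets
    Wireshark perform the same derivation itself.
    """
    pw = passphrase.encode("utf-8")
    salt = ssid.encode("utf-8")
    # A WPA passphrase is 8..63 characters; an SSID is 1..32 bytes.
    if not 8 <= len(pw) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", pw, salt, 4096, 32).hex()


def wireshark_key_entries(passphrase: str, ssid: str) -> dict:
    """Build both equivalent decryption-key entries for one network."""
    return {
        "wpa-pwd": f"{passphrase}:{ssid}",               # password plus SSID
        "wpa-psk": derive_wpa_psk(passphrase, ssid),     # raw pre-shared key
    }


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    for key_type, value in wireshark_key_entries("password", "IEEE").items():
        print(f"{key_type}: {value}")
```

Because the SSID is the salt, the same password on a differently named network gives a different raw key. Either entry only yields the PSK; to decrypt a given client's traffic, the capture must also contain that client's four-way EAPOL handshake, which is why the phone is turned off and back on while capturing.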

What version of Wireshark are you using?

(07 Jun '17, 11:58) Guy Harris ♦♦

Hi Guy, I'm using (v2.2.6-0-g32dac6a), but first I have to understand how to enable my Intel® Dual Band Wireless-AC 7260 in monitor mode under Windows. I have found no solution, any idea? Thank you again.

(08 Jun '17, 12:44) stevieraypis

To activate monitor mode under windows 7 maybe it is necessary to install Microsoft Network Monitor?

(09 Jun '17, 05:06) stevieraypis

To activate monitor mode under windows 7 maybe it is necessary to install Microsoft Network Monitor?

To determine whether the problem is with the adapter or driver, or with Npcap, it'd probably be necessary to install Network Monitor and try to capture in monitor mode with Network Monitor. If that doesn't work, it's probably because Intel's driver doesn't do monitor mode correctly, or at all, and you may have to go with a program such as CommView for WiFi, which has its own drivers for the adapters it supports.

(09 Jun '17, 10:27) Guy Harris ♦♦

Hi, I've made all the possible attempts...

  1. I've updated the driver of my Intel(R) Dual Band Wireless-AC 7260.
  2. I've downloaded Microsoft Network Monitor 3.4, selected the network interface configuration, scanning options, checked "switch to monitor mode" and applied; I've seen that it works.
  3. If I try to enable monitor mode with Wireshark, no possibility.
  4. Then I downloaded and installed Acrylic; I've read that it works with Windows and Wireshark, but nothing to do, it doesn't recognize my Intel(R) Dual Band Wireless-AC 7260 at start.
  5. As you suggested, I downloaded CommView and wow... it worked!!! I mean, the software loads a driver that works with my adapter, so I started to check my Huawei, but it cannot decrypt the data, maybe because it doesn't work with all the wpa2-psk protections. I have of course written the password in the program.
  6. I then tried to remove all the passwords from my router (free connection) and now it works!!! But... it seems that it recognizes data only if I choose sites with https on my Huawei, and I know it's hard to find data in https sites.

Anyway, I have exported the log file data from CommView to a .cap file that Wireshark can open. I then ran Wireshark and see all the lines and filtered the TCP connections, but nothing to do, I cannot read the data in human-readable format. I chose in the name resolution properties the flag "resolve network IP addresses", but no way to read the data. Most of the TCP is on port 443, which I know is https, but there was also some port 80, but nothing to do. The question is: why do I see just TCP 443 data and some TCP 80, and why in Wireshark do I just see info in ASCII and not in human-readable format?

I need some angel to explain to me what to do step by step again... :-(

(22 Jun '17, 11:22) stevieraypis

Hi, there's a problem: I don't see the answers of other users, for example grahamb. I see just the last questions I sent two days ago... why?

(24 Jun '17, 12:42) stevieraypis

I see that in the topic of my questions someone asks me something, but here I see nothing. Please, can an administrator help me? So confused by this ask and questions... a standard forum would be better.

(29 Jun '17, 04:49) stevieraypis