This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi,

Is there away to find the router model, firmware and the release number using wireshark? Have a packet I am playing around with and a few questions I a friend sent me and am trying to learn the correct ways to use wireshark to figure them out.

asked 18 Jul '17, 10:05

pyrotaz's gravatar image

pyrotaz
6223
accept rate: 0%

Here is the pcap file I need help with attempting to figure out the following: The IP address of the router? The model of the router if possible? The firmware of the router? The release number of the router is using? And last the ip address of the user who logged into the router admin panel?

pcap file

(18 Jul '17, 14:38) pyrotaz

Your answer has been converted to a comment as that's how this site works. Please read the FAQ for more information.

(18 Jul '17, 14:45) cmaynard ♦♦

With just a few exceptions, a single packet is of a little use here. Some tools do detect equipment properties by stimulating it with connection attempts using various protocols and comparing the reaction to a database of known ones, but a single packet sent by a given device tells you almost nothing expect if the model etc. would be intentionally written there.

An LLDP frame is an example of such one, it tells you a lot about its sender because it is its very purpose, but it can be only captured on a neighboring equipment. Similar vendor-specific protocols (e.g. CDP) exist. Any packet from a given device captured in the LAN has that device's MAC address as a source but a MAC address can only tell you the vendor (also not always), rarely the exact model and never the firmware release (because MAC address normally doesn't change depending on the firmware release).

Some application protocols (like e.g. SIP) also may include model and firmware information, but it is not a rule.

permanent link

answered 18 Jul '17, 10:43

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%

edited 18 Jul '17, 10:44

If the router is SNMP-enabled, it ought to be possible to explicitly query the router for this type of information.

(18 Jul '17, 11:51) cmaynard ♦♦

Well, you have changed the scope of the question seriously - this is not a single packet, this is a capture of a good deal of wireless traffic.

The file contains the WPA negotiation of two Apple devices so if you know the passphrase to the WiFi network, you should be able to make Wireshark decrypt the WPA communication for you, there is a Wireshark manual page covering that topic and a number of Questions on this site, dealing with some issues people ran into. Once you succeed here, there should be a plaintext http communication which should contain the information about router firmware version etc., and the IP addresses will become visible.

There is another nice function of Wireshark which allows you to save the html pages transmitted by packets captured, so you may even see the graphical rendering of them if you open the saved files in a browser.

I suppose you do have the passphrase, otherwise the quest would have no solution. Rumour has it that TKIP is a weak encryption but Wireshark doesn't contain tools for decrypting TKIP without knowing the passphrase.

permanent link

answered 18 Jul '17, 15:01

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%

Note that if the router is a home Wi-Fi router, it might not support the LLDP or CDP protocols; I think those are mainly used for "enterprise" equipment, to keep track of the equipment in a complex network. Therefore, there might not be any packets carrying detailed information about the router.

To determine that, you'd have to decrypt the traffic, using the password, as sindy indicated. If there isn't LLDP or CDP traffic, perhaps there will be other traffic giving that information.

(18 Jul '17, 18:49) Guy Harris ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×58

question asked: 18 Jul '17, 10:05

question was seen: 2,502 times

last updated: 18 Jul '17, 18:49

p​o​w​e​r​e​d by O​S​Q​A