This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I am able to monitor all of my own traffic, but I cannot monitor other users' DNS queries and unicast packets. I can only see multicast and ICMP traffic of other users. I have also tried to switch promiscuous mode off, but to no avail.

This question is marked "community wiki".

asked 07 Mar '12, 13:38

Mian82

edited 08 Mar '12, 08:57

multipleinte...

Just to know more information: are you creating a monitor interface? What card are you using, and what driver to interface with it? What procedure are you using to create the monitor interface?

(07 Mar '12, 13:54) srini_wisc

I do not know how to create a monitor interface. I am using a wireless interface card. I checked with promiscuous mode 'on' and 'off'. I cannot monitor the unicast or DNS requests of other users on the same wireless 802.11 network.

(08 Mar '12, 06:51) Mian82

Two possibilities come to mind. You are connected via a wire to a switch and thus will only see broadcast traffic for other hosts. Have a look at the general Capture Setup wiki page, and edit your question to describe your setup in more detail.

The other possibility is that you are trying to capture the wireless traffic and your wireless card cannot be set to "promiscuous" mode and will only "see" traffic actually destined for your machine. See the WLAN Capture page for more info.

answered 07 Mar '12, 23:32

grahamb ♦

edited 08 Mar '12, 03:13

Thanks for the reply. I am a master student in ICT, University of Agder, Norway. I am trying to monitor traffic on a WLAN (university access point) through my PC's wireless card for study purposes. I checked with promiscuous mode on and off, but I can only monitor multicast, ICMP and query packets of other users on the same wireless network. I want to monitor all packets of others like I can do for my machine. Is it possible with WLAN, or do I have to connect to a router or switch directly? Is it possible with a router or switch?

Thanks

(08 Mar '12, 06:45) Mian82

What is your OS? WinPcap on Windows has lots of difficulties with setting WLAN cards into promiscuous mode. If you are using Windows you might try Network Monitor from Microsoft, as that might be able to run in promiscuous mode. Wireshark can open the captures made by NM.

(08 Mar '12, 07:58) grahamb ♦

Is it not possible with Wireshark? Is Network Monitor separate software?

(08 Mar '12, 14:24) Mian82

It is not possible to capture in monitor mode with any application that uses WinPcap; Wireshark is one such application. It is possible to capture with an AirPcap adapter, but that costs extra money.

Yes, Network Monitor is separate software, which can be downloaded for free. It can be used to monitor traffic on your network, and you can also save a capture from Network Monitor and read it in Wireshark.

(08 Mar '12, 16:02) Guy Harris ♦♦

Hi Guy Harris, is it the same for WLAN and wired LAN? Can I monitor all traffic (other users) if I connect to the router directly?

(12 Mar '12, 11:53) Mian82

You need to reread the wiki page on capture setup. Just connecting to the router on a wired connection is unlikely to allow you to see all the traffic through the router as it is likely to be a switched connection. If you can make the router "mirror" or "span" traffic on to your switch port then you will see all traffic but that's unlikely to be possible on a simple Wireless router.

If you switch OS to Linux, there is much better support for WLAN promiscuous captures.

(12 Mar '12, 13:28) grahamb ♦

By "the wiki page on capture setup" grahamb probably means the page on Ethernet capture setup, which describes, in painful detail, why it's not as easy as you might think to capture all traffic on a wired LAN, and gives some solutions, which may require additional hardware (a hub or tap) or require that the hardware you're using have particular features (if the router supports "span ports"/"mirror ports"/whatever the router vendor calls them).

(12 Mar '12, 14:38) Guy Harris ♦♦

I did it with Network Monitor, but the results are almost the same as I did with Wireshark.

(13 Mar '12, 04:01) Mian82

That is expected. You really should read the capture setup article as mentioned by both Graham and Guy. You will need to either change where within your network topology you are taking your capture (by inserting a hub or tap, or physically moving your device, for example), or check to see if your switch supports mirroring/spanning and configure it properly if it does.

(13 Mar '12, 08:44) multipleinte...

What did you try with NetMon?

If you tried capturing Wi-Fi traffic, you should be able to see other users' unicast traffic, but you will disconnect your machine from the WLAN while you're doing that (Windows doesn't support remaining associated with a network in monitor mode), and if your WLAN uses WEP or WPA/WPA2 the traffic will be encrypted.

If you tried capturing Ethernet traffic, then you need to do what Graham and I mentioned - ANY sniffer, whether it's Wireshark or NetMon or whatever, will have the same problem.

(13 Mar '12, 10:35) Guy Harris ♦♦
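
Added example (not part of the original thread and not Wireshark code): a toy learning-switch simulation of the point made in the answers above, that a capture host on a switched Ethernet port sees other hosts' broadcast and multicast frames but not their unicast, and that a mirror/span port changes this. The MAC addresses, port numbers and frame labels are constructed, and multicast is simplified to plain flooding.

```python
# Toy learning switch; all MACs, ports and frames below are constructed.
BROADCAST = "ff:ff:ff:ff:ff:ff"
HOST_A = "02:00:00:00:00:0a"   # another user, on switch port 1
ROUTER = "02:00:00:00:00:01"   # default gateway, on switch port 2

# (ingress port, source MAC, destination MAC, label)
FRAMES = [
    (1, HOST_A, BROADCAST, "ARP request (broadcast)"),
    (2, ROUTER, HOST_A, "ARP reply (unicast)"),
    (1, HOST_A, ROUTER, "DNS query (unicast)"),
    (2, ROUTER, HOST_A, "DNS response (unicast)"),
    (1, HOST_A, "01:00:5e:00:00:fb", "mDNS (multicast)"),
]


def is_group(mac):
    """True for broadcast/multicast: low bit of the first octet is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class LearningSwitch:
    def __init__(self, ports, mirror_port=None):
        self.ports = set(ports)
        self.mirror_port = mirror_port
        self.table = {}  # source MAC -> port it was last seen on

    def forward(self, in_port, src, dst):
        """Return the set of egress ports for one frame."""
        self.table[src] = in_port
        if is_group(dst) or dst not in self.table:
            out = self.ports - {in_port}          # flood
        else:
            out = {self.table[dst]} - {in_port}   # known unicast: one port
        if self.mirror_port is not None and in_port != self.mirror_port:
            out = out | {self.mirror_port}        # span/mirror copy
        return out


def seen_by(capture_port, frames, mirror=False):
    """Labels of the frames delivered to the capture host's port."""
    sw = LearningSwitch([1, 2, 3, 4], capture_port if mirror else None)
    return [label for in_port, src, dst, label in frames
            if capture_port in sw.forward(in_port, src, dst)]


if __name__ == "__main__":
    print("plain switch port:", seen_by(3, FRAMES))
    print("mirror port:      ", seen_by(3, FRAMES, mirror=True))
```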
question asked: 07 Mar '12, 13:38

question was seen: 5,133 times

last updated: 13 Mar '12, 10:35
