Packet Sniff over Wi-Fi
That's all way too hard if you're using Linux. Most wireless cards nowadays support monitor mode, which allows you to use them to capture all packets, including 802.11 Management and Control frames, on a single channel.
If your wireless card supports this mode (chances are that it does), then do the following (I assume that you are using a Debian-based distro):
$ sudo su
# aptitude install aircrack-ng
# airmon-ng start wlan0
# airodump-ng mon0
At this point, you should see a list of wireless networks and connected clients. Note the channel number on which your network/client is running. You'll need it to lock your NIC on a particular channel: right now it switches through all channels sequentially to detect every network.
^C
# airodump-ng mon0 -c $channel
You don't really need any of the airodump-ng output; it is just used to set the channel. Also, you can use iw/iwconfig to use it or just connect to the network (yes, you can simultaneously be connected to a network and use monitor mode), but this is the easiest and error-prone way.
Now you can start Wireshark and point it to the mon0 interface. You'll be able to see all packets travelling through your network. If you want to see only data packets, use this filter: wlan.fc.type_subtype == 0x20
As a note, I want to say that this is probably possible on Windows, but it is harder and the range of supported adapters is much narrower, as there is no standard API for monitor mode in Windows.
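How the filter value in the answer above maps onto the 802.11 Frame Control field, as an added example that is not part of the original answer: it computes the number Wireshark exposes as wlan.fc.type_subtype from a radiotap-prefixed monitor-mode frame, and shows that QoS Data frames carry 0x28, so an exact match on 0x20 does not include them. The function names and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "extension"}

def type_subtype(frame: bytes) -> int:
    """Compute the value Wireshark exposes as wlan.fc.type_subtype."""
    if len(frame) < 4:
        raise ValueError("truncated radiotap header")
    # Radiotap: version (u8), pad (u8), total header length (u16, little-endian).
    version, _pad, rt_len = struct.unpack_from("<BBH", frame, 0)
    if version != 0 or rt_len < 8:
        raise ValueError("not a radiotap header")
    if len(frame) < rt_len + 2:
        raise ValueError("truncated 802.11 frame control field")
    fc0 = frame[rt_len]           # first Frame Control octet
    if fc0 & 0x03:                # bits 0-1: protocol version, always 0 today
        raise ValueError("unknown 802.11 protocol version")
    ftype = (fc0 >> 2) & 0x03     # bits 2-3: frame type
    subtype = (fc0 >> 4) & 0x0F   # bits 4-7: subtype
    return (ftype << 4) | subtype

def summarize(frames):
    """Count frames per 802.11 type and per type_subtype value."""
    by_type, by_value = Counter(), Counter()
    for frame in frames:
        value = type_subtype(frame)
        by_type[TYPE_NAMES[value >> 4]] += 1
        by_value[value] += 1
    return by_type, by_value

# Constructed sample input (not from a real capture): a minimal 8-byte
# radiotap header, a 2-byte Frame Control field, then zero padding.
RADIOTAP = bytes([0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00])

def sample(fc0: int) -> bytes:
    return RADIOTAP + bytes([fc0, 0x00]) + bytes(22)

SAMPLES = [sample(0x80),   # Beacon   (management, subtype 8)
           sample(0xD4),   # ACK      (control, subtype 13)
           sample(0x08),   # Data     (data, subtype 0)
           sample(0x88),   # QoS Data (data, subtype 8)
           sample(0x88)]

if __name__ == "__main__":
    by_type, by_value = summarize(SAMPLES)
    print(dict(by_type))
    for value, n in sorted(by_value.items()):
        print(f"wlan.fc.type_subtype == {value:#04x}: {n} frame(s)")
```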
Nicholas Stuart
Updated on September 17, 2022
Comments
-
Nicholas Stuart over 1 year
I've got a non-PC wireless client, and I'm wondering about some of its connections. I want to see the actual packets being exchanged from the net to my device over a Wi-Fi connection.
I have Wireshark running on a PC and am watching traffic go by on the network, but whenever the device loads information from the net, it doesn't show up on the sniffer. I have it set to promiscuous mode, but still nothing.
Does anyone know how to make something be seen by a packet sniffer?
-
HiFi over 13 years
Wireshark only shows you your traffic on your computer, not your network. Doing it network wide requires a special setting on the router which doesn't normally exist.
-
Nicholas Stuart over 13 years
Okay, so I can't mod my router to help show traffic on the network. What about setting Linux up as a router? I'd enable wifi on the device, then set up a Linux box as a DHCP server, set it up as a "gateway" and all IP_Forwarding. Would this allow that Linux box to view the packets passing through?
-
Karl Bielefeldt over 13 years
Yes, that would work. You just need the router to be between the wireless interface and the Internet.
-
Spiff over 13 years
@Lord.Quackstar grossly oversimplified. Sniffers like Wireshark can put your interface into promiscuous mode, so it sees all traffic on your hub, regardless of address. If you're on a switch, you won't see others' unicast traffic, but you'll still see their multicast/broadcast traffic. If you have a manageable switch (no router needed) you can enable port mirroring so another port's traffic gets copied to your sniffer's port so you can see it. 802.11 monitor mode sniffers even can see all traffic on an entire 802.11 channel, regardless of which wireless AP / network it is on.
-
Spiff over 13 years
To whoever voted to close: This is not off-topic at all. This is a PC network sniffing / Wireshark question, nothing really Android-specific about it at all.
-
Nicholas Stuart over 13 years
@Spiff and a Router would qualify as a "switch", so the unicast info isn't being seen by every host. So would putting the gateway as a linux machine with IP_FORWARD enabled work?
-
HiFi over 13 years
@Spiff And please tell me how many consumer grade routers/switches let you set up a "sniffer port" or forced global rebroadcasting?
-
Spiff over 13 years
@Lord.Quackstar, your question seems like a non-sequitur. I took issue with the first 23 words of your comment, not the last 4.
-
Nicholas Stuart over 13 years
Thanks for this recommendation, but my Wifi doesn't work with it.
-
whitequark over 13 years
@Nicholas: doesn't work with what? Linux? Monitor mode? Can you post the name or PCI/USB IDs of your NIC so I can check if it is really supported?