
I want to monitor the HTTP traffic of all clients connected via wifi to my wireless router. I want to capture the traffic with my Notebook which is also wirelessly connected to the router.

Hardware & Software setup:

Capturing with: Intel 7260 Wireless, Ubuntu 14, Wireshark & Aircrack-ng

Client to monitor: Android Smartphone

Router: Wireless Router 2.4GHz 802.11n, fixed wifi channel


What I did till now (without any success):

`sudo airmon-ng start wlan0`

// mon0 is started successfully

`gksu wireshark`

// warns me that I should not run it as root, but I want to see that this works first; I'll take care of security later

In Edit -> Preferences -> Protocols -> IEEE 802.11:

Reassemble fragmented 802.11 datagrams: true

Ignore vendor-specific HT elements: false

Call subdissector for retransmitted 802.11 frames: true

Assume packets have FCS: false

Ignore the Protection bit: Yes with IV

Enable Decryption: true

Decryption Keys: wpa-pwd, mywlanpassword:myrouterssid

In the capture options:

Capture Interface: mon0

promiscuous mode: true

snaplen: default

buffer: 2mib

monitor mode: disabled

// I also tried with true, but it doesn't seem to make a difference; since I used airmon-ng I suppose monitoring is already enabled

Display options: all true

Name resolution: all false

After starting the capture I disable WiFi on my smartphone and re-enable it. I can see that some MDNS packets are captured and a one-time IGMPv2 packet. But when I browse on the phone (normal HTTP sites, no network compression activated) or use any apps that would connect to an online service, I don't see any HTTP or TCP traffic for the smartphone. If I start the browser on my notebook I see all browser traffic (HTTP requests, responses, files etc.).

Am I missing something?

Ohnana

nosharky

2 Answers

You said you wanted to monitor the HTTP traffic. Not all network traffic (e.g., DNS, SSH, etc.). You didn't say whether it was passive or active monitoring. You haven't stated whether the systems being monitored are under your control or not. (I.e., can you make a configuration change on them?). If you only want all the HTTP/HTTPS traffic, and you have the ability to configure the devices a bit, then use a proxy. Set up Burp or WebScarab or Charles proxy on your laptop. Make sure it is listening on your regular network IP address (not just localhost, which is the default). Then, you need to get all the various devices to use your laptop as their HTTP proxy. Caveat: if your laptop is not there or if the proxy program is not running, the devices will not be able to use any HTTP/HTTPS services.

Now, to get devices routing their HTTP through your proxy, you have 2 choices: manually configure them or try to get your network to give out your proxy as information with the DHCP leases.

To manually configure a client, go into its settings and look for the proxy setting. Enter the IP address of your laptop and the port number that it is listening on. (e.g., 192.168.1.10:8080). All HTTP traffic from that device (if you do it at the OS level) or from that browser (if you only configure the web browser) will now route through your laptop.

Depending on how handy you are with your DHCP server, you can use information like this: https://blog.x-way.org/Networking/2012/12/30/Automatic-Proxy-Configuration-via-DHCP.html to cause networking clients to automatically receive the information telling them to use your proxy whenever they connect to the network.

This will give you full ability to not only monitor but to even tamper with the data passing out of whatever device uses your proxy. Remember that TLS connections will start issuing warnings (because your laptop is not truly the end system, and the certificate will be bogus). Some mobile apps (e.g., banking apps) may refuse to run because they can detect the man-in-the-middle.

If you're only interested in HTTP/HTTPS traffic, and you can configure the devices, then this is a pretty good way to do it.

Paco Hope

You need to 100% make sure monitor mode is enabled, since otherwise you will only see your own traffic:

If you're trying to capture network traffic that's not being sent to or from the machine running Wireshark or TShark, i.e. traffic between two or more other machines on an Ethernet segment, or are interested in 802.11 management or control packets, or are interested in radio-layer information about packets, you will probably have to capture in "monitor mode"

https://wiki.wireshark.org/CaptureSetup/WLAN

Also just check the airmon status with `airmon-ng` and `airmon-ng check` to make sure it's on and no conflicting processes are up. If some processes interfere, use `airmon-ng check kill` and you should be able to go into monitor mode.

AdHominem

I believe the `sudo airmon-ng start wlan0` command OP ran should enable monitor mode. – tlng05 Jan 30 '16 at 18:01

That should be the case, however you can never be sure depending on which processes run in the background which can interfere. Also if you set it to false in Wireshark this should definitely disable monitor mode. – AdHominem Jan 30 '16 at 18:05
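A diagnostic an engineer would add at this point (example code, not from the question or either answer): parse raw radiotap/802.11 frames from a monitor-mode capture and count, per station, how many are management, WPA-protected data, clear data or EAPOL handshake frames. The MAC addresses and sample frames are constructed; real input would be the frame bytes of a pcap with link type 127 (radiotap).

```python
# Added diagnostic example (not from the question or answers); sample frames below are constructed.
import struct

PROTECTED_BIT = 0x40                                # Protected Frame flag, Frame Control byte 2
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP header + EtherType 0x888E (EAPOL)

def parse_frame(raw):
    """Parse one radiotap + 802.11 frame (pcap link type 127); None if too short."""
    rt_len = struct.unpack_from("<H", raw, 2)[0] if len(raw) >= 8 else len(raw)  # radiotap length, LE
    hdr = raw[rt_len:]
    if len(hdr) < 10:
        return None
    ftype, subtype = (hdr[0] >> 2) & 0x3, hdr[0] >> 4
    info = {"type": ftype, "subtype": subtype, "protected": bool(hdr[1] & PROTECTED_BIT),
            "tx": None, "eapol": False}
    if ftype == 1 or len(hdr) < 24:                 # control frames (ACK, CTS) carry no addr2
        return info
    info["tx"] = ":".join(f"{b:02x}" for b in hdr[10:16])   # addr2 = transmitter address
    if ftype == 2 and not info["protected"]:
        body = 26 if subtype & 0x8 else 24          # QoS data frames add a 2-byte QoS field
        info["eapol"] = hdr[body:body + 8] == LLC_SNAP_EAPOL
    return info

def station_report(frames, station_mac):
    """Count management, protected data, clear data and EAPOL frames sent by one station."""
    rep = {"frames": 0, "mgmt": 0, "data_protected": 0, "data_clear": 0, "eapol": 0}
    for raw in frames:
        f = parse_frame(raw)
        if not f or f["tx"] != station_mac.lower():
            continue
        rep["frames"] += 1
        if f["type"] == 0:
            rep["mgmt"] += 1
        elif f["type"] == 2:
            rep["data_protected" if f["protected"] else "data_clear"] += 1
            rep["eapol"] += int(f["eapol"])
    return rep

def build_frame(fc0, fc1, tx, payload=b""):
    bssid = bytes.fromhex("001122334455")           # constructed AP address
    hdr = bytes([fc0, fc1, 0, 0]) + bssid + bytes.fromhex(tx.replace(":", "")) + bssid + b"\x10\x00"
    return bytes([0, 0, 8, 0, 0, 0, 0, 0]) + hdr + payload   # minimal 8-byte radiotap header

PHONE = "a4:b5:c6:d7:e8:f9"                        # constructed station MAC
SAMPLE = [
    build_frame(0x40, 0x00, PHONE),                                        # probe request (management)
    build_frame(0x08, 0x01, PHONE, LLC_SNAP_EAPOL + b"\x02\x03\x00\x5f"),  # EAPOL-Key, sent in the clear
    build_frame(0x88, 0x41, PHONE, b"\x00\x00" + bytes(16)),               # QoS data with Protected bit
    bytes([0, 0, 8, 0, 0, 0, 0, 0, 0xd4, 0, 0, 0]) + bytes.fromhex("001122334455"),  # ACK: no addr2
]
```

Zero frames for the station points at monitor mode or the channel; protected data frames with no EAPOL frames mean the capture works but Wireshark has no 4-way handshake from which to derive the key for the wpa-pwd entry.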