4

In my home network my own PC is connected with a wire to the router. I want to do some analysis on the packets so I got an old laptop and tried to sniff my PC packets with the laptop (that is connected on WiFi).

Unfortunately I couldn't see my PC packets on the laptop with Wireshark (even after enabling promiscuous mode).

I was wondering why?

Cars Data
  • 3
    You want to sniff the packets on the wire using wifi? Those are 2 different networks. The packets don't travel to the other network unless there is a specific reason to. – schroeder Jun 21 '17 at 13:41
  • Why not run Wireshark on your wired PC? – schroeder Jun 21 '17 at 13:42
  • That's what I want to do. Currently I am also thinking about creating a basic client-server. The client will sit on my PC and will send all the packets to the server and there they will be analyzed. – Cars Data Jun 21 '17 at 13:43
  • For my own reasons I don't want the analyzing process to be running on my own PC. – Cars Data Jun 21 '17 at 13:43
  • 2
    If the server is on wifi and the client is on the wired network, then there is reason for packets to go to the other network – schroeder Jun 21 '17 at 13:44
  • If you make a mirror port of your network then your problem should be resolved; check my answer – Saket Mittal Jun 25 '17 at 14:21

4 Answers

2

With the infrastructure you're going to have sitting around your house, and your lack of advanced networking knowledge, you're not going to be able to sniff packets on your desktop using a laptop.

While your desktop is connected to your home router, traffic between your desktop and router will not be replicated over other router ports or over wifi. Traffic from your desktop gets routed exactly to where it needs to go.

While your desktop is connected to a home switch, the same logic applies-- traffic between your desktop and switch will not be replicated over other ports either (unless you ARP flood it and your switch is susceptible to this attack).

What you're trying to do would have been possible 20 years ago if you connected a consumer hub between your desktop and router, since traffic on those got blasted to every port, but hubs don't support modern network speeds so they've fallen by the wayside. The modern replacement is a network tap but you can't just buy one of those at your local Best Buy ($$$)

Given your environment you'd be best off generating pcap files on the source box and shuttling those elsewhere for analysis. Use daemonlogger instead of Wireshark for this sort of task; Wireshark is way too bloated and doesn't handle file rotation.

Ivan
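Added example (not part of the answer above, and not code from any tool named on this page): a minimal reader for the analysis side of that workflow, which takes a classic-format pcap file copied off the source box and totals bytes per IPv4 flow. The sample capture, its addresses and all function names are constructed for illustration; the reader stops cleanly at a record cut off by file rotation or an incomplete copy.

```python
import struct
from collections import Counter

# Classic libpcap magic numbers as seen when the first 4 bytes are read little-endian.
MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">", 0xA1B23C4D: "<", 0x4D3CB2A1: ">"}

def read_pcap(data):
    """Yield (ts_sec, orig_len, frame) for every complete record in a pcap byte string."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng is a different format)")
    end = MAGICS[magic]  # byte order of the machine that wrote the file
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _frac, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):  # record cut off mid-rotation or mid-copy
            break
        yield ts_sec, orig_len, data[off:off + incl_len]
        off += incl_len

def ipv4_flows(data):
    """Total on-the-wire bytes per (src, dst, IP protocol number)."""
    flows = Counter()
    for _ts, orig_len, frame in read_pcap(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # skip non-IPv4 frames
            continue
        ip = frame[14:]
        src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
        flows[(src, dst, ip[9])] += orig_len
    return flows

def sample_capture():
    """Constructed sample: two IPv4/TCP frames plus a third record cut off mid-copy."""
    def frame(src, dst, payload):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                         bytes(src), bytes(dst))
        return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + payload
    pc, remote = (192, 168, 1, 10), (192, 0, 2, 1)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in (frame(pc, remote, b"a" * 10), frame(pc, remote, b"b" * 30)):
        out += struct.pack("<IIII", 1498052460, 0, len(f), len(f)) + f
    return out + struct.pack("<IIII", 1498052461, 0, 100, 100) + b"\x00" * 20

if __name__ == "__main__":
    print(dict(ipv4_flows(sample_capture())))
```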
1

Your problem is with the separate networks and how your router is probably segmenting the networks. Even if the IP addresses used on the wired and wifi segments are within the same range, the "physical" networks (yes, the wifi is a physical network layer in the context of the OSI model) are separate and your router is probably only bridging traffic (not broadcasting all traffic in the segment).

What that means -- if the traffic is going from the workstation to the router, or to the Internet, or to anyplace NOT on the wifi network, then the router will not share that traffic on the wifi segment -- so your laptop can't see it.

0xSheepdog
  • Network gurus, please correct me if my terminology is off a bit. I'm a long time "systems" person who has learned a lot of networking by necessity and doing, but I don't always have the right vernacular. – 0xSheepdog Jun 21 '17 at 14:40
0

If you are using a virtual machine - it could be to do with your network adaptor. Try switching between NAT and using a bridged network/physical replication.

LD_Sec
0

Try to implement the mirroring (SPAN port) concept.

In this way you can capture all of the info from your wifi router from however many users are using it at that time.

How to configure Port Mirror on TP-Link routers?

Saket Mittal