12

Setup

  • PC running Wireshark, connected to the network wirelessly (if OS variation is an issue, use Wireshark on Linux).

  • Another device connected, wireless, to the same LAN.

  • Wireless network uses WPA2 encryption

Question

Using Wireshark on my PC, how do I capture ALL packets, sent and received, by the other device on the LAN?

Example

I want to use Wireshark, running on Debian, to capture all YouTube packets coming and going to and from an Android device on my same network.

schroeder
Mars
  • You might want to clarify if the device doing the snooping is also wireless, or wired. If it's wireless, the currently top voted answer is right (with a few minor corrections) but if wired, you are in a pickle without more elaborate hardware tricks (assuming you can't snoop *from* the router) – Jeff Meden Apr 12 '16 at 18:52
  • Updated the question to reflect that. I tried the -currently- top voted answer when I posted this question, but it didn't work for me. I had to use other methods. I'd still like to know how to do this though. – Mars Apr 12 '16 at 18:58
  • See my updates (when they get posted), the premise does work but there were a few steps left out that are necessary. Also one other question nitpick, sorry. You are asking to capture all packets: this is trivial and I think you mean *decrypt* all packets, right? – Jeff Meden Apr 12 '16 at 19:11
  • It just clicked that you specifically asked about Youtube. Youtube is now (not sure when this happened) a https-always site. So, when you do defeat WPA, you will see a stream of nicely laid out, TLS-encrypted packets. – Jeff Meden Apr 12 '16 at 20:38

4 Answers

10

If you are both using WiFi (with WPA-based pre-shared key encryption), things are really dead simple (which wouldn't have been the case if you were on a wired network):

  • Launch Wireshark on your computer
  • Set WPA key in Wireshark's settings
  • Start the packet capture on your wireless interface (in Linux you should be putting your wireless device in Monitor mode to gather all packets)
  • Force the target device to reassociate with the AP (turn wifi off/on, turn AP off/on, etc)
  • Observe 4-way handshake with Wireshark (thanks to prev step)
  • Do whatever you want on your Android device to generate traffic
  • See your wireless traffic unencrypted in Wireshark
  • Enjoy!

With the WPA keys set in Wireshark, it will decrypt packets on-the-fly, allowing you to view your Android device's traffic.

Edited to include the necessary step for decrypting WPA-protected traffic, which is observing the 4-way handshake.

Jeff Meden
mdeous
  • I've just experimented with this for about an hour trying to get it to work, but hey, nothing as magical as this would've been should just work! Complaining aside, I have WPA2-PSK + AES encryption key set on my network, I tried using wpa-pwd setting with [WiFi key] and failed, tried wpa-psk [WiFi Key + SSID = Generated PSK] and yet still failed, tried various formatting options in inputting those aforementioned trials such as [key:SSID] and [wpa-psk:key:SSID] and failed. I read the documentation you provided and tons more on Google. So thank you for the heads up, never knew this exists – Mars Jul 21 '14 at 03:00
  • This won't work as easily as @MatToufoutu has described. It does for Wired LANs, but the picture is more complex in wireless. You don't typically have "Promiscuous Mode" on wireless LAN adapters. More typical is "Monitor Mode", but this is not available in all adaptors or is commonly disabled. You could try out specialist hardware such as AirPCAP http://wiki.wireshark.org/CaptureSetup/WLAN – robert Oct 17 '14 at 16:35
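The comment above about the wpa-pwd versus wpa-psk key formats is the usual stumbling block with the answer's steps. The following is an added example, not code from the thread or from any answerer: it derives the PSK that Wireshark's wpa-psk entry expects from a passphrase and SSID, shows both equivalent key-table entries, and builds the tshark command line that decrypts on the fly. The passphrase/SSID pair is the published IEEE 802.11i test vector, not a real network; the interface name wlan0mon and output file name are assumptions.

```python
import hashlib

# Constructed sample values: the IEEE 802.11i Annex PSK test vector, not a real network.
SAMPLE_PASSPHRASE = "password"
SAMPLE_SSID = "IEEE"


def wpa_psk(passphrase: str, ssid: str) -> str:
    """Derive the 256-bit WPA/WPA2 PSK: PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID, 4096 iterations, 32 bytes. Returned as 64 hex chars,
    which is the form Wireshark's "wpa-psk" key entry expects."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


def wireshark_key_entries(passphrase: str, ssid: str) -> dict:
    """The two equivalent entries for Wireshark's IEEE 802.11 decryption key table:
    "wpa-pwd" takes passphrase:SSID and derives the PSK itself, "wpa-psk" takes
    the pre-derived hex PSK. Both decrypt the same captured 4-way handshake."""
    return {
        "wpa-pwd": f"{passphrase}:{ssid}",
        "wpa-psk": wpa_psk(passphrase, ssid),
    }


def tshark_command(iface: str, passphrase: str, ssid: str, outfile: str) -> list:
    """argv for a tshark capture that decrypts on the fly. Assumes iface (the assumed
    "wlan0mon" below) is already in monitor mode; the key is passed through the
    80211_keys UAT, so no GUI preference editing is needed. Exec directly, no shell."""
    psk = wireshark_key_entries(passphrase, ssid)["wpa-psk"]
    return [
        "tshark", "-i", iface,
        "-o", "wlan.enable_decryption:TRUE",
        "-o", f'uat:80211_keys:"wpa-psk","{psk}"',
        "-w", outfile,
    ]


# Display filter to confirm the capture holds the EAPOL 4-way handshake for the
# client: without those frames Wireshark has no session keys and decrypts nothing.
HANDSHAKE_FILTER = "eapol"

if __name__ == "__main__":
    print(wireshark_key_entries(SAMPLE_PASSPHRASE, SAMPLE_SSID))
    print(tshark_command("wlan0mon", SAMPLE_PASSPHRASE, SAMPLE_SSID, "capture.pcapng"))
```

If the handshake filter matches nothing after the client reconnects, the capture was started after the association or the adapter is not in monitor mode, and the decrypted view will stay empty.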
3

Well, it wouldn't be the easiest (or best idea) to capture traffic directly from your computer or Android device. When I want to do this type of thing, I fire up SSH to my wireless router and do tcpdump -i br0 so that I can capture traffic from EVERY single device that's accessing the internet through my router. If you can SSH into your WiFi router and have tcpdump in your router's BusyBox (or any other embedded Linux), then you're ready to go. Just do the command above.

H3lp3ingth3p33ps
  • So I understand it's NOT possible to capture the packets of a third-party device on my Network? I ask this because I've read the SSH and TCP dump technique somewhere, but it's way beyond my scope of knowledge as of yet! – Mars Jul 20 '14 at 19:02
  • Yes, it is possible, but you need to set a proxy on your localhost (computer) so that you can let other devices connect to it and you monitor the traffic. I used to do this with Fiddler2 with my iPad, when I was into trying to hack Clash of Clans :I (this is another way, entirely different than my first answer) – H3lp3ingth3p33ps Jul 20 '14 at 19:04
  • Well, I understand clearly how the localhost proxy would work; I'll need to learn how to set it up and try it. – Mars Jul 20 '14 at 19:16
0

Let's assume you don't want to perform a MITM attack (man-in-the-middle attack), which is slightly more difficult to set up. I would suggest a network-based solution:

  1. Set up an access point
  2. Connect your access point to a hub (using a regular network cable)
  3. Connect your computer (where Wireshark is supposed to be running) to the hub (using a regular network cable)
  4. Connect your hub to a router (again, using a regular network cable)
  5. Start sniffing with Wireshark :)
  6. Connect your Android or any other mobile device to the access point (WiFi)
user575915
  • I only have a router, it's the Access Point as well as the Modem, though I'm not sure how that's different from a "hub". – Mars Jul 21 '14 at 03:19
  • Your router is also a switch, which means you can't see traffic for which you're not the destination, while with a hub, traffic is sent to every device connected to it, allowing you to see all the traffic that goes through the hub – mdeous Aug 20 '14 at 12:17
0

I was actually playing around with this a few weeks ago, though using Burp instead of Wireshark. I routed traffic through my pentesting box by using a software-defined router and redirecting with iptables' REDIRECT target over an SSH tunnel. This is possibly overkill, but it allows you to redirect traffic wherever you want it. You could also do this from a router that runs Linux.

Other options include setting up your computer as an access point and connecting your device to it, or using the technique described by @MatToufoutu, having Wireshark decrypt traffic, but then you might miss some traffic that is hidden by noise or out of range.

David
  • I believe that while doing his tests, OP's phone and computer should be next to each other, so distance shouldn't be a problem ^^ (at least, I did this many times and never noticed any loss) – mdeous Jul 21 '14 at 01:26