-2

I am running Ubuntu Linux and have installed Wireshark on it. I can see the incoming and outgoing traffic just fine. Now I want to see the traffic from other devices which are on my LAN. So, I did:

$ ifconfig wlan0 promisc

Now I pick up my phone, which is on the same network (LAN), and go to stackoverflow.com. Then I come back to Wireshark, stop the capture, and filter the traffic with http, but there is nothing. What did I miss?

Anonymous

2 Answers

2

What you missed is that promiscuous mode only captures traffic that your promiscuous NIC sees. It doesn't have magical powers to go out onto the network and collect packets destined for other NICs. Modern networks use switches, which inspect the destination addresses of packets and only send each one to the port it needs to go to, rather than broadcasting it to all ports (which is what traditional Ethernet, as embodied by shared-medium methods such as 10Base2, and emulated with twisted-pair "hubs", did).

Further, despite 802.11 series standards using a shared medium (radio waves), promiscuous mode (more properly called "monitor mode" in the wireless world) may or may not work depending on the wireless chipset and driver, because many devices are implemented in such a way that they don't allow sufficient control to actually cause the physical hardware to pass packets not intended for the station up to the OS. This is also dependent on the security mode of the network; WPA uses per-device session keys, so you can't see the traffic to other stations because it's encrypted by a key you don't know.

womble
  • Ok, what if I turn on the monitor mode? Will that let me see the incoming and outgoing traffic of all the devices on my home network? – Anonymous Aug 29 '15 at 07:04
0

I infer from "wlan0" that this is a Wi-Fi network. That means you need to capture in monitor mode. If this is a "protected" network, using WEP or WPA/WPA2 to encrypt traffic, you will also need to supply the password for the network to Wireshark and, for WPA/WPA2 networks (which is probably what most protected networks are these days), you will also need to capture the phone's initial "EAPOL handshake" when it joins the network, so you'd want to put your phone to sleep (turning it off should put it to sleep), start a capture, and then wake it up (turn it on) and access Stack Overflow.

See the Linux section of the "how to capture on an 802.11 network" page and the "how to decrypt 802.11 traffic" page on the Wireshark Wiki.
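
An added example, not part of either answer: the decryption procedure in the second answer depends on the phone's EAPOL handshake being in the capture, and the Wireshark wiki it points to asks for all four handshake messages. This Python code classifies EAPOL-Key frames by their Key Information bits and reports which messages are missing per station; the MAC addresses and frames are constructed samples, and telling message 2 from message 4 by key-data length is a heuristic assumed here.

```python
import struct

# Key Information flag bits of an EAPOL-Key frame (802.11 4-way handshake)
PAIRWISE, INSTALL, ACK, MIC = 0x0008, 0x0040, 0x0080, 0x0100

def classify_eapol_key(frame: bytes):
    """Return 1-4 for a pairwise handshake message, else None.
    `frame` starts at the 802.1X header (version, type, length)."""
    if len(frame) < 99 or frame[1] != 3:      # 802.1X type 3 = EAPOL-Key
        return None
    (key_info,) = struct.unpack_from(">H", frame, 5)
    (key_data_len,) = struct.unpack_from(">H", frame, 97)
    if not key_info & PAIRWISE:               # group-key update, not the 4-way handshake
        return None
    ack, mic = bool(key_info & ACK), bool(key_info & MIC)
    if ack:
        if not mic:
            return 1
        return 3 if key_info & INSTALL else None
    if mic:
        # Assumed heuristic: message 2 carries key data, message 4 carries none
        return 2 if key_data_len else 4
    return None

def missing_messages(frames):
    """Map each station to the handshake messages absent from the capture."""
    seen = {}
    for station, frame in frames:
        msg = classify_eapol_key(frame)
        if msg:
            seen.setdefault(station, set()).add(msg)
    return {sta: sorted({1, 2, 3, 4} - msgs) for sta, msgs in seen.items()}

def sample_frame(key_info, key_data=b""):
    """Build a constructed EAPOL-Key frame with zeroed nonce, IV and MIC."""
    body = struct.pack(">BH", 2, key_info) + bytes(90)
    body += struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 2, 3, len(body)) + body

# Constructed capture: the phone's full handshake, and a second station whose
# first two messages were sent before the capture started.
PHONE, OTHER = "02:00:00:00:00:01", "02:00:00:00:00:02"
KEY_DATA = b"\x30\x14" + bytes(20)            # constructed stand-in for an RSN element
CAPTURE = [
    (PHONE, sample_frame(0x008A)), (PHONE, sample_frame(0x010A, KEY_DATA)),
    (PHONE, sample_frame(0x13CA, bytes(56))), (PHONE, sample_frame(0x030A)),
    (OTHER, sample_frame(0x13CA, bytes(56))), (OTHER, sample_frame(0x030A)),
]

if __name__ == "__main__":
    for station, missing in missing_messages(CAPTURE).items():
        print(station, "complete" if not missing else f"missing {missing}")
```

A station that reports missing messages needs to rejoin the network while the capture is running, which is what the sleep-and-wake step in the answer achieves.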