Sniff packets from router

1

So I have a TP-Link router and I want to sniff all the packets going through the router. I'm using Wireshark right now but I'm not able to get the packets which pass through my router.

So what I've tried so far:

1) If I create a hotspot on my laptop and connect other devices to my laptop's hotspot, then I'm able to see the packets going through my PC. But that's not all I need.

2) I bought a LAN cable, one end connected to my PC's port and the other end connected to the router's LAN port. I chose LAN Traffic in Wireshark, but still I'm not able to access the packets going through the router.

3) Can I force all websites to run on HTTP rather than HTTPS on my own network?

Is there any other way to do this?

Thank You!

JohnMD

Posted 2015-12-10T19:44:20.247

Reputation: 25

You will need a tap device on the line between the router and the ISP demarc in order to see ALL traffic coming into and out of the router. As for encryption, no, you cannot force a website that wants you to use HTTPS to use HTTP. The webserver has protocol handlers attached to specific ports, and an HTTP-only server does all its business on a non-80 port. That means you would get gibberish, and failure. The best you can hope to do is to put a device inline to transparently swap the certificate in use, so you could decrypt the traffic. – Frank Thomas – 2015-12-10T21:00:24.290

Answers

1

Remember: these days everything with more than one port has a switch in it. So your only chance to redirect traffic to your computer is by DNS poisoning or ARP spoofing.

No, you can't force websites to use only HTTP. First of all, major sites these days don't even provide any service over HTTP except for redirecting to HTTPS. Second, the HSTS header prevents browsers from accessing them via HTTP, and that HTTPS-only flag is set on first access, so it is likely already set on every machine for Google, Facebook, Twitter etc. Basically, the one way to sniff traffic of these sites is using solutions like mitmproxy.

I don't know if you want to go that far, but many times I have replaced the factory firmware with OpenWRT on TP-Links (at this moment I am accessing the Internet via such a reflashed OpenWRT on a TL-WDR3600). There is a tcpdump package, so the task is pretty straightforward: write a file with tcpdump -w, then fetch that file from the router via scp and analyze it with Wireshark on the PC.

After all, OpenWRT is so feature-rich that even the loss of warranty is not a concern for me. I also tried DD-WRT, and no, it is not as good as OpenWRT, but still both of them are way better than the original firmware.

Nikita Kipriyanov

Posted 2015-12-10T19:44:20.247

Reputation: 505

Awesome explanation!! Thank you so much. I have one doubt: will mitmproxy work on the entire network or just on the PC it is installed on? – JohnMD – 2015-12-11T04:27:16.693

If you succeed in setting up the router to redirect all HTTP(S) traffic to your mitmproxy, it will work for the entire network. I didn't try it myself, but it looks like it should be possible even with OpenWRT. – Nikita Kipriyanov – 2015-12-11T05:31:20.993

Okay, thanks! How will I be able to read HTTPS traffic using mitmproxy? I mean, if somebody posts data over HTTPS? – JohnMD – 2015-12-11T05:58:46.400

With a proper setup of mitmproxy, yes. However, this will require you to create a special MitM CA and make it trusted on each computer in the network. This is covered in the documentation; you only have to read and implement it carefully. – Nikita Kipriyanov – 2015-12-11T07:08:26.820

Thanks! Is it possible to sniff an HTTPS connection with mitmproxy even if I don't want to generate a certificate on the client side? Because I don't have access to the victim's device. – JohnMD – 2015-12-12T17:04:26.637

You generate the certificate on your proxy server and only install it on all client devices. If you fail to install it on some device, the user of that device will definitely detect the MitM attack, because their browser will complain that each and every HTTPS site is untrusted. This is the exact reason for HTTPS's existence, after all, so if you couldn't compromise the end system, it will do its work and keep the user safe from any interference with their connection. – Nikita Kipriyanov – 2015-12-12T18:10:55.630

Oh man, awesome explanation!! If you were my professor, seriously, I would attend your every lecture at any time! Thank you so much. +1 rep. – JohnMD – 2015-12-13T04:42:39.353
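The tcpdump-on-OpenWRT workflow from Nikita Kipriyanov's answer above, written out as an added example (not code from the answer or from the OpenWRT project). It assumes the router answers at root@192.168.1.1 with the tcpdump package installed, that the LAN bridge is named br-lan, and that you are running it on your own router; with DRY_RUN=1 it only prints the commands it would run.

```shell
#!/bin/sh
# Capture on an OpenWRT router with tcpdump, then fetch the pcap over scp
# so it can be opened in Wireshark on the PC.
ROUTER="${ROUTER:-root@192.168.1.1}"   # assumed: OpenWRT default LAN address
IFACE="${IFACE:-br-lan}"               # assumed: OpenWRT LAN bridge name
CAPFILE="/tmp/capture.pcap"            # /tmp is RAM-backed on OpenWRT, so the
                                       # capture does not wear the flash

# Build the tcpdump command that runs on the router.
#  -s 0         capture whole frames, not just the first 96 bytes
#  -c COUNT     stop after COUNT packets so router RAM is not exhausted
#  "not port 22" keeps our own ssh session out of the capture
capture_cmd() {
    count="$1"
    printf 'tcpdump -i %s -s 0 -c %s -w %s "not port 22"' \
        "$IFACE" "$count" "$CAPFILE"
}

# Build the scp command that copies the finished capture to the PC.
fetch_cmd() {
    dest="$1"
    printf 'scp %s:%s %s' "$ROUTER" "$CAPFILE" "$dest"
}

# Run both steps; DRY_RUN=1 prints them instead of executing.
run_capture() {
    count="$1"
    dest="$2"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "ssh $ROUTER '$(capture_cmd "$count")'"
        fetch_cmd "$dest"
        echo
    else
        ssh "$ROUTER" "$(capture_cmd "$count")"
        scp "$ROUTER:$CAPFILE" "$dest"
    fi
}

# Example invocation: 1000 packets, saved next to this script.
# DRY_RUN=1 run_capture 1000 ./capture.pcap
```

Open the fetched file with Wireshark (or `wireshark ./capture.pcap`) and apply display filters there rather than narrowing the capture filter on the router, which has far less RAM and CPU.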

1

You will need to set your router to mirror all traffic (if your router supports it) to the port your PC is connected to.

Alternatively, you can try a MITM attack with ARP spoofing to force traffic to go through your computer (do this only on your own network).

Some sites only allow HTTPS connections. You could set up a proxy on your network to monitor HTTP traffic.

Sim

Posted 2015-12-10T19:44:20.247

Reputation: 111

Okay! Thank you for the quick response. In the second question, I mentioned that I'm currently connected to the router with the LAN cable. Why can't I still access the packets? – JohnMD – 2015-12-10T20:17:33.047

Your router is working as a switch (port isolation) locally, not as a hub. – Sim – 2015-12-10T20:30:30.580

@JohnMD You are connected to the router via an in-built switch. This means that only traffic intended for your computer goes to your computer. If your computer were the only one connected to the switch, then you would see all the traffic. It is not, so you don't. It is possible that you will need to set your Ethernet card to promiscuous mode if Wireshark/WinPcap does not take care of that.

– Andrew Morton – 2015-12-10T20:32:09.887