I'm experimenting with packet sniffing and log examination using Wireshark, and I'm quickly realizing that I'm not nearly as safe as I should be when using public hot spots. In an effort to better protect myself, I'm trying to learn the tools of the trade, as it were, and figure out just what I'm leaking, and how to find it.
I have a 2011 Macbook Pro, and I'm using the airport command (Google will help you create a symlink if you're interested) to sniff packet data using my wireless card (en1) on a specific channel.
sudo airport en1 sniff 6
In 60 seconds I captured about 2MB worth of data. I live in an apartment complex, and a scan showed (unsurprisingly) that most of the networks were on channel 6, so that's the one I sniffed. (This is also the channel that my WiFi router uses.)
But, to the question: While I was sniffing the channel, I used a second device with WiFi to connect (insecurely, over HTTP) to Facebook and logged in. The goal for this exercise was to determine if I could find my own password stashed in the packets somewhere.
I tried using a few different filters in Wireshark to narrow down the traffic, but nothing seemed to match the filters I tried:
http.request.uri matches "facebook"
And also:
ip.addr == 66.220.149.76
(This is the IP for m.facebook.com; I was using a smartphone.)
But no traffic seemed to match the filter. I'm very new to this, so I'm not sure which step I have fumbled.
- Does it matter that my router does not broadcast an SSID?
- Are my filters correctly formatted/defined?
- Should I be scanning on a different channel? My router is specifically set to 6, not Auto or any other option.
Interestingly enough, that filter doesn't work either. I opened the packet file using TextWrangler and was able to search for "facebook" (and found a couple of mentions of it), but Wireshark still finds nothing when using any of the filters. – Craig Otis – 2011-12-14T23:31:38.157
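The check worth running on a capture like this before blaming the display filters, as an added example that is not code from the question: a stdlib-only Python script that walks a libpcap file of monitor-mode 802.11 frames (raw or radiotap-prefixed), counts data frames with the Protected bit set in the frame control field, pulls SSIDs from beacons (a non-broadcasting router sends an empty SSID element, which the script counts as hidden), and reports whether a needle such as "facebook" shows up in plaintext data frames or only inside protected ones. Both filters quoted in the question are syntactically valid Wireshark display filters. On a WPA/WPA2 network, however, the payload of every data frame is encrypted at the 802.11 layer, so the http.* and ip.addr fields do not exist for Wireshark to match until the capture is decrypted with the network's key (IEEE 802.11 protocol preferences, decryption keys); a hidden SSID changes nothing about what monitor mode records. The sample capture built by build_sample_pcap is constructed for this example; its MAC addresses, SSID and payload bytes are made-up values, and the plaintext frame deliberately skips real LLC/IP/TCP framing.

```python
"""Triage a monitor-mode 802.11 capture: how much of it can a higher-layer display filter see?"""
import struct

LINKTYPE_IEEE802_11 = 105           # raw 802.11 frames
LINKTYPE_IEEE802_11_RADIOTAP = 127  # 802.11 frames preceded by a radiotap header


def pcap_records(data):
    """Yield (linktype, frame_bytes) for every record of a classic libpcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    off = 24  # end of the 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len


def strip_radiotap(frame):
    """Radiotap header: version(1) pad(1) length(2, little-endian) ...; return what follows it."""
    rt_len, = struct.unpack_from("<H", frame, 2)
    return frame[rt_len:]


def beacon_ssid(frame):
    """SSID element of a beacon / probe response, or None when absent or hidden (empty / all NUL)."""
    off = 36  # 24-byte MAC header + 12 bytes of fixed parameters, then tagged parameters
    while off + 2 <= len(frame):
        tag, length = frame[off], frame[off + 1]
        value = frame[off + 2:off + 2 + length]
        if tag == 0:
            return value.decode("utf-8", "replace") if value.strip(b"\x00") else None
        off += 2 + length
    return None


def triage(pcap_bytes, needle=b"facebook"):
    """Count frame types, protected data frames, SSIDs, and where the needle string is visible."""
    s = {"mgmt": 0, "ctrl": 0, "data": 0, "data_protected": 0, "ssids": [],
         "hidden_ssid_beacons": 0, "needle_in_plaintext": 0, "needle_in_protected": 0}
    for linktype, frame in pcap_records(pcap_bytes):
        if linktype == LINKTYPE_IEEE802_11_RADIOTAP:
            frame = strip_radiotap(frame)
        elif linktype != LINKTYPE_IEEE802_11:
            raise ValueError("not a monitor-mode 802.11 capture (linktype %d)" % linktype)
        fc0, fc1 = frame[0], frame[1]
        ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
        protected = bool(fc1 & 0x40)  # Protected Frame bit: payload is WEP/TKIP/CCMP ciphertext
        body = frame[24:]
        if ftype == 0:
            s["mgmt"] += 1
            if subtype in (5, 8):  # probe response / beacon carry the SSID element
                ssid = beacon_ssid(frame)
                if ssid is None:
                    s["hidden_ssid_beacons"] += 1
                elif ssid not in s["ssids"]:
                    s["ssids"].append(ssid)
        elif ftype == 1:
            s["ctrl"] += 1
        elif ftype == 2:
            s["data"] += 1
            if protected:
                s["data_protected"] += 1
                s["needle_in_protected"] += needle in body
            else:
                s["needle_in_plaintext"] += needle in body
    return s


def _frame(fc0, fc1, body):
    """Minimal 802.11 frame: frame control, duration, three (made-up) addresses, sequence, body."""
    hdr = struct.pack("<BBH", fc0, fc1, 0) + bytes.fromhex("ffffffffffff")
    hdr += bytes.fromhex("0211223344aa") * 2 + b"\x00\x00"
    return hdr + body


def build_sample_pcap():
    """Constructed capture: visible beacon, hidden-SSID beacon, one protected and one plaintext data frame."""
    fixed = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, beacon interval, capability info
    frames = [
        _frame(0x80, 0x00, fixed + bytes([0, 10]) + b"ExampleNet"),                 # beacon, SSID shown
        _frame(0x80, 0x00, fixed + bytes([0, 0])),                                  # beacon, SSID hidden
        _frame(0x08, 0x41, bytes.fromhex("0100002000000000") + b"\x93\xf1\x7a\x2c" * 12),  # CCMP data
        _frame(0x08, 0x01, b"GET / HTTP/1.1\r\nHost: m.facebook.com\r\n\r\n"),      # plaintext data
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11_RADIOTAP)
    for i, f in enumerate(frames):
        rec = struct.pack("<BBHI", 0, 0, 8, 0) + f  # 8-byte radiotap header with no fields present
        out += struct.pack("<IIII", 1323900000 + i, 0, len(rec), len(rec)) + rec
    return out


if __name__ == "__main__":
    import sys
    capture = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    result = triage(capture)
    print(result)
    if result["data"] and result["data"] == result["data_protected"]:
        print("every data frame is 802.11-protected; add the network key in Wireshark before filtering on HTTP")
```

Run it against the airport capture (python3 triage.py capture.pcap): a capture in which data_protected equals data tells you the payloads are WPA ciphertext and no http.* field will ever match without decryption; needle hits counted under needle_in_plaintext point at frames (open networks, or your own network after decryption) that a plain-text filter would match, and a non-zero hidden_ssid_beacons count shows a hidden SSID is still perfectly visible as a beacon.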