Wireshark Not Displaying Packets From Other Network Devices, Even in Promisc Mode

5

0

System Setup:

  1. MacBook Air running Mountain Lion and connected wirelessly to a router.
  2. Wireshark installed and capturing packets (I have "capture all in promiscuous mode" checked)
  3. I filter out all packets with my source and destination IP using the following filter (ip.dst != 192.168.1.104 && ip.src != 192.168.1.104)
  4. On the same network as the MacBook, I use an Android device (connecting via WiFi) to make HTTP requests.

Expected Results:

  1. Wireshark running on the MacBook sees the HTTP request from the Android device.

Actual Results:

  1. I only see SSDP broadcasts from 192.168.1.1

Question:
What do I need to do so that Wireshark, like Firesheep, can see and use the packets (particularly HTTP) from other network devices on the same network?


UPDATE

  1. How can I capture other computers traffic in Wireshark on a WiFi-network? seems to imply that it is not possible
  2. This seems to describe my problem: http://seclists.org/wireshark/2010/Jan/70
  3. I am confident the network interface is in promisc mode because when I run ifconfig I get en0: flags=8967<UP,BROADCAST,DEBUG,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500

eb80

Posted 2012-10-31T03:26:25.580

Reputation: 233

Answers

1

If you are not connected via Ethernet to your home router, most likely the home router uses a switch for its LAN ports and not a hub, thus each port has its own collision domain, whereas in a hub the collision domain is shared among all the ports and you would see all traffic on every port.

If you are connected wirelessly, there may be a few issues. First, certain wireless cards' drivers do not support being put into promiscuous mode. Nothing can be done about that unless you want to write your own. Second, if your network is encrypted and you are only seeing layer 2 traffic from various sources and not the higher layer protocols expected (which doesn't appear to be the case), then you must enter the WEP key into Wireshark so it can handle the decryption. WPA and WPA2 decryption get more complicated, as older versions of Wireshark do not support it, and if it is supported, then you must capture the entire handshake taking place between the router and the device (EAPOL packets), as unique keys are generated between the device and router.

Fred Thomsen

Posted 2012-10-31T03:26:25.580

Reputation: 1 307

I am connected wirelessly and I am authenticated using WPA onto the network. I still do not see the packets from other authenticated devices on the network. Do I need to impersonate the IP or MacAddress of the other machines? – eb80 – 2012-10-31T14:57:36.350

1

No, you do not need to spoof your MAC or IP. Go to http://wiki.wireshark.org/HowToDecrypt802.11 and ensure that you have set up the decryption correctly. If it is set up incorrectly, you'll only see encrypted traffic at the layer 2 level. Also you must capture the EAPOL handshake (you can filter on eapol packets) for Wireshark to decrypt on the fly, so cycle (turn off and back on) the Wi-Fi of the device you are trying to capture. Some helpful details here, but for a Linux box: http://wolfhoundsec.blogspot.com/2010/06/monitoring-wpa2-wireless-traffic-w.html. Finally, have a Wireshark version past 0.99.5.

– Fred Thomsen – 2012-11-01T01:24:35.163

errrr... I just spent an hour on this and I still cannot get it to work. 1. I checked by filtering "eapol" and I see four packet frames. 2. I added my WPA-PWD info to the keys. 3. I toggled all different combinations of FCS and protection bit. 4. I am using Wireshark 1.8.3..... what else am I missing? – eb80 – 2012-11-03T21:35:40.580
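Fred Thomsen's answer and the comments above come down to one mechanical point: with WPA/WPA2-PSK every station gets its own pairwise key, derived from the passphrase, the SSID, both MAC addresses and the two nonces exchanged in EAPOL-Key messages 1 and 2. Wireshark can only rebuild that key (and decrypt the HTTP traffic underneath) if the capture contains the handshake and the key list holds a `wpa-pwd:passphrase:ssid` (or `wpa-psk:hex`) entry, which is why a device has to re-associate after the capture starts. The Python example below, added to this thread and not taken from the original post or from Wireshark's code, reproduces that derivation on a constructed four-message handshake: it classifies the EAPOL-Key frames by their Key Info flags, derives the PTK and verifies the MIC on message 2, exactly the check that tells Wireshark whether the passphrase is right. The MAC addresses, nonces, frame builder and function names are this example's own; the passphrase/SSID pair "password"/"IEEE" is the PBKDF2 test vector from IEEE 802.11-2012 Annex M.

```python
"""Constructed WPA2-PSK 4-way handshake: classify EAPOL-Key messages, derive the PTK
from passphrase + SSID + nonces, and verify message 2's MIC (example code added to
this thread; not from the original post or from Wireshark)."""
import hashlib
import hmac
import struct

# EAPOL / EAPOL-Key (RSN descriptor) constants from IEEE 802.1X and 802.11-2012
EAPOL_TYPE_KEY = 3
RSN_KEY_DESCRIPTOR = 2
KI_VERSION_SHA1_AES = 2      # Key Descriptor Version 2: HMAC-SHA1-128 MIC, AES key wrap
KI_PAIRWISE = 1 << 3
KI_INSTALL = 1 << 6
KI_ACK = 1 << 7
KI_MIC = 1 << 8
KI_SECURE = 1 << 9
# Byte offsets inside an EAPOL-Key frame: 4-byte EAPOL header, then the key descriptor
OFF_NONCE, OFF_MIC = 17, 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes); this is what
    Wireshark computes from a 'wpa-pwd:passphrase:ssid' key entry."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenation of HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range((nbytes + 19) // 20))
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK (384 bits for CCMP) from PMK, both MACs and both nonces -> (KCK, KEK, TK).
    The KCK authenticates the handshake; the TK is what decrypts the data frames."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


def build_eapol_key(key_info, replay, nonce, mic=bytes(16), key_data=b""):
    """Build the EAPOL-Key frame Wireshark shows after the 802.11/LLC headers.
    Key IV, RSC and Key ID are left zero for this constructed example."""
    body = struct.pack(">BHHQ", RSN_KEY_DESCRIPTOR, key_info, 16, replay)
    body += nonce + bytes(16) + bytes(8) + bytes(8) + mic
    body += struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 2, EAPOL_TYPE_KEY, len(body)) + body


def parse_eapol_key(frame):
    if frame[1] != EAPOL_TYPE_KEY:
        raise ValueError("not an EAPOL-Key frame")
    return {"key_info": struct.unpack_from(">H", frame, 5)[0],
            "nonce": frame[OFF_NONCE:OFF_NONCE + 32],
            "mic": frame[OFF_MIC:OFF_MIC + 16]}


def handshake_message(key_info):
    """Which of the four handshake messages a frame is, from its Key Info flags."""
    ack, mic = bool(key_info & KI_ACK), bool(key_info & KI_MIC)
    install, secure = bool(key_info & KI_INSTALL), bool(key_info & KI_SECURE)
    if ack and not mic:
        return 1
    if ack and mic and install:
        return 3
    if not ack and mic:
        return 4 if secure else 2
    return None


def eapol_mic(kck, frame):
    """MIC = HMAC-SHA1(KCK, entire EAPOL frame with the MIC field zeroed)[:16]."""
    zeroed = frame[:OFF_MIC] + bytes(16) + frame[OFF_MIC + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def recover_tk(passphrase, ssid, aa, spa, frames):
    """What Wireshark's decryption does with a wpa-pwd key: ANonce from message 1,
    SNonce from message 2, derive the PTK, accept it only if message 2's MIC verifies.
    Returns the TK, or None when the handshake is incomplete or the passphrase is wrong."""
    by_msg = {}
    for f in frames:
        p = parse_eapol_key(f)
        by_msg[handshake_message(p["key_info"])] = (p, f)
    if 1 not in by_msg or 2 not in by_msg:
        return None                       # handshake not captured: nothing can be decrypted
    anonce, (m2, m2_frame) = by_msg[1][0]["nonce"], by_msg[2]
    kck, _kek, tk = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, m2["nonce"])
    return tk if hmac.compare_digest(eapol_mic(kck, m2_frame), m2["mic"]) else None


# Constructed sample handshake: MACs and nonces are made up, "password"/"IEEE" is the
# PBKDF2 test vector from IEEE 802.11-2012 Annex M.
AA = bytes.fromhex("001122334455")        # AP (authenticator) MAC
SPA = bytes.fromhex("66778899aabb")       # station (supplicant) MAC
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
PASSPHRASE, SSID = "password", "IEEE"
BASE = KI_VERSION_SHA1_AES | KI_PAIRWISE


def build_sample_handshake():
    kck, _, _ = derive_ptk(pmk_from_passphrase(PASSPHRASE, SSID), AA, SPA, ANONCE, SNONCE)
    m1 = build_eapol_key(BASE | KI_ACK, 1, ANONCE)
    m2 = build_eapol_key(BASE | KI_MIC, 1, SNONCE)
    m2 = build_eapol_key(BASE | KI_MIC, 1, SNONCE, eapol_mic(kck, m2))   # supplicant signs M2
    m3 = build_eapol_key(BASE | KI_ACK | KI_MIC | KI_INSTALL | KI_SECURE, 2, ANONCE)
    m4 = build_eapol_key(BASE | KI_MIC | KI_SECURE, 2, bytes(32))       # M3/M4 only classified here
    return [m1, m2, m3, m4]


if __name__ == "__main__":
    frames = build_sample_handshake()
    print([handshake_message(parse_eapol_key(f)["key_info"]) for f in frames])
    print(recover_tk(PASSPHRASE, SSID, AA, SPA, frames).hex())
    print(recover_tk("wrong-passphrase", SSID, AA, SPA, frames))   # wrong key: MIC fails
    print(recover_tk(PASSPHRASE, SSID, AA, SPA, frames[2:]))       # M1/M2 missing: no key
```

The two failure cases at the end are the ones this thread keeps running into: a correct passphrase with messages 1 and 2 absent from the capture gives no key at all, and a wrong passphrase is only detected because the MIC on message 2 does not verify. In Wireshark the same conditions show up as 802.11 data frames that stay "Protected" instead of dissecting to TCP/HTTP.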

1

To capture Wi-Fi traffic of other systems you will have to put your network adapter in monitor mode; this is a requirement specific to Wi-Fi. In Windows, that means buying a special adapter like AirPcap. For Linux use airmon-ng. On the MacBook I am not sure how, but I see a lot of Google hits on the subject. It is also true that you want to be in promiscuous mode, but the hub thing is only needed for Ethernet.

I put my NIC into monitor mode and I could see lots of other traffic around, but still I could not see HTTP/SMTP/etc. application-level traffic from my local WiFi network.

At the application level the traffic will be encrypted just as Fred Thomsen says in his post. You will need to research how to setup WireShark and your AP to decrypt this traffic.

Matt Shirilla

Posted 2012-10-31T03:26:25.580

Reputation: 111

I spent a while Googling this and I also used TCPDump from the command line. I simply could not get my NIC to recognize wireless traffic from other hosts on the same wireless network. I put my NIC into monitor mode and I could see lots of other traffic around, but still I could not see HTTP/SMTP/etc. application-level traffic from my local WiFi network. Any other ideas? – eb80 – 2012-10-31T20:40:17.077

As Matt Shirilla said, "At the application level the traffic will be encrypted just as Fred Thomsen says in his post. You will need to research how to setup WireShark and your AP to decrypt this traffic." See the Wireshark Wiki "How to decrypt 802.11" page.

– None – 2013-12-30T18:54:34.297

0

If your MacBook is connected by Ethernet to the WiFi router then this could be the reason:

Probably the WiFi router is acting as a switch (and not a hub). And hence the MacBook is not seeing the HTTP packets at all.

Aditya Naidu

Posted 2012-10-31T03:26:25.580

Reputation: 156

I am connected via wireless (interface en0) to the WiFi router. – None – 2012-10-31T03:46:24.080

how do I get the MacBook to act as a hub then? – None – 2012-10-31T03:50:19.243