System Setup:
- MacBook Air running Mountain Lion and connected wirelessly to a router.
- Wireshark installed and capturing packets (I have "capture all in promiscuous mode" checked)
- I filter out all packets with my source and destination IP using the following filter (ip.dst != 192.168.1.104 && ip.src != 192.168.1.104)
- On the same network as the MacBook, I use an Android device (connecting via WiFi) to make HTTP requests.
Expected Results:
- Wireshark running on the MacBook sees the HTTP request from the Android device.
Actual Results:
- I only see SSDP broadcasts from 192.168.1.1
Question:
What do I need to do so that Wireshark, like Firesheep, can see and use the packets (particularly HTTP) from other network devices on the same network?
UPDATE
- "How can I capture other computers traffic in Wireshark on a WiFi-network?" seems to imply that it is not possible
- This seems to describe my problem: http://seclists.org/wireshark/2010/Jan/70
- I am confident the network interface is in promisc mode because when I run ifconfig I get en0: flags=8967<UP,BROADCAST,DEBUG,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
I am connected wirelessly and I am authenticated using WPA onto the network. I still do not see the packets from other authenticated devices on the network. Do I need to impersonate the IP or MAC address of the other machines? – eb80 – 2012-10-31T14:57:36.350
No, you do not need to spoof your MAC or IP. Go to http://wiki.wireshark.org/HowToDecrypt802.11 and ensure that you have set up the decryption correctly. If it is set up incorrectly, you'll only see encrypted traffic at the layer 2 level. Also, you must capture the EAPOL handshake (you can filter eapol packets) for Wireshark to decrypt on the fly, so cycle (turn off and back on) the WiFi of the device you are trying to capture. Some helpful details here, but for a Linux box: http://wolfhoundsec.blogspot.com/2010/06/monitoring-wpa2-wireless-traffic-w.html. Finally, have a ws version past 0.99.5. – Fred Thomsen – 2012-11-01T01:24:35.163
errrr... I just spent an hour on this and I still cannot get it to work. 1. I checked by filtering "eapol" and I see four packet frames. 2. I added my WPA-PWD info to the keys 3. I toggled all different combinations of FCS and protection bit 4. I am using Wireshark 1.8.3..... what else am I missing? – eb80 – 2012-11-03T21:35:40.580
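Why the comments above tie decryption to the EAPOL handshake, shown as an added example that is not part of the original thread: the passphrase and SSID give only the shared PMK, while the key that actually protects each device's traffic (the PTK) also mixes in the two MAC addresses and the two nonces exchanged in the four-way handshake. The passphrase "password" and SSID "IEEE" are the IEEE 802.11i test vector; the MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK (the 256-bit PSK): PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wpa_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
            anonce: bytes, snonce: bytes, length: int = 64) -> bytes:
    """Per-session PTK from the 802.11i PRF (HMAC-SHA1 in counter mode).

    The MACs and nonces are only visible in the EAPOL handshake frames,
    so a capture that lacks them cannot reproduce this key.
    """
    label = b"Pairwise key expansion"
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    counter = 0
    while len(out) < length:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(pmk, msg, hashlib.sha1).digest()
        counter += 1
    return out[:length]


if __name__ == "__main__":
    pmk = wpa_pmk("password", "IEEE")          # IEEE 802.11i test vector
    print("PMK:", pmk.hex())

    # Constructed sample values standing in for one captured handshake.
    ap = bytes.fromhex("020000000001")
    phone = bytes.fromhex("020000000002")
    anonce = bytes(range(32))
    snonce_first = bytes(range(32, 64))
    snonce_rejoin = bytes(range(64, 96))       # same phone after toggling WiFi

    first = wpa_ptk(pmk, ap, phone, anonce, snonce_first)
    rejoin = wpa_ptk(pmk, ap, phone, anonce, snonce_rejoin)
    print("PTK (first join):", first.hex())
    print("PTK (after rejoin):", rejoin.hex())
    print("same key after rejoin?", first == rejoin)
```

Every association produces fresh nonces, so the handshake that Wireshark needs is the one belonging to the session being captured, not an earlier one.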