How does a wireless router send a packet in a way only the requested computer will receive it?

9

1

As far as I know, a wireless router communicates with computers on a certain radio channel, and when a computer wants to join a network, it searches all of its channels to find a wireless router transmission, then sets this channel as the default and communicates with the wireless router on that channel.

Now, if we are talking about a wireless network with several computers on it,
I know (based on what I saw on Wireshark on my computer) that any computer can see any packet sent from any of the computers to the wireless router (is this because they are all transmitting at the same channel?),
but I could not see what the wireless router transmitted to the other computers.

How can the wireless router do this?

It's supposed to transmit on the same radio channel, so every computer should be able to catch it (and then decide to keep it or to drop it based on the target IP address), right?

itayza88

Posted 2013-02-17T21:04:12.357

Reputation: 111

Are you positive that Wireshark was properly configured, so that the premise of your question is correct? – sawdust – 2013-02-17T23:28:27.177

1Any computer with a WiFi adapter can receive all transmissions from the router. But the WiFi adapter and the software behind it knows to ignore messages not addressed to that computer. Plus, if encryption is enabled, messages sent to other computers will not be able to be decoded, other than reading their address info. – Daniel R Hicks – 2013-02-18T01:38:21.857

Answers

3

Maybe your computer is only seeing packets sent to broadcast and multicast addresses. Most PC operating systems are quite noisy, so you'll see frequent broadcasts from them. What you wouldn't see is "unicast" traffic, including all traffic from TCP, e.g. web-browsing.

If you want to intercept non-broadcast traffic on a modern wired switch, you actually need to run an arp-spoof attack. C.f. ettercap.

If you want to intercept non-broadcast traffic on a wireless network, I believe you need to look at configuring a monitor-mode interface. I believe this should work for networks protected by a single password ("PSK", as in WPA2-PSK). It's a bit involved, not supported by all hardware or drivers, and I don't know how difficult it is on Windows.

sourcejedi

Posted 2013-02-17T21:04:12.357

Reputation: 2 292

1Note: The question asks about wireless networking. Is this answer about wireless or wired networking? – cpast – 2013-02-17T21:17:47.997

Heh, I believe it applies to promiscuous mode on a STA-configured interface (i.e. normal wlan0). In PSK networks (pre-shared-key, i.e. single shared password used by all connected computers) I believe you can sniff unicast traffic if you configure a monitor interface. – sourcejedi – 2013-02-17T21:26:07.547

That sounds right. Is that how aircrack works, and why it needs monitor mode? – cpast – 2013-02-17T21:27:30.053

I don't know about it in that much detail, sorry. – sourcejedi – 2013-02-17T21:34:08.180

0

I believe your understanding is incorrect.

When speaking about a wired network there is only 1 channel, and when speaking of a wifi network all clients of an Access Point share the same channel.

I think you will find it works as follows (for Internet/IP based networks)

  1. Client wants to send a packet.
  2. It broadcasts a message to everything on the same subnet as it is in saying "What MAC address corresponds with this IP ?"
  3. The responding server responds "Me, here is my MAC address".
  4. Future communications are addressed to that MAC address. (If the server is
    not on the LAN, the same thing applies, only the "Default Gateway is used in place of the server, ie the next hop. This is typically figured out based on the netmask and IP address or equivalent).

The logic bit that is missing is that the switches the devices plug into (on a Wired network) route between MAC addresses. This increases privacy and also allows faster communication [ if for example, you have 4 pc's all connected to 1 switch with PC1 plugged into port1, PC2 to port 2 etc, PC1 can speak to PC2 while PC3 speaks to PC4 at maximum speed - although if PC1 and PC2 both want to speak to PC4, the bandwidth is shared on port 4].

This basic "routing" of MAC addresses is what differentiates a switch from a (now obsolete technology) hub - and in fact a hub could see all the traffic between server and clients. [ Note that a WIFI connection is similar to a hub, and also some smart switches have special monitor port(s) which can be configured to dump a copy of all traffic for, for example, spying or network analysis ]

davidgo

Posted 2013-02-17T21:04:12.357

Reputation: 49 152

1You're answering the wrong question. The tag is "wireless", and the OP is using the abbreviated "router" terminology, when he/she really means "wireless router". – sawdust – 2013-02-17T23:33:19.077

@sawdust2, no. You modified the question after I asked it, and besides, my answer addressed both the wired and wireless cases as it was not clear to your question. – davidgo – 2013-02-17T23:36:46.440

1Yes, I did re-edit the post after two other users, but I also reviewed the original question to preserve the intent. The OP's understanding may not be "incorrect" as you assert. The actual question is about the difference seen between packets to the wireless router versus packets from the wireless router. Your brief mention of hubs and WiFi doesn't begin to address any aspect of this question at all. – sawdust – 2013-02-18T00:14:51.643

The original question stated *"I know (based on what I saw on Wireshark in my computer) that any computer can sniff\catch any packet sent from any of the computers to the router ... but I could not see what the other computers recieved from the router."* This cannot happen on a wired network with either a switch or a hub (unless the Wireshark config/filtering is messed up). – sawdust – 2013-02-18T00:29:50.607

@sawdust - you are wrong and may want to brush up on your network skills. http://landetective.com/products/internet-monitor/manual/traffic-analysis.html might help fill the specific gap in your knowledge. For a start, note specifically the sentence of the Paragraph headed "Monitoring Internet Traffic in the PROMISCUOUS MODE" which states "Just turn on the special – promiscuous – operating mode for your network adapter. In this mode, network adapter accepts all packets flowing within the network segment indiscriminately." [ but really you need to read the whole thing to understand ]

– davidgo – 2013-02-18T03:00:50.167

Also, most (even low end WIFI) routers have 4 LAN ethernet ports bridged to form a switch, and note how the word "wireless/radio" is missing in the question originally asked. – davidgo – 2013-02-18T03:03:45.667

Obviously you have not carefully read the revisions of the question or my comments to understand the fine point that the question asks. A switch, once it learns which hosts are on which of its ports, is not going to continue to send any/all packets from any/all computers for Wireshark to capture. A hub is not going to restrict packets from a wired router (or any host) at all. Even after I made salient words bold, you apparently still don't understand the circumstances. And there's no need for you to try to explain promiscuous mode. – sawdust – 2013-02-18T03:59:01.477

Asked: 2013-02-17T21:04:12.357

Viewed: 2 850 times

Active: 2013-02-17T23:26:06.150