Using Wireshark to track traffic on a Windows Virtual WiFi Miniport

1

I have a Microsoft Virtual WiFi Miniport set up on my laptop with an Android phone connected to it. The laptop is then connected to the outside world through a wired connection. I would like to monitor the traffic from the phone with Wireshark, but I'm having trouble filtering the traffic. I expected to be able to set up a filter on the MAC Address or the IP Address, but so far that isn't working. Here's the setup:

    C:\Windows\system32>netsh wlan show hostednetwork

    Hosted network settings

    Mode                   : Allowed
    SSID name              : "Android Test Network"
    Max number of clients  : 100
    Authentication         : WPA2-Personal
    Cipher                 : CCMP

    Hosted network status

    Status                 : Started
    BSSID                  : xx:xx:xx:xx:xx:xx
    Radio type             : 802.11b
    Channel                : 11
    Number of clients      : 1
        xx:xx:xx:xx:xx:xx        Authenticated

The IP Address reported by the Android phone is 192.168.137.205, but I don't see that as the source in any of the traffic. Is what I'm trying to do possible (use Wireshark to monitor Virtual WiFi Miniport traffic) and what might I be doing wrong?

The Android phone does have internet connectivity, so I can verify that the connection is working.

GrandAdmiral

Posted 2014-05-09T20:57:55.087

Reputation: 435

Answers

1

Microsoft Virtual WiFi Miniport

Wireshark uses WinPcap on Windows, and WinPcap doesn't support Wi-Fi adapters very well.

user164970

Posted 2014-05-09T20:57:55.087

Reputation:

Interesting. Is it possible to capture the traffic once the Virtual WiFi Miniport has passed it to the wired Ethernet port? – GrandAdmiral – 2014-05-12T01:41:05.837

1

Yes, this is totally doable. As you know, you can capture packets from your Ethernet connection easily; the trick is to share your Ethernet connection with your virtual wifi adapter (see below). You've got your hardware set up correctly (laptop with Ethernet connection). I would suggest setting your normal wifi adapter to not connect automatically to your home wireless network while you are running your testing.

These are the steps in Windows 7:

  1. From Control Panel >> Network and Internet >> Network Connections, right-click on your Virtual Wifi adapter and share the Ethernet connection with the virtual wifi adapter. (Don't forget to make sure the services and dependent services are running, or at least set to manual start.)
  2. Open a PowerShell or cmd prompt as an Administrator and run the following command:

    netsh wlan set hostednetwork mode=allow ssid=networkName key=password

     Where "networkName" is the wifi name you will search for on your phone and then connect to, and "password" is ... yup. Make sure your password is more than 8 characters long, as this is a requirement for WPA2. If your network name or password contains spaces, make sure to wrap them in 'quote marks'. (I suggest avoiding spaces in network names and passwords while testing; some routers and the Android OS don't play nicely with encoding these characters.)

  3. Now we bring the wifi network up. At the prompt run the following command:

    netsh wlan start hostednetwork

That's it. You shouldn't have any trouble selecting your Ethernet connection in Wireshark and setting filters based on IP address now.

I would have taken some pretty screenshots for you, but the good folks at University of New Haven made a YouTube video on how to do it. There is also a summary on the Sophos blog called nakedsecurity that discusses their work and describes recent vulnerabilities in Viber and WhatsApp and how the researchers set up their testing network.

bob

Posted 2014-05-09T20:57:55.087

Reputation: 171

Yes, those are the directions I used to set up the network. Unfortunately Wireshark isn't capturing the traffic. – GrandAdmiral – 2014-05-11T02:03:36.460

I've just re-tested the setup and it seems to be working correctly for me. Perhaps double check that the necessary services and their dependent services are running correctly, specifically Internet Connection Sharing (ICS). – bob – 2014-05-12T16:41:39.880

Are you able to see the network traffic in Wireshark? I don't have any trouble setting up the network, it's monitoring the traffic that is the problem. – GrandAdmiral – 2014-05-12T16:46:35.600

Yes, I can see traffic passing through when I monitor my wifi adapter and/or my Ethernet adapter. In my case my phone was assigned 192.168.137.26 with a gateway of 192.168.137.1 (laptop). When monitoring the wifi adapter I'm seeing packets travel from 192.168.137.26 to the internet and back again. As the other poster mentioned, some adapters can be unreliable. Do you have a friend's laptop you can re-test on, or even a USB wifi dongle? – bob – 2014-05-12T17:02:23.607

No, not at the moment. – GrandAdmiral – 2014-05-12T18:37:44.130
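
The checks discussed in this thread (ICS service, hosted network status, connected client, capture on the hosted-network adapter), combined into one PowerShell script as an added example that is not part of any post above. The tshark path, the adapter name and the output file are assumptions to adjust; the phone address is the one given in the question.

```powershell
# Added example. Run from an elevated prompt. Values marked "assumed" are not from the thread.
$tshark  = 'C:\Program Files\Wireshark\tshark.exe'   # assumed: default Wireshark install path
$adapter = 'Wireless Network Connection 2'           # assumed: name of the hosted-network adapter
$phoneIp = '192.168.137.205'                         # address the phone reported in the question
$outFile = Join-Path $env:TEMP 'phone.pcapng'        # assumed: where to write the capture

# 1. Internet Connection Sharing (service name SharedAccess) must be running.
$ics = Get-Service -Name SharedAccess
if ($ics.Status -ne 'Running') {
    throw "ICS service (SharedAccess) is $($ics.Status); start it before capturing."
}

# 2. The hosted network must be started (English-language netsh output assumed).
$hosted = netsh wlan show hostednetwork
if (-not ($hosted | Select-String -Pattern 'Status\s+:\s+Started')) {
    throw 'Hosted network is not started; run: netsh wlan start hostednetwork'
}

# 3. At least one client must be authenticated; print each client MAC.
$clients = $hosted | Select-String -Pattern '^\s+([0-9a-f]{2}(:[0-9a-f]{2}){5})\s+Authenticated'
if (-not $clients) {
    throw 'No authenticated clients on the hosted network.'
}
$clients | ForEach-Object { "client: $($_.Matches[0].Groups[1].Value)" }

# 4. Confirm the capture driver actually exposes the hosted-network adapter.
$ifaces = & $tshark -D
$ifaces
if (-not ($ifaces | Select-String -SimpleMatch $adapter)) {
    throw "tshark does not list '$adapter'; set `$adapter to a name or index shown above."
}

# 5. Capture 60 seconds of the phone's traffic on the hosted-network adapter.
#    ICS translates addresses on the wired side, so the 192.168.137.x address
#    is only visible on the hosted-network adapter, not on the Ethernet adapter.
& $tshark -i $adapter -f "host $phoneIp" -a duration:60 -w $outFile
"capture written to $outFile"
```

If step 4 fails, the capture driver is not exposing the virtual adapter, which matches the limitation described in the first answer.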