sniffing wireless traffic

Justinh

Senior Member
I'm on a wired Windows PC sniffing net traffic with tcpdump or Wireshark. I can't capture any Internet traffic for the wireless clients - all I get are internal broadcasts like SSDPs and ARPs. Is it not possible to capture Wi-Fi Internet traffic sniffing from an Ethernet client?
 
How would it capture wireless traffic from the LAN?

You need a WiFi card to do so.
 
You wouldn't normally expect to see unicast traffic for other devices (wireless or otherwise) on your PC. You would need to capture the traffic on the router.
 
I'm thinking the wireless traffic would be visible just like the wired traffic - all the devices are on the same subnet.

Colin, can you explain a bit more? So all the sniffing companies and such do are using an in-line device?

I think my VM was giving me false hope, then. I just tested again: I could see the WAN traffic from the host, but not from other wired devices.
 
I don't know how you've got your equipment set up, but generally speaking... PC1 on the LAN won't receive any of the unicast traffic to or from PC2. This is because the switch in the router knows what physical ports PC1 and PC2 are connected to and will only send each their own traffic. The alternative would be to do what network hubs did in the old days, and flood all ports with all the traffic for all devices. This is obviously very inefficient, which is why people now use switches.

So for example, if PC2 is talking to an internet web server on port 443 over TCP, PC1 should not be receiving any of that traffic. The only traffic PC1 can see that doesn't belong to itself would be local broadcast and multicast traffic.
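
The forwarding behaviour described in the post above, as an added sketch that is not part of the thread: a minimal MAC-learning switch showing which frames reach a sniffer on PC1's port. The port layout, MAC addresses, frame labels and the modelling of the Wi-Fi radio as one bridged port are all assumptions made for illustration.

```python
# Added illustration: a minimal MAC-learning switch. Port numbers, MAC
# addresses and frame labels are constructed sample values.
BROADCAST = "ff:ff:ff:ff:ff:ff"

def is_group(mac):
    # Broadcast/multicast addresses have the low bit of the first octet set.
    return int(mac.split(":")[0], 16) & 1 == 1

class LearningSwitch:
    def __init__(self, ports):
        self.ports = set(ports)
        self.table = {}  # source MAC -> port it was last seen on

    def forward(self, in_port, src, dst):
        """Return the set of ports the frame is sent out of."""
        self.table[src] = in_port  # learn where the sender lives
        if is_group(dst) or dst not in self.table:
            return self.ports - {in_port}  # flood: group or unknown address
        out = self.table[dst]
        return set() if out == in_port else {out}

def frames_seen_on(port, switch, frames):
    """Labels of the frames a capture on `port` would record."""
    seen = []
    for in_port, src, dst, label in frames:
        if port in switch.forward(in_port, src, dst):
            seen.append(label)
    return seen

# Assumed layout: port 1 = PC1 (the sniffer), 2 = PC2, 3 = router/WAN side,
# 4 = Wi-Fi radio bridged onto the same LAN.
PC2, ROUTER, PHONE = "02:00:00:00:00:02", "02:00:00:00:00:fe", "02:00:00:00:00:03"
FRAMES = [
    (2, PC2, BROADCAST, "ARP who-has gateway (PC2)"),
    (3, ROUTER, PC2, "ARP reply to PC2"),
    (2, PC2, ROUTER, "PC2 TCP/443 to web server"),
    (3, ROUTER, PC2, "web server TCP/443 to PC2"),
    (4, PHONE, "01:00:5e:7f:ff:fa", "SSDP M-SEARCH (Wi-Fi phone)"),
    (4, PHONE, ROUTER, "phone HTTPS to internet"),
]

if __name__ == "__main__":
    print(frames_seen_on(1, LearningSwitch([1, 2, 3, 4]), FRAMES))
```

Running the same frames against port 3 (the router side) returns the unicast flows as well, which is why the capture has to happen on the router or on a mirrored port.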
 
So all the sniffing companies and such do are using an in-line device?
I don't know what you mean by "sniffing companies". But as I mentioned above, you could capture the traffic on the router, or at some other intermediate stage. Wi-Fi is more difficult because, unlike Ethernet, you can't simply insert a network switch inline which has port mirroring capability.

https://wiki.wireshark.org/CaptureSetup/Ethernet
 
Wi-fi, unlike modern ethernet practice, is a shared medium. So if you have a wi-fi card you can capture the traffic on whatever SSID it's tuned to. There are some roadblocks like packet encryption, but at the very least you ought to be able to read beacons and such. I've had success using Wireshark on a MacBook to investigate wifi management traffic such as RNR elements. (But nowadays I find WiFi Explorer to be easier to use for that sort of thing --- it'll show you a nicely-decoded beacon frame for any SSID in range, no tedium at all.)
 
I've had success using Wireshark on a MacBook to investigate wifi management traffic such as RNR elements. (But nowadays I find WiFi Explorer to be easier to use for that sort of thing --- it'll show you a nicely-decoded beacon frame for any SSID in range, no tedium at all.)

WiFi Explorer is a great tool - the author there has another tool that makes Wireless Packet Capture a snap...

 
To do it on the LAN including WLAN you need port mirroring on your router/firewall or managed switch, depending on what is actually running the network, plus extra hardware/software, also depending on the purpose. I do it for network monitoring purposes on my business networks run by managed switches. I believe most companies do it and there is nothing wrong with it. The question here is what you need it for and what hardware you have available. Home routers don't have a port mirroring option and free software tools usually generate limited results. From a client after an unmanaged switch (internal for AIO router or external) - won't work.
 
I'm on a wired Windows PC sniffing net traffic with tcpdump or Wireshark. I can't capture any Internet traffic for the wireless clients - all I get are internal broadcasts like SSDPs and ARPs. Is it not possible to capture Wi-Fi Internet traffic sniffing from an Ethernet client?

Should note - with Wireshark, you have to run as Admin, not as a regular user, and depending on your wireless adapter, you may be able to capture the WiFi frames if all the stars are aligned.

 
Better going with a Wi-Fi card like Atheros, Ralink or Realtek (ASUS AC68) and Kali Linux for penetration testing purposes.
Otherwise maybe try the Flipper Zero or similar, which has a lot of 3rd-party software and apps like Marauder/Deauth (sniffing, jamming, and many more).
 
