Wireless packet sniffing with a hub


JaimeZX

Senior Member
Hey guys, having a problem with a Linux laptop running Wireshark not picking up the IoT packets I'm trying to examine. One solution suggested to me was to put the IoT on a second wireless router, with that router's WAN port going through a hub to a LAN port on the primary. Then plug the laptop into another port on the hub, so it can see all the packets.

I like this idea, but I haven't had a hub in ages. Found this guy for $12:
https://www.ebay.com/itm/8-port-Ethernet-Hub-by-Allied-Telesyn-FH708E/321468492725

Alternatively, this managed switch is like, $9 but might be overkill. I can set up Port Mirroring, according to the online manual.
https://www.ebay.com/itm/Enterasys-C2G124-24-24-Port-Gigabit-Managed-Ethernet-Switch/372646328357

Thoughts / recommendations? Thanks!!
 
Get the managed switch. But if you want Wi-Fi packets, you need to get them over-the-air. Ethernet will not provide access to 802.11 packets because they're converted to Ethernet before they hit the wire.
 
Right, that's why I would need a hub (or port-mirrored switch) to catch the packets after they go into the router, before they leave for the internet (and vice-versa). I still don't understand why Wireshark on Conspicuous Mode won't see all the packets on a particular SSID, because obviously that would simplify things quite a bit, but it doesn't seem to. Only broadcast packets or those to/from the laptop. Open to suggestions there as well...
 
> Right, that's why I would need a hub (or port-mirrored switch) to catch the packets after they go into the router, before they leave for the internet (and vice-versa). I still don't understand why Wireshark on Conspicuous Mode won't see all the packets on a particular SSID, because obviously that would simplify things quite a bit, but it doesn't seem to. Only broadcast packets or those to/from the laptop. Open to suggestions there as well...
I'm confused as to what you are trying to do. If you are trying to see 802.11 (Wi-Fi) packets, these can only be captured over the air, not on the wire.
 
@JaimeZX Wireshark won't see the traffic, even in promiscuous mode, because you are running it on your laptop. It is the switch that decides which ports to send the traffic down, not your laptop's NIC. So the laptop doesn't receive any of the unicast traffic for the IoT device.
 
> I'm confused as to what you are trying to do. If you are trying to see 802.11 (Wi-Fi) packets, these can only be captured over the air, not on the wire.
Yes, obviously. But if I put a hub between the WAP and modem, and put a laptop on another port of that hub, then I can see ALL the packets, because the WAP has converted them to ethernet.
The point is, I want to see all traffic going to/from IoT device X. Obviously with the above / Hub solution I will have to make a few assumptions, but if I send it some commands from my phone, I can expect to see outbound traffic to AWS, and then back in from AWS to the device, and then acknowledgements back from the device to AWS, which then bounce into my phone to toggle an on/off icon in the app.

> @JaimeZX Wireshark won't see the traffic, even in promiscuous mode, because you are running it on your laptop. It is the switch that decides which ports to send the traffic down, not your laptop's NIC. So the laptop doesn't receive any of the unicast traffic for the IoT device.
So, I totally believe you because you're not the first person to say that. I just don't understand why that's the case. In promiscuous mode, where the laptop is not connected to a network but is merely sniffing packets out of the air, why can't it see All The Things?*

* Edit: I don't have Wireshark up & running right now because my wife is using the laptop for other things. lol
 
To sniff WiFi packets "out of the air" you need a WiFi adapter capable of operating in monitor mode. Merely having your laptop in promiscuous mode is not enough.

Ethernet switches or wireless APs only send unicast traffic to a specific port or client (STA)*. To send it to every client would be hugely inefficient. This is how "hubs" work and why they are not used anymore. They have been replaced by switches that do not flood all ports with all traffic.

So your original idea to use a hub (rather than a switch) will work.... if you can find such an old device. But as Tim suggested it would be preferable to buy a modern switch with port mirroring capability.

* To clarify; theoretically a WiFi adapter in promiscuous mode ought to be able to "see" all the traffic being broadcast by the AP it is connected to. But traffic between other hosts will be encrypted so you won't be able to capture it.
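The forwarding behaviour described in this reply (a hub repeats everything, a switch sends known unicast only to the learned port, and a mirror port restores visibility) can be shown with a small simulation. This is an added example, not code from the post or from any switch vendor; the port numbers, MAC addresses and the three-frame exchange are constructed for illustration.

```python
from collections import namedtuple

Frame = namedtuple("Frame", "src dst")
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Repeats every frame out of every other port: a sniffer on any port sees all traffic."""

    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, in_port, frame):
        return sorted(self.ports - {in_port})


class LearningSwitch:
    """Learns which MAC sits behind which port and delivers known unicast only there.

    mirror=(source_port, monitor_port) copies every frame that enters or leaves
    source_port to monitor_port, which is what a managed switch calls port mirroring.
    """

    def __init__(self, ports, mirror=None):
        self.ports = set(ports)
        self.table = {}          # MAC address -> port it was last seen on
        self.mirror = mirror

    def forward(self, in_port, frame):
        self.table[frame.src] = in_port
        if frame.dst != BROADCAST and frame.dst in self.table:
            out = {self.table[frame.dst]}        # known unicast: one port only
        else:
            out = self.ports - {in_port}         # unknown unicast / broadcast: flood
        if self.mirror:
            src_port, mon_port = self.mirror
            if in_port == src_port or src_port in out:
                out.add(mon_port)                # copy to the monitor port
        return sorted(out - {in_port})


# Constructed topology: port 1 = AP with the IoT device, port 2 = uplink to the
# router, port 3 = the laptop running the capture.
IOT_AP, UPLINK, LAPTOP = 1, 2, 3
IOT_MAC, ROUTER_MAC = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:01"


def run_exchange(device):
    """Device -> router, router -> device, device -> router.

    Returns, per frame, whether the laptop port received a copy.
    """
    exchange = [
        (IOT_AP, Frame(IOT_MAC, ROUTER_MAC)),
        (UPLINK, Frame(ROUTER_MAC, IOT_MAC)),
        (IOT_AP, Frame(IOT_MAC, ROUTER_MAC)),
    ]
    return [LAPTOP in device.forward(in_port, frame) for in_port, frame in exchange]


if __name__ == "__main__":
    print("hub:               ", run_exchange(Hub([1, 2, 3])))
    print("switch, no mirror: ", run_exchange(LearningSwitch([1, 2, 3])))
    print("switch, mirror 1->3:", run_exchange(LearningSwitch([1, 2, 3], mirror=(IOT_AP, LAPTOP))))
```

On the plain switch the laptop sees only the very first frame, flooded because the router's MAC had not been learned yet; once both MACs are in the table the unicast exchange never reaches port 3, which is exactly the "only broadcast or my own traffic" symptom from earlier in the thread. The hub and the mirrored switch deliver all three.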
 
100% on the same page here. That's why the laptop has to be running Linux; Windows Wireshark doesn't support Monitor mode. Still the same issue. Weirdly, I'm pretty sure I made it work the very first time I opened up Linux Wireshark, but because I had no idea what I was doing at the time I didn't gather the requisite data.

Also tracking Hub vs Switch. Hence the links I provided at top. Still hoping a co-worker might have an old hub lying around so I don't have to spend money on this project. :p Otherwise if one of the above eBay solutions isn't great, the Netgear GS105 does port mirroring. Just don't know what I would do with the $50 thing after I finish with this project. In a couple of years when I have a house I'll be in longer term I'll wire it up with cabling, big NAS, etc., but presumably there'll be better switch solutions at that point than a $50 something from 2018.
 
> 100% on the same page here. That's why the laptop has to be running Linux; Windows Wireshark doesn't support Monitor mode. Still the same issue. Weirdly, I'm pretty sure I made it work the very first time I opened up Linux Wireshark, but because I had no idea what I was doing at the time I didn't gather the requisite data.

When Tim published his article "Build A Wi-Fi Performance Analyzer For $75" he noted that it was very hard to find any WiFi adapters that supported monitor mode.

EDIT: To clarify an earlier point; theoretically a WiFi adapter in promiscuous mode ought to be able to "see" all the traffic being broadcast by the AP it is connected to. But traffic between other hosts will be encrypted so you won't be able to capture it.
 
To clarify the discussion, you don't need/want to analyze the actual WiFi frames, you want to analyze the Internet bound traffic flows from the IoT devices.

Four options:

1.) Grab them via WiFi
- requires very specific hardware with specific drivers
- generally easier on Linux to find supported drivers, but there are Windows options (at least there used to be...it has been many many years since I toyed with this)
- rarely will a cheap WiFi device offer this feature set
- this is more work than it's worth if you are just trying to analyze the IP flows

2.) Grab them via a hub
- requires purchase of a hub...they do still exist...I have one at my house from the early 2000s kept around just for this reason
- won't work well for high bandwidth stuff, but probably just fine for IoT
- requires the hub being put in-line

3.) Grab them via a managed switch
- requires purchase of a switch that supports port-mirroring
- requires the switch being put in-line
- can support higher bandwidth services

4.) Grab them via the router/firewall
- requires having a device that supports PCAP
- I run a SophosXG firewall and can do tcpdump directly on the box (pfSense, OPNSense, or just about any other Linux or BSD based x86 box can)
- this is my preferred method these days since it requires no changes to anything to be able to see the flows
- capture PCAP to disk, SCP off of FW, open in Wireshark, geek out
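Whichever of the four capture points is used, the result is a PCAP file and the question from earlier in the thread is the same: which flows go to and from IoT device X, in which direction, and how much. Wireshark answers that interactively; the script below does the same offline so the "geek out" step can be repeated on every capture. It is an added example, not code from the post or from Sophos, pfSense or Wireshark. It reads the classic pcap format that `tcpdump -w` writes (not pcapng), handles only Ethernet link type with IPv4, and builds its own constructed sample capture so it runs without a network; the addresses are placeholders (203.0.113.0/24 is a documentation range, not a real cloud service).

```python
import socket
import struct
from collections import Counter

# Constructed addresses for the sample capture (not real hosts).
IOT_IP = "192.168.1.50"      # the IoT device under observation
GATEWAY_IP = "192.168.1.1"   # LAN router / DNS resolver
PHONE_IP = "192.168.1.20"    # another LAN host, should be filtered out
CLOUD_IP = "203.0.113.10"    # placeholder for the device's cloud endpoint

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps (tcpdump -w default)
LINKTYPE_ETHERNET = 1


def build_ipv4_packet(src, dst, proto, sport, dport):
    """Construct Ethernet + IPv4 + TCP/UDP headers (no payload) for the sample capture."""
    eth = b"\x00" * 6 + b"\x11" * 6 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    if proto == 6:                                           # TCP: 20-byte header, ACK flag set
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x10, 0, 0, 0)
    else:                                                    # UDP: 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4


def build_pcap(packets):
    """Wrap raw frames in a classic pcap file image (global header + per-record headers)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, pkt in enumerate(packets):
        out.append(struct.pack("<IIII", 1_600_000_000 + i, 0, len(pkt), len(pkt)))
        out.append(pkt)
    return b"".join(out)


def iter_pcap(data):
    """Yield (timestamp, frame_bytes) for each record; detects byte order from the magic."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are supported")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Return (src_ip, sport, dst_ip, dport, proto) for an IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:]
    sport = dport = None
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    return src, sport, dst, dport, proto


def summarize_flows(data, device_ip):
    """Count packets per (direction, peer IP, peer port, proto) involving device_ip."""
    flows = Counter()
    for _, frame in iter_pcap(data):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, proto = parsed
        if device_ip not in (src, dst):
            continue
        outbound = src == device_ip
        peer = dst if outbound else src
        peer_port = dport if outbound else sport
        flows[("out" if outbound else "in", peer, peer_port, proto)] += 1
    return flows


def build_sample_pcap():
    """Constructed capture: a DNS lookup, a TLS exchange with the cloud, and unrelated phone traffic."""
    pkts = [build_ipv4_packet(IOT_IP, GATEWAY_IP, 17, 40000, 53),
            build_ipv4_packet(GATEWAY_IP, IOT_IP, 17, 53, 40000)]
    pkts += [build_ipv4_packet(IOT_IP, CLOUD_IP, 6, 50000, 443)] * 3
    pkts += [build_ipv4_packet(CLOUD_IP, IOT_IP, 6, 443, 50000)] * 2
    pkts.append(build_ipv4_packet(PHONE_IP, GATEWAY_IP, 6, 51234, 443))
    return build_pcap(pkts)


if __name__ == "__main__":
    for (direction, peer, port, proto), n in sorted(summarize_flows(build_sample_pcap(), IOT_IP).items()):
        print(f"{direction:3} {peer}:{port} {'tcp' if proto == 6 else 'udp'} packets={n}")
```

To use it on a real capture, replace `build_sample_pcap()` with `open("capture.pcap", "rb").read()` and set `IOT_IP` to the device's LAN address. The summary is what the thread expects to see: the device resolving a name via the gateway, then a bidirectional TCP/443 conversation with its cloud endpoint, while the phone's own traffic is excluded because neither end is the device.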
 
1) Right, this is my preferred COA
2) Not really considering this now since Hubs are hard to find and managed switches are not too expensive, I guess.
3) This one is looking decent: https://www.amazon.com/dp/B00K4DS5KU/?tag=snbforums-20
4) So someone explained in another thread why tcpdump isn't working for me. I've tried it several times with no success. This WOULD be my preferred method. Now, THIS ( https://www.snbforums.com/threads/enabling-port-mirroring-asus-rt-ac66u.23181/ ) seems promising, but if tcpdump doesn't work I'm not sure why internal port mirroring would work either.

Thoughts?
 
