
I am in promiscuous mode and I am using my one computer to sniff the network traffic. On both a separate computer and my phone I logged into the same http site and entered in some test credentials to see if the traffic would show up in wireshark. To my surprise it did not. I have done this many times before but for some reason it's not working for me now.

I can see that my other computers are on the network (if I ping them the ICMP packets will show up). I can't see any websites that they're visiting now though. I can only view web traffic that is coming from the laptop running wireshark.

Any thoughts/ideas as to why my wireshark is acting as if it is not in promiscuous mode? I have tried to turn off and on the promiscuous mode, restart wireshark, etc.

Edit:

All devices are connected to the same WLAN, no ethernet cables used to connect devices to router.

Michael
  • Could you add some details about your network architecture? – Arminius Aug 20 '17 at 03:15
  • Could it be you are connected to an Ethernet switch, and therefore you won't see the traffic? – Ron Trunk Aug 20 '17 at 03:33
  • @Arminius what kind of details are you looking for? And RonTrunk36 all devices are connected over wifi. I updated the question – Michael Aug 20 '17 at 04:10
  • Do you have any firewall rules that might block what you are wanting to see from your wireshark instance? Most likely you don't but I have once upon a time blocked myself from seeing traffic in this way lol.. iptables. – Yokai Aug 20 '17 at 04:20
  • Actually that's a good point.. I was making changes to my router's firewall a little while back regarding what traffic can be allowed through. Let me get back to you – Michael Aug 20 '17 at 04:23
  • I logged into the router but couldn't find anything. If I'm blocking ports and that's causing the problem, which ports would they be? – Michael Aug 20 '17 at 04:36
  • In promiscuous mode on wifi, the router does not explicitly redistribute such data, so a blocked port on the router cannot be the problem. But your sniffing machine could drop all packets not for your machine before Wireshark can sniff them. – Tobi Nary Aug 20 '17 at 06:50

1 Answer


Wireshark has a setting called "promiscuous mode", but that does not directly enable the functionality on the adapter; rather it starts the PCAP driver in promiscuous mode, i.e. telling it to process packets regardless of their target address if the underlying adapter presents them. This is most noticeable on wired networks that use hubs instead of switches, where in non-promiscuous mode you will see only broadcast traffic and packets unicast to your adapter address, but in promiscuous mode you will see everything - in both cases your adapter is receiving every packet on the network, but in promiscuous mode the PCAP driver doesn't filter out packets not intended for your adapter.

Running a WiFi adapter in promiscuous mode requires some additional work and support by the driver. Normally a driver would implement only the necessary code to receive and process 802.11 frames intended for it to receive. For promiscuous mode to work, the driver must explicitly implement functionality that allows every 802.11 frame associated with the currently connected access point, intended for that receiver or not, to be processed. There's also another mode called "monitor mode" which allows you to receive all 802.11 frames regardless of which AP it came from. Both of these require explicit implementation.

Unfortunately, the devices which implement these are not cheap. At the moment I think only AirPCAP is fully supported for doing this kind of work, and it costs in excess of $500.

It's also worth noting that you can't sniff the network traffic of other users on a network which uses WPA2, as each client exchanges its own session key for encrypting the radio communications between it and the access point. You'll be able to sniff the 802.11 frame headers and some housekeeping packets, but the actual network payloads will be encrypted.

Polynomial
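As an added example (not part of the question or of Polynomial's answer), a small Python script that illustrates two points the answer makes: the link-layer type in a pcap file's global header tells you whether the capture came from the adapter in normal mode (Ethernet-style frames, so only your own traffic) or in monitor mode (raw 802.11 frames), and the Protected bit in an 802.11 frame-control field is why WPA2 payloads remain unreadable even when the frame itself is captured. The pcap headers, frames and MAC addresses are constructed inline; the sniffer's own MAC is an assumed value.

```python
import struct

# libpcap link-layer types from the DLT_* list: 1 = Ethernet, 105 = raw 802.11,
# 127 = 802.11 with a radiotap header (what monitor-mode captures usually use)
LINK_TYPES = {1: "Ethernet", 105: "IEEE 802.11", 127: "IEEE 802.11 + radiotap"}
FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
BROADCAST = "ff:ff:ff:ff:ff:ff"
OWN_MAC = "02:00:00:00:00:01"   # assumed MAC of the sniffing laptop (constructed)


def pcap_link_type(data: bytes) -> str:
    """Read the link type from a classic pcap global header (24 bytes)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":      # little-endian pcap magic
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":    # big-endian pcap magic
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    network = struct.unpack(endian + "I", data[20:24])[0]
    return LINK_TYPES.get(network, f"unknown ({network})")


def parse_80211(frame: bytes) -> dict:
    """Decode frame type, Protected flag and receiver address (addr1) of an 802.11 frame."""
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3                       # bits 2-3 of byte 0: frame type
    addr1 = ":".join(f"{b:02x}" for b in frame[4:10])
    return {"type": FRAME_TYPES.get(ftype, "reserved"),
            "protected": bool(fc1 & 0x40),         # bit 6 of byte 1: encrypted payload
            "addr1": addr1}


def classify(frame: bytes, own_mac: str) -> str:
    """Describe what a capture on the given station would show for this frame."""
    info = parse_80211(frame)
    if info["addr1"] == BROADCAST:
        scope = "broadcast"
    elif info["addr1"] == own_mac.lower():
        scope = "to this station"
    else:
        scope = "to another station (needs promiscuous/monitor mode to be seen)"
    payload = "encrypted payload" if info["protected"] else "cleartext payload"
    return f"{info['type']} frame, {scope}, {payload}"


def frame(fc1: int, addr1: str) -> bytes:
    """Build a constructed 24-byte 802.11 data-frame header with the given flags/receiver."""
    addr = bytes(int(x, 16) for x in addr1.split(":"))
    return bytes([0x08, fc1]) + b"\x00\x00" + addr + b"\x00" * 14   # addr2, addr3, seq ctrl


# Constructed pcap global headers: version 2.4, snaplen 65535, link type 1 vs 127
PCAP_ETHERNET = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
PCAP_MONITOR = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 127)
```

Flag byte 0x41 sets To-DS and Protected, so `classify(frame(0x41, "02:00:00:00:00:02"), OWN_MAC)` reports a data frame to another station whose payload is encrypted, which is exactly what a WPA2 capture of someone else's traffic looks like.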