Wireshark can't sniff smartphone traffic even if it correctly sniffs laptop traffic

Hi all,

I'm using Wireshark to sniff traffic of my home Wi-Fi network, where different smartphones and 1 laptop (name it: PC_target) are connected via Wi-Fi (no cable connection at all, just Wi-Fi). Wireshark is running on a second laptop (name it: PC_wireshark), and it has been properly configured so that I'm perfectly able to sniff AND DECRYPT all traffic generated from PC_target (EAPOL, HTTP, DNS, TCP, ICMP and so on). I see every packet, even if those packets are not directed to PC_wireshark. This is possible because I properly set the network interface to Monitor Mode, set the proper channel, set IEEE 802.11 decryption, properly set the WPA password:SSID, waited for the laptop to disconnect and reconnect to the network, got the EAPOL packets, and so on. So in the end, I can 100% sniff laptop traffic.

The problem is that, when I perform the same exact steps in order to sniff traffic from one of the available smartphones, I don't get any EAPOL packets and so can't sniff anything that is encrypted. I'm really stuck since I can't understand why the same configuration allows me to sniff PC_target, but doesn't allow me to sniff smartphones.

Can someone help?

manumsn asked 2020-04-09 09:35:09 +0000
grahamb updated 2020-04-09 10:21:58 +0000

Comments

So what you're saying is that you can't get the smartphone to send EAPOL packets, while you can get the PC_target to do that? That's not what the title suggests. Or do you see no traffic at all from the smartphone? You elaborated on the PC_target capturing, which is a cool achievement, but say little about the troubled smartphone platform and its interactions. Please do so.

Jaap (2020-04-09 10:17:27 +0000)

Are the smartphones connecting to your WiFi or the Mobile network?

Anders (2020-04-09 11:41:55 +0000)

If the smartphones are connected to the WiFi, are they using the same channel as PC_target? APs often support a channel in both the 2.4GHz and the 5GHz bands concurrently. Could the PC_target have connected on a 5GHz channel while the smartphones have connected on a 2.4GHz channel or vice versa?

Jim Young (2020-04-09 12:24:23 +0000)

1 Answer

A solution has been found, see below. There is also another question on this topic at the end.

@Jim Young: thanks a lot. The problem is that the router is using both the 2.4GHz and 5GHz bands at the same time. According to the "$ airodump-ng mon0" command, the router is using channel 6, so I used to set Wireshark to use the same channel by selecting "Channel 6 - 2.437" on the top panel, and this worked fine to sniff PC_target, which I verified was connecting on that 2.4 band. However, checking the router logs, I found out that all the available smartphones were connecting on the 5GHz band. After some checks I found that the proper channel for them was "Channel 48 - 5.240". After setting this channel in Wireshark I can now sniff the EAPOL of the smartphones too.

@Jaap: you are right, but I decided to write a title somehow generic in order to reach as many different people as possible who might have same issue.

@Anders: thanks for the support, the devices were of course connected to Wi-Fi and not to the Mobile Network.

Question for all: even if airodump-ng was stating the router was on Channel 6, in the end I had to manually switch Wireshark to a different channel in order to sniff smartphone traffic. However, there are around 20 different channels on the 5GHz band, and only one of them was the correct one. I had to test them one by one, and it's been very slow. Is there a way to immediately find which channel must be selected for a specific device, when the router is behaving like this?

manumsn answered 2020-04-09 14:25:42 +0000

Comments

You want channel hopping for Windows?
https://wiki.wireshark.org/CaptureSet...

Chuckc (2020-04-09 14:35:27 +0000)

Not at all, I'm not using Windows but Kali Linux. Anyway I had a look at the link, and channel hopping could be a solution. With Channel Hopping one could hop between different channels and collect some traffic related to different devices, then inspect the "802.11 radio information" header and find the channel and frequency for that specific device. Then, knowing that, stop Channel Hopping and tune Wireshark to that specific channel, in order to get the complete EAPOL. Thanks for the suggestion.

manumsn (2020-04-09 14:56:04 +0000)

Per the man page,

By default, airodump-ng hop on 2.4GHz channels.

I suspect this is why you only observed your 2.4 devices. There are options to enable scanning 5GHz or your own preset channel list with airodump-ng. Horst is another tool that scans for wireless networks in Linux, as do kismet and bettercap:

Bob Jones (2020-04-10 10:28:43 +0000)
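
The approach discussed in the comments above (hop across channels, then read the channel from each frame's "802.11 radio information", i.e. radiotap, header) can be scripted. The following is an added example, not code from this thread or from Wireshark: it walks the radiotap header to the Channel field and groups the channels seen by transmitter MAC. The MAC addresses and frames are constructed; the two frequencies mirror the channels named in the answer.

```python
import struct
from collections import defaultdict

FIELDS_BEFORE_CHANNEL = {0: (8, 8), 1: (1, 1), 2: (1, 1)}  # TSFT, Flags, Rate: (size, align)

def freq_to_channel(mhz):
    """Map a centre frequency in MHz to its 2.4 GHz or 5 GHz channel number."""
    if 2412 <= mhz <= 2472:
        return (mhz - 2407) // 5
    if 5000 < mhz <= 5895:
        return (mhz - 5000) // 5
    return 14 if mhz == 2484 else None

def parse_frame(frame):
    """Return (transmitter MAC, frequency in MHz), or None if either is absent."""
    if len(frame) < 8:
        return None
    version, _pad, rt_len, present = struct.unpack_from("<BBHI", frame, 0)
    if version != 0 or rt_len > len(frame) or not present & (1 << 3):
        return None
    offset, word = 8, present
    while word & (1 << 31):  # bit 31 chains another 32-bit "present" word
        if offset + 4 > rt_len:
            return None
        (word,) = struct.unpack_from("<I", frame, offset)
        offset += 4
    for bit, (size, align) in FIELDS_BEFORE_CHANNEL.items():
        if present & (1 << bit):  # fields are naturally aligned from header start
            offset = -(-offset // align) * align + size
    offset += offset % 2  # Channel is 2-byte aligned: u16 frequency, u16 flags
    dot11 = frame[rt_len:]
    if offset + 4 > rt_len or len(dot11) < 16:  # ACK/CTS carry no transmitter
        return None
    (freq,) = struct.unpack_from("<H", frame, offset)
    return ":".join(f"{b:02x}" for b in dot11[10:16]), freq

def channels_by_device(frames):
    """Group the channels seen during a hopping capture by transmitter MAC."""
    seen = defaultdict(set)
    for mac, freq in filter(None, map(parse_frame, frames)):
        if freq_to_channel(freq) is not None:
            seen[mac].add(freq_to_channel(freq))
    return {mac: sorted(chans) for mac, chans in seen.items()}

def sample(freq, mac, tsft=False):  # constructed frame, not from a real capture
    body = (b"\0" * 8 if tsft else b"") + b"\x00\x02" + struct.pack("<HH", freq, 0)
    rt = struct.pack("<BBHI", 0, 0, 8 + len(body), 0x0E | tsft) + body
    return rt + b"\x08\x01\0\0" + b"\xff" * 6 + bytes.fromhex(mac.replace(":", "")) + b"\0" * 8

FRAMES = [sample(2437, "02:00:00:00:00:01"), sample(5240, "02:00:00:00:00:02", tsft=True)]
```

With real data, `frames` would be the raw packets of a monitor-mode capture whose link type is radiotap, and the per-MAC result tells which channel to fix the capture on before waiting for that device's EAPOL handshake.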