capture all traffic from my own phone

Hi Folks,

I'd like to capture all packet activity (eventually looking at video streams) using Wireshark. I have a MacBook Pro and am wondering if I can do this over the WiFi interface, knowing the iphone address of my phone? I have tried promiscuous mode but only get MDNS. Trying monitor mode is not getting anything when I filter for my IP address.

Any tips?

Thanks!

engimapaul asked 2023-01-13 22:30:30 +0000

1 Answer

Some of the reasons monitor mode capture won't show IP address include: capturing on the wrong channel, capture setup cannot pick up the data frames you want, the traffic is encrypted, and others.

You almost certainly have a switched network which filters frames not destined for your host and wireless adapters drop unicast traffic not destined for the interface unless in monitor mode.

The best option to collect traffic if you care about anything above L2 is to collect wired network traffic with a network tap or other technique (mirror port, etc.) as it will be much easier to analyze. You can collect this at the wired side of the AP or perhaps in front of the router or other suitable place.

If you have to do wireless capture, then work through all the issues in the wiki to set up your monitor mode capture.

Bob Jones answered 2023-01-14 16:08:39 +0000

Comments

Thanks Bob!

The network is all Wi-Fi with a combo fiber modem and router. The Mac and the phone are on the same subnet via Wi-Fi. The Wi-Fi password is entered into Wireshark, as far as I know correctly.

Specifically, if I want to monitor the phone traffic on the Mac, what would be the path of least resistance? Plugging into the router/modem is certainly not a problem.

Thanks!

engimapaul (2023-01-14 22:39:31 +0000)

For decryption, WPA2 requires the passphrase as well as capturing the 4-way handshake. WPA3 would not decrypt at all using this method.

If you have a commercial router/AP combo, then the ability to get data out is very limited. Some ideas include using your PC as an AP and having the phone connect to it. Or perhaps try one of the AP/routers that have third-party Linux firmware like OpenWrt, as they usually have more capability.

Bob Jones (2023-01-15 14:07:56 +0000)