Wireshark


wqevwevqwevqwrevwfd

I downloaded Wireshark and it seems that it only can capture packets from the PC where Wireshark is installed on, what am I doing wrong? This is in my home setup, I haven't got the time to test it out outside of the home network.

note, I just bought a WRT54GL router

this is the setup of Wireshark (running on Windows 7):

post-18384-1270992304_thumb.jpg

and this is what I see:

post-18384-1270992679_thumb.jpg

and on my capture PC I have nothing on; all the other PCs are on stand-by, only 1 PC is using YouTube

Edited by nivong

That is what Wireshark does, it captures packets on your machine from your NIC, locally. To see packets on the network that aren't yours, one of two things needs to be in place depending on if you use wired or wireless.

Wired: 1, you need to be using a hub which broadcasts packets to all nodes on the hub, or 2, MITM another node on the same subnet.

Wireless: MITM a client on the same subnet, or 2, have a wireless card that can do monitor mode and see all the packets in the air (so long as they are not encrypted, ex: WEP or WPA). Now to do the monitor mode, most NICs will require you to use Linux, but only if the card is supported for monitor mode. Windows can do it with special cards but also require custom drivers unless you go with something like CACE AirPcap cards which work with Wireshark natively in Windows: http://www.cacetech.com/products/airpcap.html


That is what Wireshark does, it captures packets on your machine from your NIC, locally. To see packets on the network that aren't yours, one of two things needs to be in place depending on if you use wired or wireless.

Wired: 1, you need to be using a hub which broadcasts packets to all nodes on the hub, or 2, MITM another node on the same subnet.

Wireless: MITM a client on the same subnet, or 2, have a wireless card that can do monitor mode and see all the packets in the air (so long as they are not encrypted, ex: WEP or WPA). Now to do the monitor mode, most NICs will require you to use Linux, but only if the card is supported for monitor mode. Windows can do it with special cards but also require custom drivers unless you go with something like CACE AirPcap cards which work with Wireshark natively in Windows: http://www.cacetech.com/products/airpcap.html

Thanks for the answer(s). I use a wired connection with a HUB, so you have:

Cable modem > ROUTER > HUB > PC1

...............................................> PC2

...............................................> PC3

etc. so you think it's because of the HUB?

Edited by nivong

A true hub will allow you to see all the traffic, a switch will only send to the party it's intended for unless you do a MITM or it's a high end device like a Cisco Enterprise switch that can do port mirroring. Home switches don't do port mirroring, and most home consumer switches say stuff like 4 port ethernet hub on them, when in reality they are a router/switch combo.

If it's a real hub and not a switch, it would work like any repeater, everyone will see the traffic since it will broadcast anything it receives on one port to all its other ports.

Edited by digip
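
A quick way to check which case applies to your own capture point, as an added example that is not part of any post in this thread: on a switched port you only see frames to or from your own NIC plus broadcast/multicast, while on a true hub you also see unicast frames between other hosts. The function names, the `min_foreign` threshold and all MAC addresses below are constructed for illustration.

```python
from collections import Counter

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def classify_capture(frames, local_mac, min_foreign=3):
    """Classify a capture point from raw Ethernet frames.

    frames: iterable of bytes, each starting with the 14-byte Ethernet header.
    local_mac: MAC of the capturing NIC, e.g. "02:00:00:00:00:01".
    min_foreign: foreign unicast frames needed before calling the segment
                 shared (a switch floods a few while it learns addresses).
    """
    local = bytes.fromhex(local_mac.replace(":", ""))
    counts = Counter(own=0, flooded=0, foreign_unicast=0)
    talkers = set()
    for frame in frames:
        if len(frame) < 14:          # truncated frame, no full header
            continue
        dst, src = frame[0:6], frame[6:12]
        if local in (src, dst):      # traffic of the capturing machine itself
            counts["own"] += 1
        elif dst[0] & 0x01:          # group bit set: broadcast or multicast
            counts["flooded"] += 1
        else:                        # unicast between two other hosts
            counts["foreign_unicast"] += 1
            talkers.add((_mac(src), _mac(dst)))
    verdict = "shared" if counts["foreign_unicast"] >= min_foreign else "switched"
    return verdict, dict(counts), sorted(talkers)

def _frame(dst, src, ethertype=0x0800):
    """Build a constructed minimum-size Ethernet frame for the samples."""
    to_b = lambda m: bytes.fromhex(m.replace(":", ""))
    return to_b(dst) + to_b(src) + ethertype.to_bytes(2, "big") + b"\x00" * 46

# Constructed sample captures (locally administered MACs, not real devices).
ME, PC2, GW = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:fe"
BCAST = "ff:ff:ff:ff:ff:ff"
SWITCHED = [_frame(GW, ME), _frame(ME, GW), _frame(BCAST, PC2, 0x0806)] * 4
SHARED = SWITCHED + [_frame(GW, PC2), _frame(PC2, GW)] * 4

if __name__ == "__main__":
    for name, cap in (("switched-port sample", SWITCHED), ("hub sample", SHARED)):
        print(name, classify_capture(cap, ME))
```

If the verdict is "switched" while another PC on the same device is busy, the box labelled as a hub is forwarding like a switch.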

I downloaded Wireshark and it seems that it only can capture packets from the PC where Wireshark is installed on, what am I doing wrong? This is in my home setup, I haven't got the time to test it out outside of the home network.

note, I just bought a WRT54GL router

thanks for asking this nivong!

I was just playing around on wireshark in BT4 and was wondering why I was only seeing MY traffic and not the wife's who was on her netbook in the other room! I had not set my alfa to monitor mode to listen to everything!

I love how much I can learn from reading on here and trying things!

Edited by Inked

thanks for asking this nivong!

I was just playing around on wireshark in BT4 and was wondering why I was only seeing MY traffic and not the wife's who was on her netbook in the other room! I had not set my alfa to monitor mode to listen to everything!

I love how much I can learn from reading on here and trying things!

go re-read your topic

don't use monitor mode for MITM


Is the HUB a HUB or a switch?

It's a HUB as I mentioned earlier, it's a cheap 100 mb/s hub, ICICU (is the company), it was something like 5 euro

In all honesty, I've not seen hubs since 10Mbit was fast, and if it's 1GBit there is no chance it will be a hub.

Well my HUB is 100 MB/s

thanks for asking this nivong!

I was just playing around on wireshark in BT4 and was wondering why I was only seeing MY traffic and not the wife's who was on her netbook in the other room! I had not set my alfa to monitor mode to listen to everything!

I love how much I can learn from reading on here and trying things!

indeed, there are a lot of nice people here that are willing to help! love it already :D!

added images to the first post

Edited by nivong

That is what Wireshark does, it captures packets on your machine from your NIC, locally. To see packets on the network that aren't yours, one of two things needs to be in place depending on if you use wired or wireless.

Wired: 1, you need to be using a hub which broadcasts packets to all nodes on the hub, or 2, MITM another node on the same subnet.

Wireless: MITM a client on the same subnet, or 2, have a wireless card that can do monitor mode and see all the packets in the air (so long as they are not encrypted, ex: WEP or WPA). Now to do the monitor mode, most NICs will require you to use Linux, but only if the card is supported for monitor mode. Windows can do it with special cards but also require custom drivers unless you go with something like CACE AirPcap cards which work with Wireshark natively in Windows: http://www.cacetech.com/products/airpcap.html

more like ettercap -i wlan0 -Tq -M arp:remote // //

so then you get ALL clients :D


nivong,

It might help you out to read my post regarding Wireshark problems. I believe we are having very similar issues.

http://www.hak5.org/forums/index.php?showtopic=16179

I already read it but I don't use a wlan connection I use a LAN connection. But yea it's kinda the same problem.

more like ettercap -i wlan0 -Tq -M arp:remote // //

so then you get ALL clients :D

What does it do? Capture packets from all clients in your area? (even if you're not connected to the AP?)

I forgot to mention I use Wireshark on Windows 7, also tried in BackTrack (4) but no luck, so it's not related to the OS. I think there will be something wrong with my network (well wrong, glad my network is safe lol). Today I will test it out somewhere. Stay tuned!

Edited by nivong

I already read it but I don't use a wlan connection I use a LAN connection. But yea it's kinda the same problem.

What does it do? Capture packets from all clients in your area? (even if you're not connected to the AP?)

I forgot to mention I use Wireshark on Windows 7, also tried in BackTrack (4) but no luck, so it's not related to the OS. I think there will be something wrong with my network (well wrong, glad my network is safe lol). Today I will test it out somewhere. Stay tuned!

no it mitm's all the users on the AP

you HAVE TO BE ON THE AP FIRST so you need to go back a step


still no luck, tested with Cain and Abel and even that one couldn't find anything, only from the sniffing PC. I think it's my hub that's blocking it.... that it is a cheap, not good working HUB that needs to be replaced 'cause it's acting like a switch!

Build a passive tap.

http://www.sun.com/bigadmin/content/submit...thernet_tap.jsp

You can see a slightly convoluted thread about them here.

http://www.netstumbler.org/f17/humble-request-22694/


Dumb question, but what kinds of cables are you using with the hub? Crossover, straight through, etc?


If you buy another HUB it will probably be a switch too... HUBs are a thing of the distant past.

Well my HUB is a real HUB, it's like a 5 years old thing that already needed to be replaced a long time ago :P

Dumb question, but what kinds of cables are you using with the hub? Crossover, straight through, etc?

Well it's hard to tell because they are all plugged in but I think they are all straight cat 4-5
