Wireless Snifing With Wireshark

[barry]

Hi all,

Hope someone can help plz.

Ive recently been playing around with WiFi, recently cracking WEP and WPA1/2.

So what I wanted to do next was start to sniff the wireless networks I was on, other devices traffic (doing this on my own network so dont worry ;) )

So I booted up BT

Put my ALFA awus036h card into monitor mode using airmon-ng

Authenticated onto my WPA2 network

Obtained an ip address

Fired up Wireshark and Tshark but all I could view was my own traffic (On BT) and the traffic my target (other laptop) was sending out on broadcast.

Ive looked at the Wireshark settings but cant for the life of me work out what I am missing

Any help?

-----------------------------

Commands I used -

ifconfig wlan0 down

airmon-ng start wlan0

wpa_supplicant -Dwest -imon0 -c /etc/wpa_supplicant.conf (to connect to my AP, using mon0 not wlan0)

dhclient

fired up wireshark and listened on mon0.... but nothing

------------------------------

Also I tried using both RTL8187 driver and R8187

RTL8187 authenticated but couldnt see anything

R8187 would not authenticate

[Infiltrator]

1) Do you have AP isolation enabled on your wireless router?

2) Make sure airmon-ng is set to listen on a channel, but what baffles me here is that you are authenticated to your wireless network, so technically you should be able to sniff your wireless traffic.

3) Your backtrack machine is it on, a laptop or on a desktop computer? (make sure only the alfa network card is enabled, all other nics disabled).

Edited March 16, 2012 by Infiltrator

[barry]

Thanks for the reply.

1. I dont know what you mean by AP isolation, could you expand please?

2. Thats what I thought, but I then decided it was probably due to Monitor mode not working correctly.

As I understand it you cant just join a network and fireup wireshark, the interface will ignore all traffic apart from broadcast and unicast for its IP. (correct me if I am wrong)

I will try and specify the channel its on.

3. Its on my desktop, yup I was just running the one network card and was ensuring that was the one I was using in wireshark, it was in my list as mon0.

Cheers

[Infiltrator]

AP isolation, is a security feature in wireless routers that helps prevent MITM attacks. It works by isolating each wireless client from each other. So you might want to check if your router has this feature turned on.

Edit: I just went over your post again, and realized that you haven't specified a channel for airmon-ng to listen on.

airmon-ng start wlan0 6

Edited March 16, 2012 by Infiltrator

[digip]

You can't connect on mon0 while trying to do monitor mode. mon0 should be in monitor mode to listen to traffic around you. In order to connect to an access point, it would put the card in managed mode, which only shows your own traffic. Generally, if you have a card with two radios/antennas like the alphas and realteks, you run airmon and you should then get two wifi adapters under ifconfig -a. One to monitor and inject from, and the other to associate and connect with. 1 should be in monitor mode, while the other is in managed mode. Also, if you have only 1 card that has only 1 radio/antenna, then you need two physical cards to do both monitor mode and managed mode for connecting.

[arcane]

I get the same thing when I try to sniff packets with wifi. Home routers act more like a switch then a hub. Try arp spoofing and see if that works :)

Edited April 15, 2012 by arcane