Zajt

Not receiving ICMP requests

Hey!

I am running "tcpdump -w output.pcap -i wlan1"  on my WiFi Pineapple, then "ping -s 1000 8.8.8.8"  from my phone which is connected to the same WiFi as wlan1 is from the Pineapple dashboard. But I don't see any ICMP requests with large size in wireshark.
Before I run the tcpdump command on the WiFi pineapple after ssh:ing into it, I set it to promiscuous mode with "ifconfig wlan1 promisc"

This is the output of "ifconfig wlan1"

wlan1     Link encap:Ethernet  HWaddr 00:C0:CA:A5:C9:59  
          UP BROADCAST PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

 

Anyone know why I don't see any ICMP requests after opening output.pcap in Wireshark?

 

Thanks in advance!

On 1/24/2019 at 7:59 AM, Zajt said:

Anyone know why I don't see any ICMP requests after opening output.pcap in Wireshark?

dump from the br-lan interface and see what you get

On 1/25/2019 at 11:36 AM, Just_a_User said:

dump from the br-lan interface and see what you get

But br-lan is USB for ethernet to host, so if we ping there we will see it, but this will only work if we ping from the host computer. We wanna ping from other devices, like my phone connected to the same WiFi and then receive it and see the requests in Wireshark after we have run tcpdump. Is this possible? 

20 hours ago, Zajt said:

But br-lan is USB for ethernet to host, so if we ping there we will see it, but this will only work if we ping from the host computer. We wanna ping from other devices, like my phone connected to the same WiFi and then receive it and see the requests in Wireshark after we have run tcpdump. Is this possible? 

Did you try it?

I just had a quick play with tcpdump on my tetra. Using tcpdump capturing br-lan I was seeing pings from a phone on the open wifi of the pineapple. I don't have a second device easily to hand at the moment so can't test between two wifi devices.

But when doing that I do see pings from my test phone (172.16.42.224) going to 172.16.42.1 (tetra), 172.16.42.42 (my laptop as gateway) and to 8.8.8.8 (google). All can be captured to file for reviewing later on wireshark.

Another option (and my preference where possible) is to run wireshark on the pineapple's gateway device at 172.16.42.42 and capture all packets live and filter out what you like.

 

 

  • Upvote 1

1 hour ago, Just_a_User said:

Did you try it?

I just had a quick play with tcpdump on my tetra. Using tcpdump capturing br-lan I was seeing pings from a phone on the open wifi of the pineapple. I don't have a second device easily to hand at the moment so can't test between two wifi devices.

But when doing that I do see pings from my test phone (172.16.42.224) going to 172.16.42.1 (tetra), 172.16.42.42 (my laptop as gateway) and to 8.8.8.8 (google). All can be captured to file for reviewing later on wireshark.

Another option (and my preference where possible) is to run wireshark on the pineapple's gateway device at 172.16.42.42 and capture all packets live and filter out what you like.

 

 


We tried with br-lan now, so first we set br-lan to be in promisc mode. Then we run: tcpdump -w output.pcap -i br-lan , and then on WiFi pineapple we are connected to our WiFi-hotspot. Then I connect to the same hotspot from my phone, then send ping requests from a terminal app on my phone. But we do not see these ICMP requests in the pcap. It seems like there are only packets from the host (the computer where we ssh into the Pineapple and run the tcpdump command)

5 minutes ago, Zajt said:

We tried with br-lan now, so first we set br-lan to be in promisc mode. Then we run: tcpdump -w output.pcap -i br-lan , and then on WiFi pineapple we are connected to our WiFi-hotspot. Then I connect to the same hotspot from my phone, then send ping requests from a terminal app on my phone. But we do not see these ICMP requests in the pcap. It seems like there are only packets from the host (the computer where we ssh into the Pineapple and run the tcpdump command)

OK now I think I understand what you are attempting to do. My previous posts were on the basis of the pineapple being the AP, but, if I understand you correctly, you're using the pineapple as a client on the target AP and want to use the pineapple to sniff the target AP traffic?

 

Just now, Just_a_User said:

OK now I think I understand what you are attempting to do. My previous posts were on the basis of the pineapple being the AP, but, if I understand you correctly, you're using the pineapple as a client on the target AP and want to use the pineapple to sniff the target AP traffic?

 

Yes exactly!

6 minutes ago, Zajt said:

Yes exactly!

I have not tried a pineapple like this myself. I would imagine some ARP magic may be required...

It may be more useful, if you have the AP password, to use wireshark to decrypt the captured wireless traffic. https://wiki.wireshark.org/HowToDecrypt802.11 But even then some clients may not be heard by your interface so it's not guaranteed to get all traffic on the AP network.

 

7 minutes ago, Just_a_User said:

I have not tried a pineapple like this myself. I would imagine some ARP magic may be required...

It may be more useful, if you have the AP password, to use wireshark to decrypt the captured wireless traffic. https://wiki.wireshark.org/HowToDecrypt802.11 But even then some clients may not be heard by your interface so it's not guaranteed to get all traffic on the AP network.

 

Why could it not be heard? Is it because they are on different WiFi channels?

3 hours ago, Zajt said:

Why could it not be heard? Is it because they are on different WiFi channels?

From what I understand (I am often wrong) not all APs are built the same. Some can direct the RF beam in a much more focused way to reach long range clients. Therefore, although you may be sniffing the same channel, you may not be able to see all of the traffic. I think it depends on other clients' range, interference, antenna gains, TX power etc.

e.g. - Say you are 50m away from AP, and another client is also 50m away from AP but is 100m away from you. What you might capture is the AP talking to the other client but not the clients responses.

Edited by Just_a_User


Update: We tried the setup where the pineapple is acting as "target AP" and running monitor mode on our laptop while generating traffic on a mobile phone, connected to the pineapple AP, and the pineapple being connected to another phone's hotspot. With this setup we could see the ICMP requests and responses both in an open hotspot and WPA2 configuration.

 

However, the problem arises when we let the mobile device be the target AP and set the Pineapple in monitor mode. Then we are not able to see almost any data at all, at least not originating from the mobile device running ping on 8.8.8.8

1 hour ago, Zajt said:

However, the problem arises when we let the mobile device be the target AP and set the Pineapple in monitor mode. Then we are not able to see almost any data at all, at least not originating from the mobile device running ping on 8.8.8.8

As per our conversation on discord,  I ran this setup and got ICMP packets.

Phone 1 as Wifi hotspot, OPEN channel 11 @2.4ghz

Phone 2 as client on phone 1's hotspot running pings to 1.1.1.1

TETRA using wlan1 in monitor mode locked to channel 11 running TCP dump with filter to pcap.

tcpdump -i wlan1mon -v 'icmp' -w pingtest.pcap

Once collected, I copy file over to pc running wireshark


This should also work with WPA2 if decrypting with wireshark by entering the key.

Edited by Just_a_User
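
As an added example (not part of the thread, and not Hak5 or tcpdump code): a Python check of a classic-format pcap such as the output.pcap or pingtest.pcap files discussed above. It reports whether the capture was taken on an Ethernet-type interface (managed mode or br-lan) or in monitor mode (radiotap), and lists the payload sizes of any ICMP echo requests and replies, so a `ping -s 1000` stands out. It assumes unencrypted IPv4 in three-address data frames; the function names and the sample capture are constructed for illustration.

```python
import struct

LINKTYPES = {1: "ethernet", 127: "802.11+radiotap"}
SNAP_IPV4 = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"  # LLC/SNAP header announcing IPv4

def ip_offset(linktype, frame):
    """Offset of the IPv4 header, or None (not IPv4, not a data frame, or encrypted)."""
    if linktype == 1:                                   # managed-mode or br-lan capture
        return 14 if frame[12:14] == b"\x08\x00" else None
    if linktype == 127 and len(frame) >= 4:             # monitor-mode capture
        rt_len = struct.unpack_from("<H", frame, 2)[0]  # radiotap is always little-endian
        if len(frame) < rt_len + 2:
            return None
        fc0, fc1 = frame[rt_len], frame[rt_len + 1]
        if (fc0 >> 2) & 3 != 2 or fc1 & 0x40:           # not data, or Protected (WPA2) bit
            return None
        llc = rt_len + 24 + (2 if fc0 & 0x80 else 0)    # QoS data adds a 2-byte field
        return llc + 8 if frame[llc:llc + 8] == SNAP_IPV4 else None

def icmp_echo_sizes(pcap):
    """Return (link type, echo-request payload sizes, echo-reply payload sizes)."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(order + "I", pcap, 20)[0]
    requests, replies, pos = [], [], 24
    while pos + 16 <= len(pcap):
        incl = struct.unpack_from(order + "I", pcap, pos + 8)[0]
        frame, pos = pcap[pos + 16:pos + 16 + incl], pos + 16 + incl
        off = ip_offset(linktype, frame)
        if off is None or len(frame) < off + 20 or frame[off + 9] != 1:
            continue                                    # not IPv4, or not ICMP
        ihl = (frame[off] & 0x0F) * 4
        if len(frame) > off + ihl and frame[off + ihl] in (0, 8):
            size = struct.unpack_from(">H", frame, off + 2)[0] - ihl - 8
            (requests if frame[off + ihl] == 8 else replies).append(size)
    return LINKTYPES.get(linktype, str(linktype)), requests, replies

def sample_pcap(linktype, payload_len):
    """Constructed one-packet capture: an echo request like `ping -s payload_len`."""
    icmp = b"\x08\x00" + bytes(6 + payload_len)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([172, 16, 42, 224]), bytes([8, 8, 8, 8])) + icmp
    dot11 = b"\x00\x00\x08\x00\x00\x00\x00\x00" + b"\x08\x01" + bytes(22) + SNAP_IPV4
    frame = (bytes(12) + b"\x08\x00" if linktype == 1 else dot11) + ip
    return (struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, linktype)
            + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)

if __name__ == "__main__":
    print(icmp_echo_sizes(sample_pcap(127, 1000)))
```

To check a real capture, pass the file's bytes, for example `icmp_echo_sizes(open("output.pcap", "rb").read())`. Frames with the Protected bit set are skipped, so a WPA2 capture shows no echoes here until it has been decrypted.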


@Sebkinne @Foxtrot

The above test works for me on my tetra, but the exact same test on a nano does not. The nano is capturing some packets but not ICMP (possibly others, I only tested icmp). This seems repeatable with @Zajt also.

Can you also repeat it? And is this normal due to hardware differences or should they both be acting the same? After spending some time on this I'm really interested in what's going on. Any suggestions very welcome.

 

Edited by Just_a_User


@Foxtrot it seems I was wrong (no surprise I guess :)), pings do show up but are delayed at first. I see ICMP packets on my nano after about 20-40 pings inconsistently. Once they start showing up I can stop pings on test device, then when starting pinging again they start showing immediately. Sorry for wasting any time. I will try to get OP sorted, cheers.

