I just started with Wireshark and tcpdump.
They both work fine if I capture traffic on my IP but don't capture anything from other sources (other IPs on my network).
My setup: 1 PC running Windows 8 (IP 192.168.0.2), 1 laptop running Ubuntu (192.168.0.3).
Both connected to a cheap unmanaged 5-port switch that is connected to my router.
Both wired, even tried with the laptop on wireless mode.
If I run tcpdump on my laptop with the filter host 192.168.0.2 (computer IP address), it does not capture anything!
Same if I run Wireshark on my computer but use filters such as dest 192.168.0.3 (laptop's IP).
Tried tcpdump with net 192.168.0.0/24 (should be capturing traffic from my whole network)... same result, captures only traffic that is destined to my IP (the laptop from which I am running the command).
Tried setting Promiscuous ON on both the laptop and PC, same result.
Any idea why I am not able to capture anything from other IP addresses?
"Both connected to a cheap unmanaged 5 port switch"
As you've already discovered, your current capture setup won't work. From the Wireshark CaptureSetup/Ethernet wiki page:
In addition, if you are on a switched Ethernet, rather than a shared
Ethernet, you will also have to take action to ensure that all traffic
in which you're interested is sent to the Ethernet adapter on the
machine running the packet capture program; that is not, by default,
the case on switched networks, so attempts to capture on a switched
network will, by default, see only traffic that the capturing machine
would see when not in promiscuous mode.
Refer to that same page for a number of solutions, including using a TAP, a managed switch, or even a hub (if you can even find one and have no other choice), just to name a few.
In addition to the Wireshark wiki page, I'd also highly recommend reading the very talented Jasper Bongertz's 6-part Network Capture Playbook series:
The Network Capture Playbook Part 1 – Ethernet Basics
The Network Capture Playbook Part 2 – Speed, Duplex and Drops
The Network Capture Playbook Part 3 – Network cards
The Network Capture Playbook Part 4 – SPAN Port In-Depth
The Network Capture Playbook Part 5 – Network TAP Basics
The Network Capture Playbook Part 6 – Planning Network Troubleshooting
I am a complete novice to this... I have a webcam behind my router, and it's configured to be accessible on a particular port (e.g. 30000) using a port forwarding configuration. It has a fixed IP in my network.
Using wireshark, I can see the camera responding to requests coming from within my network (i.e. another client), and this does not use port forwarding.
However, when I access the camera from outside my network (i.e. using external IP plus port), wireshark does not show anything (but I see the camera streaming on the client).
I use Wireshark on Ubuntu, eth0, and ip.addr == 192.168.x.y as the filter.
When the camera was streaming data to the internal client, were you also capturing packets with Wireshark on that same client? I'm guessing that you were, which is why you saw the data.
When the camera streams to a client on an external network, the stream flows through the router, but your client is likely plugged into another switch port on the back of your router, and the router doesn't forward the packets to that port, which is why you don't see them.
In order to observe the packets, you would need to configure your capture PC such that it can capture the packets. There are a few different methods to achieve this, for example, using a hub, a SPAN/mirror port on a managed switch if you have one, or a TAP. I would recommend reading the detailed information available on the Wireshark Ethernet capture setup wiki page, which describes several different methods for successfully capturing Ethernet frames and provides helpful pictures as well. Choose a capture scenario that best meets your needs (and $$ budget).
I'm new to DPDK. I'm trying to learn about KNI. I compiled and fired up the KNI example provided with the library.
I used the ifconfig commands to bring up the vEth interfaces that spin up corresponding to each port and assign ipaddress and netmasks to them.
I tried to ping and hping (tcp ping) other machines on the same network. Through tcpdump, I can see that the KNI interfaces send out the right frames but don't seem to be receiving anything.
I don't see any errors in dmesg or the console running the KNI test script.
I proceeded to try and debug by printing out mbuf entries. The KNI Rx doesn't seem to find anything in the ring buffer corresponding to the Eth port which is supposed to receive the data/frames. However, the ifconfig messages do show up on the buffers and are accordingly acted upon by the kernel.
It would be very helpful if someone can advise me on how to move forward with this and get this to work as it is supposed to. I have been spinning my wheels on this for a while. I have tried this on both VMs and a physical machine with multiple network interfaces.
Thanks
Use the e1000 emulated NIC for the VM. It will work as expected.
I am able to capture only the packets routed through my NIC, but I want to sniff all the packets from other PC(s) connected to the same local wireless network. I am using Wireshark, but it cannot sniff the packets from the remote IP(s) connected to the same local network (created by a wireless router).
You haven't provided much detail about your capture setup - in particular what OS your capture PC is running or what hardware you have. The best advice I can give you to start with is to visit the Wireshark WLAN (IEEE 802.11) capture setup wiki page and carefully read its contents, particularly those sections that best relate to your system. At the very least, you will need to be able to place your wireless NIC into monitor mode, and the method by which you do that is OS dependent, so do visit that wiki page for more details.
If you happen to be running Windows and you are unable to place your NIC into monitor mode using Wireshark or you don't have an adaptor (such as an Airpcap adaptor) capable of capturing the traffic, or npcap doesn't work for you, then you might want to try other tools besides Wireshark, such as Microsoft's Network Monitor or their newer Message Analyzer capture tools.
Lastly, if nothing else works, then you might want to visit the Wireshark Tools wiki page to try to find other potential tools that might work for you in your particular capture environment.
You can use the Cain and Abel sniffing tool. It is a very easy one. You can sniff packets with Cain and Abel and log them using Wireshark.
You can download it from https://web.archive.org/web/20190603235413/http://www.oxid.it/cain.html
Lately I have been trying to analyze wifi traffic over my own test router.
I looked on the wireshark website on how to do this and setup my own testing network.
My network:
- DD-WRT router with WPA2 Personal mixed security using TKIP+AES.
- Kali Linux capture machine with Wireshark 1.8.5
- Android phone for producing traffic
I then put the wireless interface of my Kali laptop into monitor mode using airmon-ng
airmon-ng start wlan0
To check if the created monitor interface(mon0) worked I would use airodump-ng.
When I knew that my monitor interface was working, I started up Wireshark.
I selected mon0 as the capture interface and pressed Options. In Capture Options I put the MAC address of my router, which I got through airodump-ng, in the capture filter area.
I then would take care of the packet decryption that would be needed for me to see the actual data. I went to the following webpage:
http://wiki.wireshark.org/HowToDecrypt802.11
I followed the instructions there. (Only the way I need to put in the decryption keys is different from the key#1 system that is described on the page. I get a new window in which I need to select a security method wep, wpa-pwd or wpa-psk and input the key.)
I used the wireshark wpa psk generator tool to get the right pre-shared key.
http://www.wireshark.org/tools/wpa-psk.html
Essid: "testnet"
Password: "wachtwoord"
psk: 33fe484e651381b15859e539279f2991c0f5e5e751ef17f82104d4ad528718ca
I put in 2 new keys. One being wpa-pwd with wachtwoord as its value. The second being wpa-psk with the psk mentioned above as its value.
I applied all the settings, and checked the enable decryption checkbox.
So I clicked the start capture button and saw a whole bunch of beacon frames rolling in.
I associated my Android phone with the AP so I knew I captured the EAPOL packets (I checked this using the filter and I had all 4 packets).
After filtering with "data", I saw that I didn't capture any data packets.
I then expected to see the actual traffic, but this was not the case.
airdecap-ng did not see any WPA packets in the capture file.
My only theory left after hours of puzzling is lack of driver support.
Please tell me what I am doing wrong?
Thank you!
tl;dr:
My computer does not capture 802.11 WPA2 data packets, and I can't figure out why.
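The two keys entered above (wpa-pwd "wachtwoord" and the wpa-psk hex string) are the same key in two forms: the PSK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, which is what the Wireshark wpa-psk tool computes. This added example (not code from the post or from Wireshark) reproduces that derivation so the hex value can be checked locally; the IEEE 802.11 test vector is assumed from the published standard, and the ESSID/passphrase are the poster's.

```python
import hashlib
import hmac

# Published IEEE 802.11 (Annex) test vector, used here as a sanity check of the derivation.
IEEE_VECTOR = ("password", "IEEE",
               "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")

def wpa_psk(passphrase: str, ssid: str) -> str:
    """Derive the 256-bit WPA/WPA2-Personal PSK (the PMK) from passphrase and SSID.

    PBKDF2-HMAC-SHA1, salt = SSID, 4096 iterations, 32 bytes of output.
    Wireshark's wpa-pwd key type ("passphrase:ssid") performs this same derivation
    internally, so the wpa-pwd and wpa-psk keys in the question are equivalent.
    The SSID is part of the salt: a wrong or mistyped ESSID gives an unrelated PMK
    and nothing decrypts, even with the right passphrase.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()

def psk_matches(passphrase: str, ssid: str, expected_hex: str) -> bool:
    """Constant-time comparison of a derived PSK against one obtained elsewhere
    (e.g. from the Wireshark web tool or a router's configuration page)."""
    return hmac.compare_digest(wpa_psk(passphrase, ssid), expected_hex.lower())

if __name__ == "__main__":
    # The PMK alone is not enough to decrypt: Wireshark still needs the 4-way EAPOL
    # handshake of the client in the capture to derive the per-session PTK.
    print("testnet PSK:", wpa_psk("wachtwoord", "testnet"))
    print("IEEE vector ok:", psk_matches(*IEEE_VECTOR))
```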
Have you checked if you can capture Wifi frames in OPEN/NONE security? If it doesn't work with OPEN/NONE, then you need to fix the setup before being able to capture WPA2/AES traffic.
Steps I used to check Wifi capture setup:
- Configure AP as OPEN/NONE (open authentication, no encryption).
- Add monitor interface:
$ sudo iw phy phy0 interface add moni0 type monitor
$ sudo ifconfig moni0 up
Set the channel properly (the same on the AP and the laptop). Avoid the popular channels 1, 6 and 11 (use channel 7, for example) to reduce the amount of captured traffic.
Some wireless cards do not support monitor mode very well, so it may also be worth avoiding 802.11n and using 802.11b/g only.
In my college lab all the PCs are connected via LAN by an L2 switch. I want to capture the HTTP data packets with Wireshark but it is only showing the interface of my own PC. So how can I capture the packets of other PCs?
Can somebody tell me the working of Wireshark?
It is in the nature of switches that you will only see either broadcast packets or traffic that has your MAC address as a destination; that is one of the crucial differences between a switch and a hub.
It is possible for most switches to be configured to copy traffic from one port to another, this is commonly done for monitoring purposes, but that has to be done via administrative access to the device.
You can manipulate the switch's behavior by means of ARP-Spoofing. But be cautious! Doing so might be seen as a criminal act.
So be sure that you're allowed to do so in the lab, sometimes that's OK if it serves the educational purpose. Ask your supervisor or the school's administrator.
My weapon of choice for such things is Ettercap.
A far less intrusive approach would be to use one of your own switches and configure it to forward all traffic. Then you can connect one port as an uplink to the lab's switch, one port to the device under test and one port to your machine running wireshark. (I would recommend using tcpdump for capturing, though.) If you don't have a manageable switch at hand, you can also use a router running OpenWRT.
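Both the first answer on this page (the unmanaged 5-port switch) and this one come down to the same forwarding rule: a learning switch delivers a unicast frame to one port only, so a promiscuous capture on another port sees just broadcasts, while a hub or a mirror (SPAN) port delivers copies. The following is an added simulation written for this page, not code from any answer; the MAC addresses, port numbers and traffic are constructed.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Constructed MAC addresses: PC on port 1, capturing laptop on port 2, router on port 3.
PC, LAPTOP, ROUTER = "02:00:00:00:00:02", "02:00:00:00:00:03", "02:00:00:00:00:01"
PORTS = [1, 2, 3]

@dataclass
class Switch:
    """Minimal learning switch. hub=True floods every frame like a hub;
    mirror maps a watched port to a SPAN port that receives a copy of its traffic."""
    hub: bool = False
    mirror: dict = field(default_factory=dict)
    mac_table: dict = field(default_factory=dict)

    def forward(self, in_port: int, src: str, dst: str) -> set:
        self.mac_table[src] = in_port                  # learn which port src lives on
        known = self.mac_table.get(dst)
        if self.hub or dst == BROADCAST or known is None:
            out = {p for p in PORTS if p != in_port}   # flood: broadcast or unknown dst
        else:
            out = {known}                              # unicast goes to exactly one port
        for watched, span in self.mirror.items():      # SPAN copies frames in/out of watched
            if in_port == watched or watched in out:
                out.add(span)
        return out

# Constructed traffic: the PC ARPs (broadcast), then exchanges unicast frames with the router.
TRAFFIC = [
    ("pc->bcast", 1, PC, BROADCAST),
    ("router->pc", 3, ROUTER, PC),
    ("pc->router", 1, PC, ROUTER),
]

def frames_seen_by(capture_port: int, hub: bool = False, mirror=None) -> list:
    """Labels of the frames the switch delivers to capture_port, i.e. the most a
    promiscuous tcpdump/Wireshark on that port could possibly capture."""
    sw = Switch(hub=hub, mirror=mirror or {})
    return [label for label, in_port, src, dst in TRAFFIC
            if capture_port in sw.forward(in_port, src, dst)]

if __name__ == "__main__":
    print("unmanaged switch:", frames_seen_by(2))                 # only the broadcast
    print("hub:             ", frames_seen_by(2, hub=True))       # everything
    print("SPAN port 1->2:  ", frames_seen_by(2, mirror={1: 2}))  # everything
```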