Thread: Kismet / Wireshark only seeing BROADCAST data

  1. #1
    Just burned his ISO

    I'm using BT4 with a Realtek 8187 chipset USB wireless dongle.

    Using Kismet in channel (H)opping mode, it sees plenty of APs on several channels.

    I then find MY home router on the list and (L)ock Kismet onto that channel. Then I fire up Wireshark.

    I see enough packets to convince me that Monitor mode is working successfully. Lots of BROADCAST packets with the SSID, some ARP traffic (Who Has x.x.x.x? Tell x.x.x.x), etc.

    The problem is - I'm not seeing ANY HTTP traffic! I know it exists on the network. To be sure, I even turned on the Wifi mode of my Touch Pro "smart" phone, verified that I was indeed connected to MY router (and therefore on the correct channel), and surfed a bunch of websites. Not a single HTTP packet, DNS packet, anything showed up in Wireshark. Just lots of "Broadcast" packets.

    BTW The phone was right next to the monitoring computer (less than 2 feet), and the router was over 20 feet away, so range / signal strength shouldn't have been an issue.

    I closed Kismet and Wireshark kept capturing (wlan0) on the same channel. In console I typed in "iwconfig wlan0" and it showed that the interface was on the channel. I typed "iwconfig -i wlan0 channel 6 mode monitor" (or whatever exact command would accomplish that - I'm new and always look directly at the help for the verbiage but don't always remember it exactly) and got no error messages.

    I must be missing a setting on the network card? The reason I'm thinking this is that this reminds me of Packet Radio from my Ham Radio days. (Packet radio = wireless modems back before the internet).

    My packet radio wireless modem could be set to "monitor" mode with decreasing levels of verbosity. For example, on a scale of 1 to 6, it might be:

    1. All traffic
    3. Traffic broadcast by a BBS
    6. Only traffic which is intended for you

    each level showing less and less data. Make sense? It's as if my card is "set" to only receive certain types of data?

    By the way - NO capture filters in Wireshark. No display filters either. I can post a quick packet dump file if necessary, the output to any commands, etc. I'm willing to do my part to find the answer.

  2. #2
    Snayler (My life is this forum)

    Try using an ARP spoofer/poisoner (Google it).

  3. #3
    Just burned his ISO

    I must have had 2 instances of Kismet running or something. I didn't see it in ps, and didn't scour through all of ps -augx.

    But anyhow. Working fine as intended now after a reboot.

    Writing this from within BT4 now, which means my next post will be in the "Working Hardware section!"

  4. #4
    Snayler (My life is this forum)

    There's no need for monitor mode.
    Just put the interface into managed mode:

    Code:
    iwconfig wlan0 mode managed

    Then connect to your network.
    Now you have 2 options:
    > arpspoof
    > ettercap

    arpspoof may be easier to use, since it's only meant for ARP poisoning (ettercap has other functions, Google it if you want).

    Code:
    root@bt:~# arpspoof
    Version: 2.4
    Usage: arpspoof [-i interface] [-t target] host

    Example:

    Code:
    root@bt:~# arpspoof -i wlan0 -t 192.168.1.23  192.168.1.1

    In the target you type the IP of the victim (the PC you want to sniff data from), and in the host you write the IP of your gateway. That will tell the victim that you are the gateway, so all the data will be redirected to you.

    Now open a new shell, arpspoof again, but now change the IPs like this:

    target -> gateway
    host -> victim

    so that the gateway thinks we are the "victim".

    Don't worry about the victim's connectivity, arpspoof will redirect all the data it receives to the right IP address.

    Now you can open Wireshark and see all that data flowing like water.

    Hope it helps.
    And sorry for my English...
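
Added example, not part of the original thread: the poisoning described in post #4 leaves a visible trace in the neighbour cache of the host being sniffed, and this sketch checks `ip neigh show` output for it. The sample table, the MAC addresses, the known-good gateway MAC and 192.168.1.50 as the sniffing host's own address are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: `ip neigh show` output on the 192.168.1.23 host from the
# post while its gateway entry is poisoned. All MACs are made up.
SAMPLE_POISONED = """\
192.168.1.1 dev wlan0 lladdr 00:0c:29:aa:bb:cc REACHABLE
192.168.1.50 dev wlan0 lladdr 00:0c:29:aa:bb:cc STALE
192.168.1.77 dev wlan0 lladdr 00:1e:58:12:34:56 REACHABLE
192.168.1.99 dev wlan0  FAILED
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-f:]{17})\b",
    re.IGNORECASE,
)

def parse_neigh(text):
    """Return {ip: mac} for entries that have a resolved link-layer address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:  # FAILED/INCOMPLETE entries carry no lladdr and are skipped
            table[m.group("ip")] = m.group("mac").lower()
    return table

def find_arp_anomalies(text, gateway_ip, known_gateway_mac=None):
    """Flag the two cache symptoms of the poisoning described in the post."""
    table = parse_neigh(text)
    findings = []
    # 1. Gateway IP resolves to a MAC other than the one recorded as good.
    gw_mac = table.get(gateway_ip)
    if known_gateway_mac and gw_mac and gw_mac != known_gateway_mac.lower():
        findings.append(("gateway_mac_changed", gateway_ip, gw_mac))
    # 2. One MAC answers for several IPs: the spoofing host usually still
    #    holds its own address as well as the one it impersonates.
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("shared_mac", tuple(sorted(ips)), mac))
    return findings

if __name__ == "__main__":
    for finding in find_arp_anomalies(SAMPLE_POISONED, "192.168.1.1",
                                      known_gateway_mac="00:1d:7e:01:02:03"):
        print(finding)
```

A shared MAC can also be legitimate (a router holding several addresses, proxy ARP), so treat that finding as a prompt to compare against the gateway's recorded MAC, not as proof on its own.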

  5. #5
    Just burned his ISO

    No problem. Your English is very good! :-)

    I will try all of that next time I'm logged in.

    THANK YOU!

  6. #6
    Just burned his ISO

    What you described is basic APR, which I appreciate. And I'm curious to see if arpspoof works better than other programs I've tried in the past.

    However, Monitor mode is important to me. Maybe it's my radio background using scanners. But it also doesn't involve you associating with the router. You know, "The quieter you become, the more you are able to hear." I'm sure you've heard that before. :-)

  7. #7
    Snayler (My life is this forum)

    lol!

    Yeah, you're right. About monitor mode, I've seen a tutorial on how to do it. I know that to do this you have to use airodump-ng to capture packets and airdecap-ng to decrypt data, using the WEP/WPA key, I think...

    OK, I found the link: hxxp://forums.remote-exploit.org/newbie-area/7393-packet-sniffing-my-network.html

    Hope it helps
