
Thread: Wireshark --- Promiscuous Mode --- WPA

  1. #1
    Very good friend of the forum Virchanza's Avatar
    Join Date
    Jan 2010
    Posts
    863

    Default Wireshark --- Promiscuous Mode --- WPA

    I'm currently working on the development of an embedded systems device that communicates with the LAN over wifi (it has a simple wifi module on the board that can connect to a WEP or WPA network).

    I've been using Wireshark on my workstation PC to monitor the traffic going back and forth between hosts on the LAN (in promiscuous mode of course) so I can see all Ethernet frames.

    Now I've reached a development stage of moving on to testing on a WPA network. I've opened up Wireshark and set it to promiscuous mode... but I can't see other people's frames! I can only see broadcast frames and unicast frames directed to my own MAC address, that's all.

    I've been searching the internet on how to get Wireshark to sniff WPA traffic in promiscuous mode, and I even went into Preference->IEEE 802.11 and entered my SSID and WPA key, but still nothing.

    I've tried changing the access point's encryption from WPA2-PSK to WPA1 with TKIP but still nothing, I can't see other people's frames.

    Does anyone know a solution to this? If I need to pay money for a product then I will. I'd prefer a piece of software rather than hardware, but if I need hardware to do it then that's OK. I'd prefer if I could still use Wireshark instead of having to use another program.

    Anyone?
    Ask questions on the open forums, that way everybody benefits from the solution, and everybody can be corrected when they make mistakes. Don't send me private messages asking questions that should be asked on the open forums, I won't respond. I decline all "Friend Requests".

  2. #2
    Very good friend of the forum Virchanza's Avatar
    Join Date
    Jan 2010
    Posts
    863

    Default Re: Wireshark --- Promiscuous Mode --- WPA

    Even if what I'm trying to achieve isn't possible, could someone please let me know?

  3. #3
    Just burned his ISO
    Join Date
    Jun 2009
    Posts
    4

    Default Re: Wireshark --- Promiscuous Mode --- WPA


  4. #4
    Very good friend of the forum Virchanza's Avatar
    Join Date
    Jan 2010
    Posts
    863

    Default Re: Wireshark --- Promiscuous Mode --- WPA

    Really.... ? Anyone..... ?

  5. #5
    Member
    Join Date
    Jan 2010
    Posts
    54

    Default Re: Wireshark --- Promiscuous Mode --- WPA

    I found this and it may be of help to you.

    "In addition, if your network has any form of encryption (WEP, WPA/WPA2), while the adapter might be able to, in promiscuous mode, *capture* all traffic on your local network, it probably won't be able to *decrypt* it (that being the whole point of encrypting wireless traffic), and might well just drop those packets on the floor for that reason."

    It seems maybe because it's encrypted and cannot be decrypted, then it may be getting dropped. I am not 100% sure but I wanted to try to lend a hand because it does not look like anyone else is.

    You may be able to understand it better if you read the source, website source:- http://www.wireshark.org/lists/wires.../msg00023.html

  6. #6
    Very good friend of the forum Virchanza's Avatar
    Join Date
    Jan 2010
    Posts
    863

    Default Airodump -> Airdecap -> Virtual Network Interface -> Wireshark

    I can't for the life of me get Wireshark to sniff in promiscuous mode on a WPA network (even after going into preferences and inputting my WPA passphrase), but I've found a slight work-around.

    1) I run airodump-ng on the wireless interface and get it to output to a file
    2) I take the output of airodump-ng and supply it as input to airdecap-ng (along with the SSID and passphrase)
    3) I open up Wireshark and open the static file produced by airdecap-ng

    When I do this, I can indeed see all frames on the WPA wifi network. Only problem is that it's not realtime, I'm looking at an old capture.

    Has anyone been working on a way to get this working in realtime so that frames show up right away in Wireshark?

    Seems to me that if I was to go about writing a program to do it, here's what I'd do:

    1) Create some sort of virtual network interface
    2) Take the output of airodump-ng and pipe it into airdecap-ng
    3) Take the output of airdecap-ng and flush it out the virtual network interface I've already created
    4) Open up Wireshark and listen on the virtual network interface

    Such a program would definitely be possible to put together. Has anyone been working on it? ......or should I get coding on it myself? The source code of aircrack-ng and airdecap-ng is available to me so I'd only have to do some tweaking to pipe the output of one into the other, and then write some code to create a virtual network interface and flush the output out through it.

    Any comments?
    Ask questions on the open forums, that way everybody benefits from the solution, and everybody can be corrected when they make mistakes. Don't send me private messages asking questions that should be asked on the open forums, I won't respond. I decline all "Friend Requests".

  7. #7
    Very good friend of the forum Virchanza's Avatar
    Join Date
    Jan 2010
    Posts
    863

    Default Re: Airodump -> Airdecap -> Virtual Network Interface -> Wireshark

    Actually there's no need to create any sort of virtual interface, I'll just output the frames on the "lo" loopback interface.

    Right I'm gonna download the source code for airdecap-ng and alter it to read from standard input, then I'm gonna pipe the output from airodump-ng into my altered airdecap-ng, and then I'll add code to airdecap-ng that makes it send frames out on "lo" instead of writing to a file. Then just open Wireshark and listen on "lo".

    I'll let you know how I get on.... this might not take me long at all... maybe just a few hours because I already have my Dynamo code for sending out raw Ethernet frames.

  8. #8
    Very good friend of the forum Virchanza's Avatar
    Join Date
    Jan 2010
    Posts
    863

    Default Re: Airodump -> Airdecap -> Virtual Network Interface -> Wireshark

    Okey dokey, I've successfully altered the Airdecap code to make it spit frames out on the "lo" interface instead of writing them to a file, and so they're coming up in Wireshark when I listen on "lo". So that's the bulk of the work done.

    Now I just need to combine the code for Airodump with the code for Airdecap into one executable file so that frames are processed on-the-fly without being written to disk -- they'll just be spat out on the "lo" interface. I'll probably have that code finished tomorrow.

    I'm surprised I have to go to this extent..... I mean I thought Wireshark had a facility for sniffing WPA traffic? I can't get that facility to work.

  9. #9
    Member
    Join Date
    Jan 2010
    Posts
    54

    Default Re: Wireshark --- Promiscuous Mode --- WPA

    Sounds like you're putting in a lot of effort here, I can't wait to see the finished product.

  10. #10
    Very good friend of the forum Virchanza's Avatar
    Join Date
    Jan 2010
    Posts
    863

    Default Re: Wireshark --- Promiscuous Mode --- WPA

    Originally posted by deviney:
    "Sounds like you're putting in a lot of effort here, I can't wait to see the finished product."

    You'd be surprised Deviney, it's not that much work at all altering these programs. I opened up the source code file for Airdecap and I just did a search for "fwrite" because I knew that's the C function that would be used to write to the output file. I replaced all calls to "fwrite" with calls to "SendRawEtherFrame" (which is a function in a raw socket networking library that I wrote about 5 years ago for a program called "Internet Prober" which later developed into a program called "Dynamo"). So then to check if it worked, I opened up Wireshark and listened on interface "lo", and lo and behold I could see the decrypted frames.

    Next I'm gonna open the source code file for Airodump, and I'll do a "find and replace" on "fwrite"; I'll then replace these calls to "fwrite" with direct calls to the algorithm in the Airdecap code that processes encrypted frames, and from there the decrypted frames will be spat out on "lo" so that you can pick them up in Wireshark in realtime.

    Then I'll just compile Airodump and Airdecap together into one executable, and probably run it as follows:

    WpaSnifferHelper --channel 4 --bssid 00:01:02:03:04:05 --essid MyAP --key MyPassword wlan0

    so then you just open Wireshark and listen on "lo" and probably put in a filter such as "!(ip) or !(ip.addr == 127.0.0.1)" to get rid of the other crap that goes on that interface.

    It's 9:33am here in Ireland but I'm gonna go back asleep for a few hours, but I'll have this done by today, I already know exactly what needs to be done. It's less than 3 hours of coding definitely.
    Last edited by Virchanza; 06-17-2012 at 03:32 AM.
