WinPcap and Tablet Generated Packets

crashtech

Lifer
Jan 4, 2013
10,695
2,294
146
I have an old hub interposed between our DSL modem and our wireless router to which I have connected a PC running WinPcap to capture chat traffic. It works fabulously on all the PCs and laptops, wireless or wired, but captures nothing from any tablet. Is that a limitation of WinPcap, or should I be looking at changing the hardware configuration, or perhaps a router setting?
 

seepy83

Platinum Member
Nov 12, 2003
2,132
3
71
If you're using a real Hub, and the PC can capture in promiscuous mode, then you should be getting all traffic on the wire between the router and the DSL modem.
 

crashtech

That's what I thought, too, but the tablet stuff is not showing up. I didn't think there should be any difference in a packet generated by a PC or a tablet at that point, I'm not capturing wireless traffic, but the data right before it enters the DSL modem. But if there are some subtle differences, it could give me a starting point as to what to look for.
 

SecurityTheatre

Senior member
Aug 14, 2011
672
0
0
There is no difference. Are you sure that you're not using 3G in your tablet, or something like that?

Can you capture a wireless laptop's data alright?

You could do further troubleshooting by seeing if you can see the MAC address of the tablet on your ARP table in the wired PC and whether you can ping to/from the tablet to your LAN.
 

crashtech

Part of my problem is I am not familiar enough with Android to even go into one and verify MAC or IP addys. There are many wireless devices on the network, and differentiating between non-PC or laptop devices has been a challenge. Wirelessly connected laptops have been no problem.

I know there is no data plan on the particular device I need to bring into the fold.

Probably time for me to finally get a cheap Android tablet, dig in and see what makes it tick. I'm old school and waay behind on a lot of things.
 

crashtech

So none of the target IPs are in the ARP table, but that makes sense to me because the router is doing NAT. I didn't get around to trying to ping things.
 

SecurityTheatre

Edit: Whoops, forgot about your topology.

Your NAT will probably prevent you from pinging as well.

Can you see the tablet in the router's interface for NAT or IP reservations or whatever?
 

crashtech

Hmm...

Right now the sniffer PC has an IP given to it by the provider. That may be the problem.

Well, remotely changing the IP and subnet mask to work with the router resulted in the connection being lost... how dumb am I.
 

crashtech

So I got over to the machine and looked at it real quick, but couldn't stay. It seems like it might work with a manually assigned IP from the router's subnet, but it won't pick up DNS automatically this way. I'm going to try manually configuring it again later, with proper DNS entries as well.
 

SecurityTheatre

This won't work, because you need devices on the same subnet to be on the same side of Layer 3 devices (such as NAT).

You can do sniffing without an IP at all, assuming you're properly using promiscuous mode.

If the hub is working (and is truly a HUB, not a switch) and connectivity to the Internet from the tablet is also working, you SHOULD see the traffic, without exception. The tablet is no different than the laptops if they are on the same network and same subnet.

One of those two things is not working, otherwise.

Of course, on the OUTSIDE of the NAT, you will not see the original address. You will just see the NAT address, and you will have a hard time telling when traffic is coming from one device or another.

I think you should reconsider your topology of this sniffer device, I doubt it's going to do what you want from there...
 

crashtech

The topology is what was recommended by the software mfr. When I put the sniffer PC right on the router, nothing gets detected at all!

I am at a loss to explain why the tablet traffic is not detected, but wireless laptop and everything else is.
 

seepy83

If you're only using a SOHO wireless router (Router, Wireless AP, and switch in one device), you're going to have a hard time sniffing traffic from all devices. Ideally, you want to sniff before traffic gets NAT'd so that it's easy to identify where specific traffic originated. But you can't insert your Hub/Sniffer into the all-in-one SOHO router.

If you were using separate devices for your LAN connections, you would be able to insert your Hub into your network topology in a better location for the purpose of sniffing traffic. For example:

DSL Modem ------ Router ----- HUB ----- Switch ----- Wireless AP

With that topology, all of the traffic that is leaving your LAN and going out to the internet would pass through the HUB where your PC can sniff it before it gets to the Router.
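
The difference between the two capture points discussed in this thread, as an added example that is not part of any poster's reply: it builds two small pcap files in memory and tallies IPv4 frames per source MAC and source IP, first inside the NAT and then outside it. All MAC and IP addresses are constructed, and it assumes plain IPv4 over Ethernet on the router-to-modem link (no PPPoE).

```python
import struct
from collections import Counter

def frame(src_mac, src_ip, dst_mac, dst_ip):
    """Constructed Ethernet II + IPv4 header only (TCP, no payload, checksum 0)."""
    eth = bytes.fromhex((dst_mac + src_mac).replace(":", "")) + b"\x08\x00"
    addr = lambda a: bytes(int(p) for p in a.split("."))
    return eth + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                             addr(src_ip), addr(dst_ip))

def pcap(frames):
    """Wrap frames in a classic little-endian pcap file, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, f in enumerate(frames):
        out += struct.pack("<IIII", n, 0, len(f), len(f)) + f
    return out

def sources(data):
    """Count IPv4 frames per (source MAC, source IP) seen in a pcap byte string."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian Ethernet pcap")
    seen, off = Counter(), 24
    while off + 16 <= len(data):
        incl = struct.unpack_from("<IIII", data, off)[2]
        pkt = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue  # truncated frame or not IPv4 (ARP, PPPoE, IPv6, ...)
        src_mac = ":".join(f"{b:02x}" for b in pkt[6:12])
        src_ip = ".".join(str(b) for b in pkt[26:30])
        seen[(src_mac, src_ip)] += 1
    return seen

# Constructed addresses: two LAN clients, the router's LAN and WAN sides, a server.
LAPTOP, TABLET = ("02:00:00:00:00:10", "192.168.1.10"), ("02:00:00:00:00:23", "192.168.1.23")
ROUTER_LAN, ROUTER_WAN = "02:00:00:00:00:01", ("02:00:00:00:00:fe", "203.0.113.5")
MODEM, SERVER = "02:00:00:00:00:ff", "198.51.100.7"

# Same three outbound packets, captured inside the NAT and outside it.
LAN_CAPTURE = pcap([frame(*c, ROUTER_LAN, SERVER) for c in (LAPTOP, TABLET, LAPTOP)])
WAN_CAPTURE = pcap([frame(*ROUTER_WAN, MODEM, SERVER) for _ in range(3)])

if __name__ == "__main__":
    for name, cap in (("LAN side", LAN_CAPTURE), ("WAN side", WAN_CAPTURE)):
        print(name, dict(sources(cap)))
```

On the LAN side the laptop and tablet appear as separate sources; on the WAN side all three frames collapse into the router's single MAC and public address, so a per-device filter has nothing to match.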
 

seepy83

Very interesting! I might look into that, if it's the only way to get it to work.

Don't get me wrong...any traffic from your tablet that's going out to the internet through your router should still be showing up in your packet captures with the way you have it set up now (with the Hub and Sniffing PC between the router and the modem). It's just that it's not necessarily easy to distinguish traffic from one device on the LAN from another device on the LAN because it's all NAT'd by your Router. I suspect that traffic from your tablets is in the packet captures and you're just not identifying it.
 

crashtech

My guess is it's a problem with the app filter looking for some identifier that is present in the data sent by the PC version of Yahoo IM, but is just not there in the tablet version.
 

SecurityTheatre

I assumed you were using Wireshark.

There are no filters enabled by default in Wireshark. If you have capture software that is so opaque that you can't tell what filters are turned on, you should switch. :)
 

crashtech

I might just have to learn. Time doesn't permit me much.

Also, I looked again at the recommended map, and I have it wrong. I may need to get a dedicated wireless access point and router, not that it will help this problem exactly, but it will make things easier. Also then my sniffer will be behind the router, which is probably best.
 

crashtech

Haven't found info on the kind of filter I would need. The IM software is not restricted to a single port... Would have to know some other defining characteristic. I can see this is going to take some work.
 

crashtech

Should I start a new thread to help me decide what wireless access point and wired router to buy? I'd love to be able to find used, or cheap. The access point should be 802.11b/g/n, but I don't suppose the router needs to be better than 10/100. I have unmanaged gigabit switches for the rest of the wired part.
 

seepy83

You can probably continue to use your existing wireless router as your router. Just connect your Hub to one of the LAN ports on the router, and connect your switch to the Hub, and a new WAP or Wireless Router (with DHCP turned off, so that it functions like a WAP and Switch) to the switch.
 

crashtech

Why didn't I think of that? I should also shut off wireless on my existing wireless router, of course.

I'm looking at the TP-LINK TL-WA701ND, which seems like it should do the job?

Thanks for the help. I guess all I need now is to find out how to filter my packets. I have a feeling that will be the tough part.
 

crashtech

Okay, I've got the topology figured out now. Got the above linked WAP, and have it on the switch with the other wired PCs. Switch to hub, hub to DSL modem. The sniffer PC on the hub now sees all the IPs on the subnet, including the tablet. I am filtering Wireshark traffic by the MAC address of the tablet, because the other piece of software is handling all the other things. It's capturing a lot of packets from that little device, but it looks like the IMs on the mobile version of Yahoo IM are encrypted? So basically, I'm hosed... I think.

If anyone has any further ideas, I'd love to hear them. Thanks to all who straightened me out on the topology issue. I have a better handle on it now. One of these days I will get beyond moron noob status in networkology...