
wireless packet sniffing

Pantlegz

Diamond Member
Is there a way to be connected to a network but not actually use it? I need to make sure my wireless users aren't using any sort of torrent or P2P program.

I have spare wireless cards but I prefer my wired connection, so is it possible to set up the wireless connection and just use it to sniff packets but not for LAN transfers or internet? I'm working on getting pfSense up and running, so it would be a temporary setup, a week or so max.
 
No trouble at all. You select what interface you want to use for capture. It will be somewhat useless though if the wireless uses encryption.
 
Right, but how do I make sure none of my traffic goes out that interface? Oh, and any suggestions on how to kill P2P without watching the packet sniffer and just blocking individual ports? I don't want to lock it down too much, but torrents kill the little router and everyone's connection 🙁. It's also a Netgear router without the option for Tomato or DD-WRT, so no ACLs.
 
Just don't put any protocols on it. Windows will use the wired before the wireless anyway; you can check with the "route print" command. Lower metric means it's used first before others for the same destination.

You'll need some sort of application layer firewall to block P2P. Some routers have this ability if they can look at layer7.
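The route-selection rule mentioned above (same destination, lower metric wins) is worth seeing as an algorithm. The following is an added example, not code from anyone in this thread: it models a Windows-style routing table as constructed rows and performs the same choice the OS makes, longest prefix match first and then the lowest metric as the tiebreaker. The interface names, metrics and addresses are made up for the demonstration.

```python
import ipaddress

# Constructed routing table in the shape of Windows "route print" output:
# (destination, netmask, gateway, interface, metric). All values are made up.
ROUTES = [
    ("0.0.0.0",     "0.0.0.0",       "192.168.1.1", "Wired Ethernet", 10),
    ("0.0.0.0",     "0.0.0.0",       "192.168.1.1", "Wireless LAN",   25),
    ("192.168.1.0", "255.255.255.0", "On-link",     "Wired Ethernet", 266),
    ("192.168.1.0", "255.255.255.0", "On-link",     "Wireless LAN",   281),
    ("127.0.0.0",   "255.0.0.0",     "On-link",     "Loopback",       331),
]


def _prefix_length(netmask):
    """Count the one bits in a dotted-quad netmask (255.255.255.0 -> 24)."""
    return bin(int(ipaddress.IPv4Address(netmask))).count("1")


def select_route(destination, routes=ROUTES):
    """Return the routing-table row the host would use for `destination`.

    Selection order matches what the OS does: the most specific route
    (longest prefix) wins; among equally specific routes the lowest
    metric wins. Returns None if no route covers the destination.
    """
    dest = ipaddress.IPv4Address(destination)
    best_key, best_row = None, None
    for row in routes:
        net, mask, _gw, _iface, metric = row
        network = ipaddress.ip_network(f"{net}/{_prefix_length(mask)}", strict=False)
        if dest not in network:
            continue
        # Higher key is better: longer prefix, then lower metric (negated).
        key = (network.prefixlen, -metric)
        if best_key is None or key > best_key:
            best_key, best_row = key, row
    return best_row


def interface_for(destination, routes=ROUTES):
    """Name of the interface that carries traffic to `destination`."""
    row = select_route(destination, routes)
    return row[3] if row else None


if __name__ == "__main__":
    for target in ("8.8.8.8", "192.168.1.50", "127.0.0.1"):
        print(f"{target:>14} -> {interface_for(target)}")
    # With the wired adapter gone, the same destinations fall back to wireless.
    without_wired = [r for r in ROUTES if r[3] != "Wired Ethernet"]
    print(f"{'8.8.8.8 (no wire)':>18} -> {interface_for('8.8.8.8', without_wired)}")
```

Running it shows every off-LAN and on-LAN destination landing on the wired adapter while both are up, which is the check "route print" lets you do by eye; the wireless adapter is only chosen once the lower-metric wired routes disappear. A capture tool binding to the wireless adapter is unaffected by any of this, because capture does not consult the routing table.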
 
So basically, I've got to have a proxy? It's a cheap router (>100); it won't even let me blacklist all MACs :/
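The "look at layer 7" idea from the previous reply is what a home router in this thread cannot do, so here is an added example of what that inspection amounts to when done by hand on captured packets. This is not code from the thread or from any router vendor; it classifies TCP/UDP payloads by two well-documented BitTorrent signatures (the peer-wire handshake, a length byte of 19 followed by the string "BitTorrent protocol", and the bencoded prefix of a DHT query or response) and reports which local clients produced them. The packet list is constructed inline; on an encrypted WLAN the frames would first have to be decrypted by the sniffer.

```python
# Added example: layer-7 classification of packet payloads to spot BitTorrent
# clients on a network whose router has no application-layer filtering.

BT_HANDSHAKE = b"\x13BitTorrent protocol"   # pstrlen=19 + protocol string
DHT_PREFIXES = (b"d1:ad2:id20:",             # bencoded KRPC query
                b"d1:rd2:id20:")             # bencoded KRPC response


def classify_payload(payload):
    """Label a transport-layer payload by its first bytes."""
    if payload.startswith(BT_HANDSHAKE):
        return "bittorrent-handshake"
    if payload.startswith(DHT_PREFIXES):
        return "bittorrent-dht"
    return "other"


def find_p2p_clients(packets, local_net="192.168.1."):
    """Return {client_ip: set(labels)} for local hosts emitting P2P traffic.

    `packets` is an iterable of (src_ip, dst_ip, payload) tuples; only
    payloads sent *from* a local address are attributed to that client.
    """
    offenders = {}
    for src, _dst, payload in packets:
        label = classify_payload(payload)
        if label == "other" or not src.startswith(local_net):
            continue
        offenders.setdefault(src, set()).add(label)
    return offenders


# Constructed sample traffic (addresses, hashes and peer ids are made up).
_fake_info_hash = b"\xaa" * 20
_fake_peer_id = b"-XX0000-" + b"\x01" * 12
SAMPLE_PACKETS = [
    ("192.168.1.42", "203.0.113.9",
     BT_HANDSHAKE + b"\x00" * 8 + _fake_info_hash + _fake_peer_id),
    ("192.168.1.42", "198.51.100.7",
     b"d1:ad2:id20:" + b"\xbb" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"),
    ("192.168.1.17", "192.168.1.1",
     b"GET / HTTP/1.1\r\nHost: router\r\n\r\n"),
    ("203.0.113.9", "192.168.1.42",        # inbound, not attributed locally
     BT_HANDSHAKE + b"\x00" * 8 + _fake_info_hash + _fake_peer_id),
]


if __name__ == "__main__":
    for ip, labels in sorted(find_p2p_clients(SAMPLE_PACKETS).items()):
        print(ip, sorted(labels))
```

The two signatures are deliberately narrow: they catch the unobfuscated handshake and DHT chatter, which is enough to identify a torrenting client for a conversation with its owner, but a client using protocol encryption will show up only as unclassified traffic, which is the same reason port-based blocking on the router is a losing game.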
 
So, Wireshark is working OK, but I'm only able to see conversations on Ethernet, not wireless. Is there a way to simplify it so I'm only looking at packets for wireless, but entire conversations? It would make my life a million times easier.

Edit: actually it looks like Wireshark is only picking up broadcasts, not all traffic, anymore. What gives? It worked earlier...
 
If your wireless AP is separate from the switch that serves the rest of your network you can place a hub in between the two and sniff the packets off of the hub.

Edit: as for your Wireshark problems, make sure you select your wireless network interface in the Options dialog. It's going to pick one as a default, and it's not guaranteed to be your wireless card.
 
The issue with that is, since the wireless isn't a route because the metric is higher, it's not showing up in the list of interfaces (I think; it's not on the list anyway). But I am able to pull some of the wireless data (only broadcasts from the devices), and was able to pull it all earlier 🙁. And I got nothing from the wireless before I had the wireless card installed and on the network.
 
Check out CommView, from Tamosoft.

It's relatively cheap (hundreds versus thousands), as wireless sniffers go, and it's very good, especially for the money.

I've used it for years and I like it a lot. It can decode encrypted traffic (you still have to provide a key) and is pretty easy to configure and use.


 
Originally posted by: ScottMac
Check out CommView, from Tamosoft.

It's relatively cheap (hundreds versus thousands), as wireless sniffers go, and it's very good, especially for the money.

I've used it for years and I like it a lot. It can decode encrypted traffic (you still have to provide a key) and is pretty easy to configure and use.

eh?

How in the world could it decode WPA/AES?
 
You enter the code/key/PSK and it will decode the traffic associated with that SSID. Nothing hackish about it; the first few generations of wireless sniffers would capture the packets and sort 'em out by type, but they couldn't decode the contents. All of the commercial ones now can; I don't remember if Wireshark w/ AirPcap can or not.

The other issue with WPA & AES is that if you don't catch the client as they associate, then you can't decode their traffic (because you don't have the initial key, so you don't see the key changes)... but once the key is given to the sniffer (CommView in this case), then any clients that come up can be decoded.
 
Originally posted by: Pantlegz1
The issue with that is, since the wireless isn't a route because the metric is higher, it's not showing up in the list of interfaces (I think; it's not on the list anyway). But I am able to pull some of the wireless data (only broadcasts from the devices), and was able to pull it all earlier 🙁. And I got nothing from the wireless before I had the wireless card installed and on the network.

The route will have nothing to do with Wireshark's ability to use the interface. I've used Wireshark (and other sniffers) on unconfigured interfaces plenty of times (of course, this is usually on an easier platform).

Check out Wireshark's documentation on 802.11 sniffing. Here is the Windows section.
 
Originally posted by: ScottMac
You enter the code/key/PSK and it will decode the traffic associated with that SSID. Nothing hackish about it; the first few generations of wireless sniffers would capture the packets and sort 'em out by type, but they couldn't decode the contents. All of the commercial ones now can; I don't remember if Wireshark w/ AirPcap can or not.

The other issue with WPA & AES is that if you don't catch the client as they associate, then you can't decode their traffic (because you don't have the initial key, so you don't see the key changes)... but once the key is given to the sniffer (CommView in this case), then any clients that come up can be decoded.

Thanks for that info. You answered questions I haven't asked and haven't had time to investigate. Lovely accident. 🙂
 