Ok, so I want to do some tests on my network. I have a wireless network, with a WPA2 password. I have the password, it's my own router. I have 3 laptops in here, and I want to capture all the traffic from the router with Wireshark.
I've first set my wireless network in monitor mode (I am using Manjaro linux, and I've set it into monitor mode with airmon-ng), and I've tried to see the traffic. I've started wireshark with mon0, and there were only encrypted wireless 802.11 packets. If I set it for my real wireless card, I get traffic but only from my IP address.
How can I monitor all the traffic on the network (decrypted, and from all IPs) if I have the password, and I can even get a 4 Way handshake if it's needed.
I've tried from wireshark with:
Edit -> Preferences -> Protocols -> IEEE 802.11 -> New -> wpa-psk and in the Key box: "AP:password" but I get an Invalid key format error.
Any ideas?
So the idea is to get all the traffic on a secured WPA2 access point, if you know everything and you even have access to the router.
The problem seems to be that you are attempting to add a password when you have opted to enter a Pre-Shared Key (PSK). If you want to provide a password for decryption you need to enter it by selecting:
Edit -> Preferences -> Protocols -> IEEE 802.11 -> New -> wpa-pwd
Also you'll need to tick the 'Enable decryption' box, plus you may need to play with the 'Assume packets have FCS' setting and clicking on Apply till you hopefully see the decrypted packets.
If you want to capture packets from machines other than the one you're capturing on you may also need to play with the promiscuous mode setting - trying both on and off in monitor mode.
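The reason the key has to be entered as wpa-pwd rather than wpa-psk is that Wireshark still has to turn the passphrase into the keys that actually protect the frames. The following is an added example (my own code, not from the answer above or from Wireshark) of what happens behind that preference: the PMK is derived from passphrase and SSID with PBKDF2, the PTK is derived from the PMK plus both MAC addresses and both nonces of the 4-way handshake, and the KCK part of the PTK is used to check the MIC on handshake message 2, which is exactly why the handshake has to be in the capture before any station's traffic can be decrypted. The passphrase/SSID pair "password"/"IEEE" is the PBKDF2 test vector published in the 802.11 standard; the MAC addresses, nonces and the message-2 frame are constructed here and not from a real capture. Decrypting the CCMP payload with the TK is not shown.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This is what Wireshark computes from a wpa-pwd entry of 'passphrase:SSID'."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces)).
    For WPA2-CCMP only the first 48 bytes are used: KCK (16), KEK (16), TK (16)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


# EAPOL-Key layout: 4-byte EAPOL header, then descriptor type(1), key info(2), key length(2),
# replay counter(8), nonce(32), IV(16), RSC(8), ID(8), MIC(16), key data length(2), key data.
NONCE_OFF, MIC_OFF, MIC_END = 17, 81, 97


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2 (WPA2): MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16]."""
    zeroed = frame[:MIC_OFF] + b"\x00" * 16 + frame[MIC_END:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def verify_msg2(passphrase, ssid, ap_mac, sta_mac, anonce, frame) -> bool:
    """Recompute the PTK for a candidate passphrase and check message 2's MIC.
    Wireshark does the same before it will decrypt a station's traffic."""
    snonce = frame[NONCE_OFF:NONCE_OFF + 32]
    kck = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, frame), frame[MIC_OFF:MIC_END])


def build_msg2(snonce: bytes, key_data: bytes) -> bytes:
    """Constructed handshake message 2 with the MIC field zeroed
    (key info 0x010a: descriptor version 2, pairwise, MIC present)."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x10" + b"\x00" * 8 + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16
            + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


# Constructed inputs (not from a real capture); the passphrase/SSID pair is the
# standard's published PBKDF2 test vector.
PASSPHRASE, SSID = "password", "IEEE"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")


def demo():
    """Return (PMK hex, MIC check with the right passphrase, MIC check with a wrong one)."""
    pmk = derive_pmk(PASSPHRASE, SSID)
    kck = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    frame = build_msg2(SNONCE, RSN_IE)
    frame = frame[:MIC_OFF] + eapol_mic(kck, frame) + frame[MIC_END:]   # the "station" fills in its MIC
    good = verify_msg2(PASSPHRASE, SSID, AP_MAC, STA_MAC, ANONCE, frame)
    bad = verify_msg2("wrong-passphrase", SSID, AP_MAC, STA_MAC, ANONCE, frame)
    return pmk.hex(), good, bad


if __name__ == "__main__":
    print(demo())
```

The practical consequence for the question: a station that associated before the capture started, or whose handshake was lost (monitor mode on the wrong channel, dropped frames), stays encrypted no matter how the key is entered; deauthenticating that laptop so it re-associates, or starting the capture before it joins, is what makes the MIC check above possible.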
Try Promiscuous mode.
Refer to http://wiki.wireshark.org/CaptureSetup/WLAN for more details.
You may also want to look at Wildpacket's "Omnipeek" tool (it's a licensed product!)
In promiscuous mode, using tcpdump (Wireshark helps to view the packet in hex format), I can view different packets (not complete meaningful data) requested and obtained by different devices connected to the WiFi router.
But how can I reassemble all packets for a particular device IP in order to get the meaningful data that are requested and obtained by that device?
Are there any existing solutions available?
As David Hoelzer suggests, you will first need to ensure that TCP reassembly is enabled. Most likely it already is, but you can verify this via "Edit -> Preferences -> Protocols -> TCP -> Allow subdissector to reassemble TCP streams". In case there's IP fragmentation occurring, you should also verify that IP reassembly is enabled as well: "Edit -> Preferences -> Protocols -> IPv4|IPv6 -> Reassemble fragmented IPv4|IPv6 datagrams".
But this isn't the whole story, as this won't extract complete files (objects) for you. Wireshark does support the extraction of objects for some protocols though, specifically DICOM, HTTP, IMF, SMB and TFTP, via the "File -> Export Objects" feature. So, if your file is being transported over one of these protocols then you're in luck and stand a chance at extracting it using Wireshark; otherwise you'll have to find another tool besides Wireshark that's capable of extracting the object from the packets.
See https://www.wireshark.org/docs/wsug_html_chunked/ChIOExportSection.html#ChIOExportObjectsDialog for more details about exporting objects.
See https://wiki.wireshark.org/Tools for other possible tools that may be of interest to you in the event that Wireshark fails to meet your needs.
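What "reassemble TCP streams" and "Export Objects" do under the hood is ordinary sequence-number bookkeeping. The following is an added example (my own code, not from the answer above or from Wireshark) that rebuilds one direction of a TCP stream from data segments that arrive out of order, duplicated and overlapping, reports any hole it cannot fill, and then carves a Content-Length-delimited HTTP body out of the result. The response and the segments carrying it are constructed inline; sequence-number wrap-around is deliberately not handled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # absolute TCP sequence number of the first payload byte
    payload: bytes


def reassemble(segments, isn):
    """Rebuild one direction of a TCP stream from its data segments.

    Segments may be out of order, duplicated (retransmissions) or partly
    overlapping. A hole that no segment fills is reported in `gaps` instead of
    being silently skipped. `isn` is the sequence number of the first payload
    byte. Sequence-number wrap-around (mod 2**32) is not handled here."""
    stream = bytearray()
    gaps = []
    expected = isn
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if end <= expected:
            continue                                 # pure retransmission of data we already have
        if seg.seq > expected:
            gaps.append((expected, seg.seq))         # bytes [expected, seg.seq) were never seen
            expected = seg.seq
        stream += seg.payload[expected - seg.seq:]   # trim any overlap with data already stored
        expected = end
    return bytes(stream), gaps


def extract_http_body(stream: bytes):
    """Split an HTTP/1.x response into headers and a Content-Length sized body,
    the manual equivalent of File -> Export Objects -> HTTP for one response."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        return None, None
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get(b"content-length", len(rest)))
    if len(rest) < length:
        return headers, None                         # truncated: reassembly is incomplete
    return headers, rest[:length]


# Constructed response and a scrambled set of segments carrying it.
RESPONSE = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Length: 11\r\n"
            b"Content-Type: text/plain\r\n"
            b"\r\n"
            b"hello world")
ISN = 1000
SEGMENTS = [
    Segment(ISN + 45, RESPONSE[45:]),        # arrives first, out of order
    Segment(ISN + 20, RESPONSE[20:45]),
    Segment(ISN, RESPONSE[:20]),
    Segment(ISN + 20, RESPONSE[20:45]),      # retransmission
    Segment(ISN + 30, RESPONSE[30:50]),      # overlaps both of its neighbours
]


def demo():
    """Return (reassembled stream, gaps, extracted body) for the constructed segments."""
    stream, gaps = reassemble(SEGMENTS, ISN)
    _headers, body = extract_http_body(stream)
    return stream, gaps, body


if __name__ == "__main__":
    stream, gaps, body = demo()
    print(gaps, body)
```

When a gap is reported the stream is still emitted with the missing bytes omitted, which is also what Wireshark's "Follow TCP Stream" shows; for a file transfer that means the object is corrupt, and the fix is a capture without drops, not more reassembly.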
I have an RN-171 wifly module connected with a micro-controller.
I am using the UDP-protocol to communicate with the module. Also, I am using the firmware's UDP auto-pair feature to set the host ip. As soon as the module receives a UDP packet, it sets the host IP address to the ip from where it received the data. Now, this host ip cannot be changed without entering into the command mode.
I want the module to behave in the following way:
Every time it receives a UDP packet, it updates the host ip to the ip address from where that signal came from.
Also, I can use the TCP protocol but it only allows a single connection at a time. One more problem that I faced using the TCP protocol was that if I try to initiate a second TCP connection with the module, it not only refuses the second connection but also hangs the first stable connection. Even if the second connection initiation does not hang the module and it just gets refused, I will be ready to work with TCP.
I have been researching a lot on the web regarding this problem but since these modules are not widely used, they have a very limited support.
I've used RN-171 extensively and have many resolved tickets in their support system.
According to the WiFly Command Reference, Advanced Features and Applications User’s Guide, you cannot open more than one TCP port with the module. (the default number being 2000)
Unfortunately, regarding the UDP functionality, there's not much you can do. If you have a new host wishing to communicate over UDP, connect to the module over TCP, go into command mode and set the address using "$$$", "set ip host 0.0.0.0", "save", "exit" commands. Alternatively, instead of 0.0.0.0, you can enter the new host's own ip address: "$$$", "set ip host ###.###.###.###", "exit". Replace "###.###.###.###" with the ip address of the device.
This way, you won't get wrong host ip in case more than one device communicates over UDP at the same time. Also, by not using "save", the auto-pairing will still be saved to EEPROM memory. Also, you can send "ip flags 0x##" before "exit", this way you can also set bit[6] to 0 (UDP auto pairing disabled) temporarily by using the hex value that has this bit set to zero.
One of my problems that Microchip technical support tested around the summer of 2013 is that you cannot use RN-171 as an access point for other RN-171s since they have a firmware error preventing one from doing that and, as of firmware v4.41, released in January of 2014, there is no fix yet nor planned.
I myself do not recommend the latest firmware version v4.41, since it does not appear to work with most routers; however Soft AP mode on this works fine. On the other hand, v4.00.1 is much more compatible, however you should take care when cutting off the power since it has a potentially disastrous bricking problem if you cut the power when flash writing is in progress - the module may lock its memory forever.
I recommend registering and opening a Microchip ticket which usually will be answered within two business days and they're quite supportive. Their firmware update cycle is however quite long, and it usually takes a year or so for a new update.
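The command-mode sequence described above can be scripted rather than typed by hand. The following is an added example (my own code, not Microchip's and not from the answer above) that builds the retargeting script, clears only bit[6] of the flags value so the other flags keep their current settings, and drives the session through a transport while making sure "exit" is always sent so the module is not left sitting in command mode after a failure. It assumes the usual WiFly command-mode behaviour: "$$$" is sent without a line ending and answered with "CMD", other commands end in "\r" and are answered with "AOK", and the flags register is written with `set ip flags`; those reply strings and that command form are assumptions, not taken from the answer. The transport used here is a fake that records what was sent.

```python
import ipaddress

UDP_AUTO_PAIR_BIT = 1 << 6          # bit[6] of 'ip flags' per the answer above


def disable_auto_pair(flags: int) -> int:
    """Clear only bit 6 so the other ip flags keep their current values."""
    return (flags & ~UDP_AUTO_PAIR_BIT) & 0xFF


def retarget_commands(host_ip: str, current_flags=None, persist=False):
    """Command-mode script that points UDP output at host_ip.
    Without 'save' the change lives in RAM only, so auto-pairing stays in EEPROM."""
    ipaddress.IPv4Address(host_ip)          # reject a malformed address before touching the module
    cmds = ["$$$", f"set ip host {host_ip}"]
    if current_flags is not None:
        # 'set ip flags' is the assumed command form for writing the flags register
        cmds.append(f"set ip flags 0x{disable_auto_pair(current_flags):02x}")
    if persist:
        cmds.append("save")
    cmds.append("exit")
    return cmds


def run_session(transport, cmds):
    """Send each command and check the module's reply. After a failure the remaining
    commands are skipped, but 'exit' is still sent so the module leaves command mode."""
    expected = {"$$$": "CMD", "exit": "EXIT"}   # assumed reply strings; others answer "AOK"
    ok = True
    for cmd in cmds:
        if not ok and cmd != "exit":
            continue
        transport.write(cmd if cmd == "$$$" else cmd + "\r")   # "$$$" must not be followed by CR
        reply = transport.readline().strip()
        if reply != expected.get(cmd, "AOK"):
            ok = False
    return ok


class FakeModule:
    """Constructed stand-in for a serial or TCP link to the module."""

    def __init__(self, fail_on=None):
        self.sent, self.fail_on = [], fail_on

    def write(self, data):
        self.sent.append(data)

    def readline(self):
        last = self.sent[-1].rstrip("\r")
        if last == self.fail_on:
            return "ERR\r\n"
        return {"$$$": "CMD\r\n", "exit": "EXIT\r\n"}.get(last, "AOK\r\n")


if __name__ == "__main__":
    module = FakeModule()
    print(run_session(module, retarget_commands("192.168.1.77", current_flags=0x47)), module.sent)
```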
We have about 30 clients connected to a single cable-modem/router (Fritzbox 6360). Some clients also connect to a TP-Link W-LAN Router which is also connected to the cable modem.
Sometimes the internet is very slow and we can see a continuous upstream (6 MBit/s). Unfortunately we cannot see which clients cause that traffic. The Fritz Box provides a functionality to capture network traffic and then analyze it with Wireshark.
The following interfaces can be captured by the cable modem:
Internet connection
Interface 0 ('internet')
Routing interface
Network interfaces
tunl0
cni0
lbr0
wan0
eth0
lan
erouter0
esafe0
And there is an option to launch DTrace (the default parameters are):
-D -s -m -i256 -dect -dlc -c1 -c2 -c3 -c4 -c5 -nt3 -d2 -d3
We already captured different interfaces and tried to understand the data with Wireshark but without much success. What would be right way to see which Client is uploading Data at the moment?
In Wireshark, to get a list of IP addresses and what percentage of the trace each of the IP addresses is taking up, go to Statistics->IP Addresses.. and click "Create Stat" in the box that pops up while leaving the "Filter" option blank. You should be able to figure out which of your client IPs is hogging the most bandwidth with this.
For a visual comparison, click "Statistics->IO Graph", and in the second filter next to Graph 2, type "ip.src == x.x.x.x" (where x.x.x.x is the ip address of the uploader you suspect is taking up the most bandwidth) and click "Graph 2". This will give you a packets vs time graph. You can also filter out other ip addresses as well to display simultaneously in the same graph for comparison.
Edit: I would also suggest keeping an eye out for IPv6 addresses.
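For a capture that is too large for the GUI, or to get a per-client byte count by script, the same question can be answered directly from the pcap file. The following is an added example (my own code, not from the answer above or from Wireshark) that walks a classic pcap file, pulls the source address out of each IPv4 or IPv6 frame (including 802.1Q-tagged ones), and sums bytes on the wire per local source, which is the upstream direction the question is about. The capture is constructed inline with made-up addresses; a real Fritzbox capture of the 'internet' interface would be read from disk instead, and pcapng files would need a different reader.

```python
import ipaddress
import struct
from collections import Counter

ETH_IPV4, ETH_IPV6, ETH_VLAN = 0x0800, 0x86DD, 0x8100


def pcap_records(data: bytes):
    """Yield (captured bytes, original length on the wire) from classic pcap data."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl], orig
        off += incl


def source_ip(frame: bytes):
    """Source address of an Ethernet frame's IPv4/IPv6 payload, or None for anything else."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    if ethertype == ETH_VLAN:                      # 802.1Q tag: four extra bytes
        ethertype = struct.unpack("!H", frame[16:18])[0]
        off = 18
    if ethertype == ETH_IPV4:
        return ipaddress.ip_address(frame[off + 12:off + 16])
    if ethertype == ETH_IPV6:
        return ipaddress.ip_address(frame[off + 8:off + 24])
    return None


def upstream_talkers(pcap: bytes, local_nets):
    """Bytes on the wire per local source address: the hosts generating upstream traffic."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    totals = Counter()
    for frame, orig_len in pcap_records(pcap):
        src = source_ip(frame)
        if src is not None and any(src in n for n in nets):
            totals[str(src)] += orig_len
    return totals


# --- constructed capture (no real traffic) ---------------------------------
def ipv4_frame(src, dst, payload_len):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip + b"\x00" * payload_len


def ipv6_frame(src, dst, payload_len):
    ip = struct.pack("!IHBB16s16s", 0x60000000, payload_len, 17, 64,
                     ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV6) + ip + b"\x00" * payload_len


def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_pcap(
    [ipv4_frame("192.168.178.20", "93.184.216.34", 1400)] * 3    # bulk uploader
    + [ipv4_frame("192.168.178.21", "93.184.216.34", 100)]
    + [ipv6_frame("fe80::20", "2001:db8::1", 500)]
    + [ipv4_frame("93.184.216.34", "192.168.178.21", 1000)]      # downstream, not counted
)


def demo():
    """Per-source upstream byte totals for the constructed capture."""
    return upstream_talkers(SAMPLE_PCAP, ["192.168.178.0/24", "fe80::/64"])


if __name__ == "__main__":
    for ip, n in demo().most_common():
        print(f"{ip:20} {n} bytes")
```

Counting the original length rather than the captured length matters when the capture was taken with a snaplen, and filtering on local source networks is what turns "top talkers" into "top uploaders"; a second run with the destination address instead would give the download side.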
If I want to detect the number of connections active on my home WiFi network, how should I go about doing it? This can be useful for building applications which would serve to monitor unidentified/unrecognized people who are fraudulently misusing a person's WiFi network.
How to know whether your neighbors or others are using your wireless network is rather complicated.
If your neighbors are experienced Wi-Fi hackers, you might not be able to tell at all.
If they're just stealing your Internet connection, you may be able to tell from the logs on your router.
To find out who's on your wireless network, you'll need to start by taking inventory of all the devices that are meant to be connected. Find out their MAC IDs and their IP addresses (if they're static).
To find out the MAC ID/IP address on a PC, click the Start menu and choose Run. Type cmd and click OK. In the screen that opens, type ipconfig /all and hit Enter. The MAC address will be shown as the physical address. Once you know the MAC addresses of each of the PCs on your network, you will recognize any addresses that don’t belong under the screen that shows the MAC addresses of current connections.
Check IP addresses
Likewise you may be able to see how many IP addresses have been dished out by the DHCP server. If you check the IP addresses of each of your PCs, you can see if other IP addresses have been served.
To find out your IP address from the Start menu, click Run. Then type in cmd and click OK. In the screen that comes up, type ipconfig which will display the IP address for that computer. (Bear in mind, however, that if the PC is set to auto detect settings, then the PC's IP address will change the next time the computer is rebooted or switched on. Sometimes previously served numbers have not yet expired, so you may think someone is connected when they are not.)
Dealing with intruders
If you do find someone using your connection, they may well not be doing so maliciously or even knowingly. Sometimes people can’t tell which is their own connection and they may honestly believe that they are using their Wi-Fi router rather than yours. The best way to deal with this is to set up your own security and maybe you can help them find their own router!
The optimal solution is to set up a strong password using WPA or WPA2 of almost 20 to 30 digits and numbers. Once your network is functioning, you can switch off the SSID broadcast (which prevents it from advertising the name of your network) so it would effectively disappear as far as your neighbors are concerned, and the first you might hear of it is when someone complains that their Web connection has disappeared.
You could look for logs such as current LAN clients, connection or status log, or connected MAC addresses.
Be Happy :-)
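The inventory-then-compare procedure above is easy to automate once the known MAC addresses have been collected. The following is an added example (my own code, not from the answer above) that normalises MAC addresses written the way `ipconfig /all` prints them (dashes, upper case) and the way Linux tools print them (colons), parses a dnsmasq-style lease file, and splits the leases into known, unknown and stale, the last being the "previously served numbers that have not yet expired" case the answer warns about, which should not be treated as a live connection. The inventory and lease lines are constructed for the example; the lease format assumed is dnsmasq's "expiry mac ip hostname client-id" line, and other routers will need a different parser.

```python
import re
from dataclasses import dataclass

MAC_RE = re.compile(r"^" + r"([0-9a-f]{2})[:-]?" * 5 + r"([0-9a-f]{2})$")


def normalize_mac(mac: str) -> str:
    """Accept 'AA-BB-CC-DD-EE-FF' (ipconfig /all), 'aa:bb:...' (ip/arp) or bare hex."""
    m = MAC_RE.match(mac.strip().lower())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(m.groups())


@dataclass
class Lease:
    expires: int
    mac: str
    ip: str
    hostname: str


def parse_dnsmasq_leases(text: str):
    """dnsmasq lease file lines: '<expiry epoch> <mac> <ip> <hostname> <client-id>'."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        leases.append(Lease(int(parts[0]), normalize_mac(parts[1]), parts[2], parts[3]))
    return leases


def audit(leases, inventory, now):
    """Split leases into known, unknown and stale (expired, so possibly no longer connected)."""
    known_macs = {normalize_mac(m) for m in inventory}
    report = {"known": [], "unknown": [], "stale": []}
    for lease in leases:
        if lease.expires <= now:
            report["stale"].append(lease)
        elif lease.mac in known_macs:
            report["known"].append(lease)
        else:
            report["unknown"].append(lease)
    return report


# Constructed inventory (what 'ipconfig /all' showed on the household PCs) and lease file.
INVENTORY = ["AA-BB-CC-11-22-33", "aa:bb:cc:44:55:66"]
LEASES = """\
1700003600 aa:bb:cc:11:22:33 192.168.1.10 desktop 01:aa:bb:cc:11:22:33
1700003600 AA:BB:CC:44:55:66 192.168.1.11 laptop 01:aa:bb:cc:44:55:66
1700003600 de:ad:be:ef:00:01 192.168.1.12 android-3f2 01:de:ad:be:ef:00:01
1699990000 aa:bb:cc:77:88:99 192.168.1.13 old-phone *
"""


def demo(now=1700000000):
    """Audit the constructed lease file against the constructed inventory at time `now`."""
    return audit(parse_dnsmasq_leases(LEASES), INVENTORY, now)


if __name__ == "__main__":
    for status, leases in demo().items():
        for lease in leases:
            print(f"{status:8} {lease.mac} {lease.ip} {lease.hostname}")
```

A MAC address is only an inventory key, not proof of identity: a device that has spoofed a known address will land in the "known" bucket, which is the "experienced Wi-Fi hackers" caveat in the answer.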
Do you have access to the Access Point management ?
Look for MAC addresses and their filtering. Modern APs allow you to filter devices and or limit the timeframe during which devices can authenticate themselves, using a hardware button.
A link on how to secure your AP here, and a good start to know what to play with !
You can also use this command on your router or modem. Some modems have a console for ping and commands like that:
ipconfig -all
How can I connect a system to a network and sniff for virus/spyware related traffic? I'd like to plug in a network cable, fire up an appropriate tool and have it scan the data for any signs of problems. I don't expect this to find everything, and this is not to prevent initial infection but to help determine if there is anything trying to actively infect other systems or causing network problems.
Running a regular network sniffer and manually looking through the results is no good unless the traffic is really obvious, but I haven't been able to find any tool to scan a network data stream automatically.
I highly recommend running Snort on a machine somewhere near the core of your network, and span (mirror) one (or more) ports from somewhere along your core network path to the machine in question.
Snort has the ability to scan network traffic it sees, and automatically notify you via various methods if it sees something suspicious. This could even be taken further, if desired, to automatically disconnect devices, et cetera, if it finds something.
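The kind of "something suspicious" an IDS on a mirror port picks up for an infected host is behavioural as much as signature-based: one machine opening connections to many neighbours on the same service port in a short time is the footprint of a worm probing SMB or of a spam bot on port 25. The following is an added example (my own code, not from the answer above and not Snort's logic) of that detection run over constructed flow records: a sliding time window per (source, port) counts distinct destinations and alerts when the count reaches a threshold, so a fast scanner is flagged while a slow one stays under the per-window threshold. The flow-log format and all addresses are made up for the example.

```python
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(text: str):
    """Constructed flow-log format: '<epoch> <src> <dst> <dport> <proto>' per line."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(float(ts), src, dst, int(dport), proto))
    return flows


def detect_fanout(flows, ports, window_s=60.0, threshold=10):
    """Alert when one source talks to >= threshold distinct hosts on a watched port
    within window_s seconds. Returns {(src, dport): peak distinct destination count}."""
    events = defaultdict(list)
    for f in flows:
        if f.dport in ports:
            events[(f.src, f.dport)].append((f.ts, f.dst))
    alerts = {}
    for key, evs in events.items():
        evs.sort()
        window, seen = deque(), Counter()
        for ts, dst in evs:
            window.append((ts, dst))
            seen[dst] += 1
            while window[0][0] < ts - window_s:          # expire events older than the window
                _old_ts, old_dst = window.popleft()
                seen[old_dst] -= 1
                if seen[old_dst] == 0:
                    del seen[old_dst]
            if len(seen) >= threshold:
                alerts[key] = max(alerts.get(key, 0), len(seen))
    return alerts


# Constructed sample: a fast SMB scanner, a normal host, and a slow scanner that
# stays under the per-window threshold. Plenty of DNS from the normal host is noise.
SAMPLE_LOG = "\n".join(
    [f"{1700000000 + 2 * i} 10.0.0.5 10.0.0.{30 + i} 445 tcp" for i in range(12)]
    + [f"{1700000000 + 5 * i} 10.0.0.7 10.0.0.{30 + i} 445 tcp" for i in range(3)]
    + [f"{1700000000 + 120 * i} 10.0.0.9 10.0.0.{30 + i} 445 tcp" for i in range(12)]
    + [f"{1700000000 + i} 10.0.0.7 10.0.0.2 53 udp" for i in range(20)]
)


def demo():
    """Run the detector over the constructed log for SMB and SMTP ports."""
    return detect_fanout(parse_flows(SAMPLE_LOG), ports={445, 139, 25})


if __name__ == "__main__":
    for (src, port), count in demo().items():
        print(f"ALERT {src} contacted {count} hosts on port {port} within 60s")
```

The slow scanner shows the limit of any windowed rule: widening the window catches it at the cost of more false positives from legitimately chatty hosts, which is why a real deployment tunes thresholds per network rather than shipping one value.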
Use snort: An open source network intrusion prevention and detection system.
Wireshark, formerly ethereal is a great tool, but will not notify you or scan for viruses. Wireshark is a free packet sniffer and protocol analyzer.
Use the netstat -b command to see which processes have which ports open.
Use CPorts to see a list of ports and the associated programs, and have the ability to close those ports.
Download a free anti-virus program such as free AVG.
Setup your firewall more tightly.
Setup a gateway computer to let all network traffic go through. Take the above recommendations to the gateway computer instead. You will be checking your whole network instead of just your one computer.
You can make Snort scan traffic for viruses. I think this will be the best solution for you.
For watching local network traffic your best bet (with a decent switch) is to set your switch to route all packets out a specific interface (as well as whatever interface it would normally send). This lets you monitor the entire network by dumping traffic down a specific port.
On a 100 megabit network, however, you'll want a gigabit port on your switch to plug it into, or to filter on protocol (e.g. trim out HTTP, FTP, printing, traffic from the fileserver, etc.), or your switch's buffers are going to fill up pretty much instantly and it'll start dropping whatever packets it needs to (and your network performance will die).
The problem with that approach is that most networks today are on switches, not hubs. So, if you plug a machine with a packet sniffer into the switch, it will only be able to see traffic to and from the sniffing machine; and network broadcasts.
As a followup to Ferruccio's comment you will need to find some method of getting around your switches.
A number of network switches have the option of setting up port mirrors, so that all traffic (regardless of the destination) will be copied, or "mirrored", to a nominated port. If you could configure your switch to do this then you would be able to attach your network sniffer here.
Network Magic, if you don't mind something that's not open source.
You can use an IDS, hardware or software
http://en.wikipedia.org/wiki/Intrusion-detection_system