Packetbeats all wifi Traffic Analysis

(Tyler Burge) #1

I am trying to get Packetbeat to log all wifi traffic. I see traffic that is broadcast but not traffic from other hosts like my cellphone trying to access an HTTP page. How can I enable Packetbeat in promiscuous mode so that it logs all traffic? Or at least all HTTP traffic?

(Andrew Kroh) #2

When you run in promiscuous mode on a switched network you will see all traffic sent to that host and any broadcast traffic. You won't see traffic from other hosts on the network (unless they are communicating directly to the host on which you are listening).

If you wanted to capture all HTTP traffic between your phone and the internet you would need to have Packetbeat listening to the traffic between the phone and your router. There are a couple of ways.

  1. A network tap. (Expensive.)
  2. Port mirroring. (Requires a router or switch with this capability.)
  3. An old-school hub. (Hard to find.)
  4. Build a dual-homed Linux box that bridges traffic between NICs and run Packetbeat on that box. (Complicated.)

I use number 2 at home. I have a cheap managed Cisco switch and I use a SPAN port to mirror everything to Packetbeat. I used this setup for this blog post.

I used an EdgeRouter X once too (home use). They support port mirroring and they are quite inexpensive.


(Tyler Burge) #3

Wifi is a shared medium and therefore should be a hub. Does Packetbeat enable promiscuous mode on its own?

Thanks for the quick response :)

(Andrew Kroh) #4

Yes, it does.

(Tyler Burge) #5

Weird. I wonder why I'm not seeing wifi traffic from other people on the wifi network.

I also don't see said traffic in Wireshark. Wondering if it's my setup.

Thanks again for the help!

(Andrew Kroh) #6

That's not a correct statement. Each wireless client communicates directly to the access point. There is no direct peer-to-peer communication when operating in infrastructure mode.

(Tyler Burge) #7

This statement is also true of hubs.

(Jeremy Ward) #8

Hi there. Wireless Network Engineer here...

You can see all traffic on a given channel, regardless of the SSID and BSS (AP) that a given adapter is associated with. This is very easy on unencrypted WLANs. There are special steps you need to take if you are trying to intercept traffic on a WPA/WPA2 PSK encrypted network. It's quite a bit harder on a network that is using various EAP methods for auth with "WPA-Enterprise".

Your issue sounds like a problem with getting the 802.11 interface to enter "monitor mode" (not promiscuous mode).

If your adapter is not in monitor mode, you will see so-called pseudo Ethernet frames, that look similar to what you would see when running a capture on a wired Ethernet interface attached to a switch (without a span/mirror port).

When the adapter runs in monitor mode, you will see all of the 802.11 traffic from all devices in range on the channel the adapter is listening on, regardless of what BSS they are associated with. This includes 802.11 management frames (beacons, probe requests, probe responses, etc.) and data frames.

The ability to enter monitor mode on a given WLAN adapter is both driver and OS dependent.

Most 802.11 adapters running under Linux can be placed in monitor mode. Integrated AirPort adapters running on MacOS X can also be placed in monitor mode.

If you're running Windows, there are only a handful of devices that are capable of monitor mode, and they are all specialized devices designed for WLAN analysis (like a Riverbed AirPcap NX).

If you only care about all data traffic on a specific AP and don't need/care about seeing 802.11 management frames, my suggestion would be the following:

  • have the AP send you the traffic stream live or perform the PCAP for you
  • set up a port mirror or SPAN at the AP's network port in the switch

The first option obviously requires an enterprise or carrier-grade AP; the second, a managed switch. If you have both at your disposal, having the AP take care of the PCAP for you is a better solution than the SPAN/port mirror option, especially if your APs are running GRE or CAPWAP (or some other type of) tunnels back to their controller.

I hope this helps.
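An added example (not from this thread, and not Packetbeat's own code) for checking the point made above: whether a capture was actually taken in monitor mode. A pcap written from a WLAN adapter that is not in monitor mode carries link type 1 (Ethernet, the "pseudo Ethernet frames" described), while a monitor-mode capture carries link type 105 (raw 802.11) or 127 (radiotap + 802.11). The script below reads a classic pcap (pcapng is not handled), reports which case it is, and for monitor-mode captures counts management, control and data frames from the 802.11 Frame Control byte. The two sample captures at the bottom are constructed inline, with a made-up locally administered BSSID; on a WPA/WPA2 network the data frame payloads in such a capture remain encrypted, so only the frame types are visible this way.

```python
import struct

# pcap link-layer header types (values from tcpdump.org/linktypes)
DLT_EN10MB = 1              # Ethernet: what a WLAN adapter NOT in monitor mode hands you
DLT_IEEE802_11 = 105        # raw 802.11 frames, no radio header
DLT_IEEE802_11_RADIO = 127  # radiotap header followed by the 802.11 frame (usual on Linux)
MONITOR_LINKTYPES = {DLT_IEEE802_11, DLT_IEEE802_11_RADIO}

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
SUBTYPE_NAMES = {
    0: {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
        8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"},
    1: {9: "block-ack", 11: "rts", 12: "cts", 13: "ack"},
    2: {0: "data", 4: "null", 8: "qos-data"},
}


def read_pcap(data: bytes):
    """Parse a classic (non-pcapng) pcap; return (linktype, list of raw frames)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    # global header after magic: major, minor, thiszone, sigfigs, snaplen, linktype
    linktype = struct.unpack_from(endian + "HHiIII", data, 4)[5]
    frames, offset = [], 24
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frames.append(data[offset:offset + incl_len])
        offset += incl_len
    return linktype, frames


def classify_80211(frame: bytes, linktype: int) -> str:
    """Label an 802.11 frame as 'type/subtype' from its Frame Control byte."""
    if linktype == DLT_IEEE802_11_RADIO:
        # radiotap header: version(1) pad(1) length(2, little-endian) present(4) ...; skip it
        rt_len = struct.unpack_from("<H", frame, 2)[0]
        frame = frame[rt_len:]
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3     # bits 2-3: management / control / data
    subtype = (fc0 >> 4) & 0xF   # bits 4-7: beacon, probe request, ack, ...
    tname = FRAME_TYPES.get(ftype, "reserved")
    sname = SUBTYPE_NAMES.get(ftype, {}).get(subtype, f"subtype-{subtype}")
    return f"{tname}/{sname}"


def summarize_capture(pcap: bytes) -> dict:
    """Report whether the capture is monitor-mode 802.11 and count frames by kind."""
    linktype, frames = read_pcap(pcap)
    summary = {"linktype": linktype, "monitor_mode": linktype in MONITOR_LINKTYPES, "frames": {}}
    if not summary["monitor_mode"]:
        # pseudo-Ethernet capture: only frames to/from this host plus broadcast are present
        summary["frames"]["ethernet"] = len(frames)
        return summary
    for frame in frames:
        label = classify_80211(frame, linktype)
        summary["frames"][label] = summary["frames"].get(label, 0) + 1
    return summary


# --- constructed sample captures (made up for this example, not real traffic) ---
def build_pcap(linktype: int, frames) -> bytes:
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    records = [struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
               for i, f in enumerate(frames)]
    return header + b"".join(records)


RADIOTAP_MIN = bytes([0, 0, 8, 0, 0, 0, 0, 0])  # 8-byte radiotap header, no fields present
BSSID = bytes.fromhex("020000000001")           # locally administered, made-up address


def wlan_frame(fc0: int, body: bytes = b"") -> bytes:
    # minimal MAC header: frame control, duration, addr1 (broadcast), addr2, addr3, seq ctrl
    return bytes([fc0, 0x00]) + b"\x00\x00" + b"\xff" * 6 + BSSID + BSSID + b"\x00\x00" + body


SAMPLE_MONITOR_PCAP = build_pcap(DLT_IEEE802_11_RADIO, [
    RADIOTAP_MIN + wlan_frame(0x80, b"\x00" * 12),             # management/beacon
    RADIOTAP_MIN + wlan_frame(0x40),                           # management/probe-req
    RADIOTAP_MIN + wlan_frame(0x08, b"\xaa\xaa\x03"),          # data/data (LLC/SNAP start)
    RADIOTAP_MIN + bytes([0xD4, 0x00, 0x00, 0x00]) + BSSID,    # control/ack (RA only)
])

SAMPLE_ETHERNET_PCAP = build_pcap(DLT_EN10MB, [
    b"\xff" * 6 + BSSID + b"\x08\x06" + b"\x00" * 28,          # broadcast ARP-shaped frame
])

if __name__ == "__main__":
    print(summarize_capture(SAMPLE_MONITOR_PCAP))
    print(summarize_capture(SAMPLE_ETHERNET_PCAP))
```

To use it on a real file, write a short capture with `tcpdump -i <iface> -w test.pcap`, read the file's bytes and pass them to `summarize_capture`. A result with `linktype` 1 means the adapter was handing out Ethernet frames, i.e. it was not in monitor mode, which matches the symptom in this thread of seeing only broadcast and own-host traffic.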
