Wireshark-users: Re: [Wireshark-users] Wireshark not capturing packets from iphone on the same wi

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sat, 13 Jun 2015 14:23:16 -0700
On Jun 13, 2015, at 2:02 PM, "Micheal Blue" <mblue@xxxxxx> wrote:

> I want to use wireshark to see traffic coming off of my iphone to see which urls it connects to while idle. I am using the official distro provided packages for wireshark-qt on my laptop and my user is in the 'wireshark' group.  I can only see entries from the iphone if I use it to ping my laptop. However, I do not see any traffic from the iphone when I browse the web from it, check email from it, send txt messages, etc.  It seems that I am only able to capture traffic if the iphone directly interacts with the laptop. Why?
> 
> * The wireless router is an Asus RT-N16U running Tomato-USB.
> * Both the iphone and laptop are connected to the same SSID (2.4 GHz AP running pure N-only mode).
> * My laptop's NIC enters promiscuous mode via output of dmesg when wireshark is started.

I'm guessing from "distro" and "dmesg" that this is Linux.

If so, have you followed the instructions to put the NIC into *monitor* mode on Linux?

	https://wiki.wireshark.org/CaptureSetup/WLAN#Linux

Promiscuous mode doesn't suffice on Wi-Fi.

Note, however, that, if you capture in monitor mode on a protected network (using WEP or WPA/WPA2), the traffic will be encrypted, and you will need to give Wireshark enough information in order to decrypt it:

	https://wiki.wireshark.org/HowToDecrypt802.11

(yes, 802.11 was *intentionally designed* to be hard to sniff!).  That also means that:

> * I have tried capturing without a filter present (all traffic) and also specifically targeting the iphone address with this filter, "host 192.168.1.203" which is the ip address of the iphone.

...in monitor mode, the capture filter will not be able to do anything with the encrypted payload, so filters such as "host 192.168.1.203" won't work.
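The following script is an added example, not part of this thread or of Wireshark's own code. It shows the two points above on Linux: switching the NIC from managed to monitor mode with iw and verifying the change (promiscuous mode alone is not enough), then running tshark in monitor mode with a WPA2-PSK passphrase supplied through the 80211_keys table so that the phone's address can be matched as a *display* filter after decryption rather than as a capture filter. The interface name wlan0, the SSID, the passphrase and the address 192.168.1.203 are placeholders; the "wpa-pwd" key format is the one documented on the HowToDecrypt802.11 wiki page linked above.

```shell
#!/bin/sh
# Added example (not from the thread): monitor mode plus decrypted capture on Linux.
# Assumptions: interface wlan0, SSID/passphrase placeholders, phone at 192.168.1.203.
set -eu

# Read `iw dev <iface> info` output from stdin and succeed only if the interface
# type is "monitor". A managed interface in promiscuous mode will not show other
# stations' frames, which is the symptom described in the question.
is_monitor_type() {
    grep -q '^[[:space:]]*type monitor$'
}

# Host matching must be done as a Wireshark display filter on the decrypted
# frames; a capture filter like "host 192.168.1.203" only sees the encrypted
# 802.11 payload and never matches.
host_display_filter() {
    printf 'ip.addr == %s' "$1"
}

# Put the interface into monitor mode (needs root or CAP_NET_ADMIN) and confirm it.
enter_monitor_mode() {
    iface=$1
    ip link set "$iface" down
    iw dev "$iface" set type monitor
    ip link set "$iface" up
    iw dev "$iface" info | is_monitor_type
}

# Capture in monitor mode (-I) with WPA decryption enabled. The 80211_keys UAT
# entry takes the form "wpa-pwd","passphrase:SSID".
capture_host() {
    iface=$1; ssid=$2; psk=$3; host=$4
    tshark -i "$iface" -I \
        -o wlan.enable_decryption:TRUE \
        -o "uat:80211_keys:\"wpa-pwd\",\"${psk}:${ssid}\"" \
        -Y "$(host_display_filter "$host")"
}

# Run end to end only when explicitly asked, so the functions can be sourced.
if [ "${1:-}" = "run" ]; then
    enter_monitor_mode wlan0
    capture_host wlan0 MySSID MyPassphrase 192.168.1.203
fi
```

Two practical notes: a monitor-mode interface only hears the channel it is tuned to, so it may need `iw dev wlan0 set channel N` to match the router's channel, and WPA/WPA2 decryption only works for a station whose four-way EAPOL handshake was captured, so the phone has to (re)join the network after the capture has started.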