Wireshark – Filter the Wireless Hosted Network (Win7/8/10)

wireshark

I was thinking about capturing iPhone traffic.

I have created a hosted network to which I can connect my iPhone. I'm able to filter the traffic for server IP addresses which are known, such as Google, Facebook etc. (ping <address>)

The problem is that I have to monitor the ethernet connection on my PC, and my PC gets a lot of background ethernet actions. Is it somehow possible to just display the activity from the hosted network?

P.S.: The IP address from which the packages my iPhone sends is the same as my PC's IP address.

Best Answer

According to: https://msdn.microsoft.com/en-us/library/windows/desktop/dd815243%28v=vs.85%29.aspx

Wireless Hosted Networking creates virtual wireless adapters, including a SoftAP adapter.

If that adapter shows up in the list of interfaces Wireshark can capture on, choosing the SoftAP adapter instead of the adapter your computer uses for it's Internet connection should narrow down what packets you see and let you see the iPhone's Wi-Fi IP and MAC addresses, which will both be different from your computer's addresses. If you've been capturing on the hosting computer's Internet-facing interface, you're probably seeing the iPhone's traffic after it gets NATed to the same IP and MAC addresses as your computer.

Once you switch which interface you're capturing on, you can filter by the MAC address of your iPhone:

https://ask.wireshark.org/questions/14368/capture-filter-mac

You can find an iPhone's Wi-Fi MAC address in:
Settings: General: About
under "Wi-Fi Address"

You can also filter on the IP address of the iPhone. If you can't figure that address out with a short capture on the AP interface, you can find it by tapping the blue-circled "i" next to the SSID (network name) of your hosted Wi-Fi in Settings: Wi-Fi.

Related Solutions

Wireshark Filter – OSPF Database Description Link State ID

Display Filter by advertising Router-ID:

This display filter will get you close as I can come up with...

ospf.msg.dbdesc == 1 and ospf contains <adv-router-id-as-hex>

For instance, if your advertising router is 1.1.1.1...

ospf.msg.dbdesc == 1 and ospf contains 01.01.01.01

However, the problem is that contains 01.01.01.01 matches any string contents with 01.01.01.01, so both 01.01.01.01 or 01.01.01.01.ff could match... furthermore, it's possible that some other packet in the DBD also contains a reference to that router-id.

Display Filter by advertising Link-State ID:

This is a little easier, because there is a better chance to find a unique string; as long as you know the type of LSA you're looking for. The OSPF RFC requires the packet to get sent with <lsa-type-4bits>.<link-id-4bytes>, so the display filter is:

ospf.msg.dbdesc == 1 and ospf contains <lsa-type>.<link-id>

For example, the display filter to find a Network Summary LSA (LSA Type 3) with the ID of 10.4.27.0 (hex 0a.04.1b.00):

ospf.msg.dbdesc == 1 and ospf contains 03.0a.04.1b.00

Another example, the display filter to find an External LSA (LSA Type 5) with the ID of 10.4.27.0 (hex 0a.04.1b.00):

ospf.msg.dbdesc == 1 and ospf contains 05.0a.04.1b.00

FYI, these are the numbers corresponding to the LSA types

How to Use Wireshark HTTP Filter

The use of the NOT (!=) operator in Wireshark comes with a caveat, as mentioned in the documentation

6.4.4. A common mistake

Warning! Using the != operator on combined expressions like: eth.addr, ip.addr, tcp.port, udp.port and alike will probably not work as expected!

Often people use a filter string to display something like ip.addr == 1.2.3.4 which will display all packets containing the IP address 1.2.3.4.

Then they use ip.addr != 1.2.3.4 to see all packets not containing the IP address 1.2.3.4 in it. Unfortunately, this does not do the expected.

Instead, that expression will even be true for packets where either source or destination IP address equals 1.2.3.4. The reason for this, is that the expression ip.addr != 1.2.3.4 must be read as "the packet contains a field named ip.addr with a value different from 1.2.3.4". As an IP datagram contains both a source and a destination address, the expression will evaluate to true whenever at least one of the two addresses differs from 1.2.3.4.

If you want to filter out all packets containing IP datagrams to or from IP address 1.2.3.4, then the correct filter is !(ip.addr == 1.2.3.4) as it reads "show me all the packets for which it is not true that a field named ip.addr exists with a value of 1.2.3.4", or in other words, "filter out all packets for which there are no occurrences of a field named ip.addr with the value 1.2.3.4".

It might be that for your specific filter at hand, the current capture are displaying the same results, but it might give you a different result with a different capture

"http.host" means any packet which have HTTP hosts "http.host != "" " means any packet which http.hosts isn't empty.

How will the second one react if you do not have http.host at all (ie: non-http traffic?) you might want to check that

Best Answer

Related Solutions

Wireshark Filter – OSPF Database Description Link State ID

How to Use Wireshark HTTP Filter

Related Topic