
I have a switch with port mirroring enabled. So one port is the source port, and the other is the mirror port.

In the source port, I have a wifi router plugged in.

The mirror port is connected to my Mac using an Ethernet/Thunderbolt adapter.

I'd like to be able to connect a device to the wifi router and see all traffic going through it by monitoring on the Mac using Wireshark or Charles.

My Mac says the port is connected, but assigned a self-assigned IP.

I've tried both Wireshark and Charles, but am not able to see the traffic.

Any thoughts whether this is possible? And if so, what the issue may be?

Steve
  • Which traffic are you trying to see? Traffic between your Mac and the Internet? Other machines' traffic on your Wi-Fi network? –  Aug 13 '14 at 21:29
  • Other devices' traffic on the Wi-Fi network. – Steve Aug 14 '14 at 00:48

1 Answer

> Other devices' traffic on the Wi-Fi network.

In that case, Charles should not be expected to capture any traffic; it inserts itself as a proxy to capture Web browser traffic to and from the machine on which it's running (and that works by inserting itself as a Web proxy, so it won't catch, for example, HTTP traffic done by doing `telnet {webserver} 80` and typing HTTP traffic at it).

Your alternatives here are:

  1. Capture using monitor mode on Wi-Fi. This should capture all the traffic sent over your Wi-Fi network, but, if it's protected (WEP or WPA/WPA2) you will need to tell Wireshark the network password and, if it's using WPA/WPA2, disconnect the client machines from the network somehow (putting them to sleep should do it) and, once you've started the capture, make them reconnect (waking them up should do it). See the "How to decrypt 802.11" page on the Wireshark Wiki.

  2. Make sure the traffic to the Internet from the Wi-Fi router goes through the switch (i.e., make sure your Wi-Fi router isn't also your cable modem/DSL modem/whatever, and plug your cable modem/DSL modem/whatever and your Wi-Fi router into the switch, so all Wi-Fi traffic to and from the Internet goes through the switch), set up a mirror port, and plug the Mac's Thunderbolt Ethernet adapter in to the mirror port. (Don't worry about its IP address - the mirror port isn't supposed to act like a regular network port, so DHCP traffic from your Mac on that port probably won't make it to whatever DHCP server you have, and it won't get an IP address other than a self-assigned one.)

  • #2 did actually work using Wireshark. I was previously monitoring the wrong interface. – Steve Aug 14 '14 at 12:45
  • (BTW, [hubs rather than switches are often used in that fashion](http://wiki.wireshark.org/CaptureSetup/Ethernet#Capture_using_an_Ethernet_hub), although true hubs may be hard to find now that switches are cheap.) –  Aug 14 '14 at 18:53
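
Added example (not part of the original thread): a shell helper for the "wrong interface" problem reported in the comments. It maps a macOS hardware-port name to its capture device and confirms that a self-assigned (169.254.x.x) address on the mirror port is expected. The port listing is a constructed sample of `networksetup -listallhardwareports` output, and the port name "Thunderbolt Ethernet", the device names and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample of `networksetup -listallhardwareports` output (macOS).
# Device names and MAC addresses are made up for illustration.
SAMPLE_PORTS='Hardware Port: Wi-Fi
Device: en0
Ethernet Address: 00:00:5e:00:53:01

Hardware Port: Thunderbolt Ethernet
Device: en3
Ethernet Address: 00:00:5e:00:53:02

Hardware Port: Thunderbolt Bridge
Device: bridge0
Ethernet Address: 00:00:5e:00:53:03'

# device_for_port NAME: read a hardware-port listing on stdin and print the
# device (en0, en3, ...) whose "Hardware Port:" line matches NAME exactly.
device_for_port() {
    awk -v want="$1" '
        /^Hardware Port: / { port = substr($0, 16) }
        /^Device: /        { if (port == want) { print substr($0, 9); exit } }
    '
}

# is_self_assigned ADDR: succeed if ADDR is in 169.254.0.0/16 (link-local).
# On a mirror port this is normal, because DHCP replies never reach the Mac.
is_self_assigned() {
    case "$1" in
        169.254.*) return 0 ;;
        *)         return 1 ;;
    esac
}

# capture_command NAME: read the listing on stdin and print the tcpdump
# command for that port; -e shows MAC addresses so other hosts' frames
# are easy to tell apart from the Mac's own.
capture_command() {
    dev=$(device_for_port "$1") || return 1
    [ -n "$dev" ] || { echo "no device for port: $1" >&2; return 1; }
    echo "tcpdump -n -e -i $dev"
}

# Demo on the constructed sample; on a real Mac, pipe in
# `networksetup -listallhardwareports` instead.
printf '%s\n' "$SAMPLE_PORTS" | capture_command "Thunderbolt Ethernet"
```

The same device name is the one to select in Wireshark's interface list.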