
Home WiFi sniffing



Over the years my home internet access (through my cableco) has steadily improved. However, it's always had a usage cap. Not a hard cap where it stops working, or even a soft cap where the bandwidth gets downgraded. Nope, instead I get a usage charge if I exceed it - which I've done occasionally. The "fix" is to increase my service. However, I've also configured my Netgear router to kick out a warning page when I've exceeded 100GB to give me some warning (the cableco will as well, but theirs only kicks in after I've exceeded it and has a 24-48 hour lag).

This month that warning popped up although I hadn't done anything particularly bandwidth intensive (like pulling down the MAME torrent...)

Checking the cableco's website I could see there were several days where I had used over 10GB. Hmm... what could be downloading that much data?

In a perfect world, my router would have a nice little report breaking down usage by device and destination. There's no technical reason it couldn't as part of the NAT functionality. (Although it might require some external storage.) Heck, the router is even a DNS proxy so the report could even map the IP address of the destination to a FQDN.

But this isn't a perfect world - far from it. Other than tracking overall usage the router doesn't track anything other than the list of currently connected devices. Nor does this function appear to be part of other routers, even the open source ones. Bleargh - so how to do this?

Hmm - could I sniff the WiFi network and get the info that way? The short answer is yes. Long answer:

1. My first attempt was to use Wireshark on Windows. But that only captured the traffic for that computer. What I needed was to put the adapter in "monitor mode".
2. My second attempt was to use Acrylic WiFi Professional. This worked, I could at least see the number of packets being sent by each device. But I couldn't get a count of the number (and size) of packets received by each device. It also seemed to crash while running unattended for several hours.
3. I then tried to use the drivers from Acrylic with Wireshark (which is supposed to be possible according to Acrylic). But I couldn't get it working or find out how to configure the driver to only listen on the correct channel.
4. So I downloaded a LiveCD/USB image of Kali Linux and tried to use aircrack-ng without success. I'm not sure whether the Linux drivers don't support monitor mode or if there was another issue.
5. Finally I loaded up Wireshark on my wife's old MacBook. Ding, ding, ding, we have a winner! Monitor mode without complaint. TShark to capture straight to disk. About the only quirk was it uses the channel of the connected SSID, but I needed to disable my 5GHz network anyway.

So with this I can easily track usage per device. In theory I should also be able to decrypt the packets (as I know the WPA2 passphrase) too, assuming I sniffed the WPA handshake.
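The TShark capture from step 5 leaves raw 802.11 frames on disk, but it still takes some bookkeeping to answer the original question: how many bytes did each device send and receive? The script below is an added example, not code from the original post. It attributes each data frame to a client from the 802.11 MAC header alone (ToDS set means the client is transmitting and is Addr2; FromDS set means the AP is delivering to the client in Addr1), so WPA2-encrypted frames are counted correctly without the passphrase. Only a per-destination breakdown, as the post notes, would require decrypting the payload. The MAC addresses, the sample frames, and the `read_pcap` reader (which expects tshark's classic pcap output, `-F pcap`, with link type 105 or 127) are constructed assumptions for illustration.

```python
"""Per-device WiFi usage from a monitor-mode capture (added example)."""
import struct
from collections import defaultdict

# 802.11 frame control: byte 0 holds version/type/subtype, byte 1 the flags.
TYPE_DATA = 2
FLAG_TO_DS, FLAG_FROM_DS, FLAG_RETRY, FLAG_PROTECTED = 0x01, 0x02, 0x08, 0x40


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def classify(frame):
    """Return (station_mac, 'up'|'down') for an infrastructure data frame, else None.

    Only the MAC header is inspected, so WPA2-encrypted frames are attributed
    without the passphrase. ToDS=1: the client transmits (Addr2 is its MAC);
    FromDS=1: the AP delivers to the client (Addr1)."""
    if len(frame) < 24:
        return None
    fc0, flags = frame[0], frame[1]
    if (fc0 >> 2) & 0x03 != TYPE_DATA:
        return None                      # beacons, ACKs etc. carry no user data
    if flags & FLAG_RETRY:
        return None                      # retransmission: count the frame once
    to_ds, from_ds = bool(flags & FLAG_TO_DS), bool(flags & FLAG_FROM_DS)
    if to_ds and not from_ds:
        return mac_str(frame[10:16]), "up"
    if from_ds and not to_ds:
        return mac_str(frame[4:10]), "down"
    return None                          # ad hoc / WDS: no single client to charge


def tally(frames):
    """Sum over-the-air bytes per client MAC, split into sent and received."""
    usage = defaultdict(lambda: {"up": 0, "down": 0, "frames": 0})
    for frame in frames:
        hit = classify(frame)
        if hit:
            mac, direction = hit
            usage[mac][direction] += len(frame)
            usage[mac]["frames"] += 1
    return dict(usage)


def top_talkers(usage):
    """Clients ordered by total bytes, largest first: [(mac, up, down), ...]."""
    return sorted(((m, u["up"], u["down"]) for m, u in usage.items()),
                  key=lambda t: t[1] + t[2], reverse=True)


def read_pcap(path):
    """Yield 802.11 frames from a classic pcap (tshark -I -w file -F pcap).
    Handles link type 105 (raw 802.11) and 127 (radiotap header prepended)."""
    with open(path, "rb") as f:
        gh = f.read(24)
        end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(gh[:4])
        if end is None:
            raise ValueError("not a classic pcap (pcapng is not handled here)")
        linktype = struct.unpack(end + "I", gh[20:24])[0]
        if linktype not in (105, 127):
            raise ValueError(f"unsupported link type {linktype}")
        while len(rh := f.read(16)) == 16:
            incl_len = struct.unpack(end + "IIII", rh)[2]
            data = f.read(incl_len)
            if linktype == 127:          # radiotap length field is always little-endian
                data = data[struct.unpack("<H", data[2:4])[0]:]
            yield data


# ---- constructed sample traffic (locally administered MACs, not real devices) ----
BSSID = bytes.fromhex("021a2b3c4d5e")    # the home AP (constructed)
LAPTOP = bytes.fromhex("021122334455")   # constructed client
TV = bytes.fromhex("02aabbccddee")       # constructed client
WIRED = bytes.fromhex("02deadbeef00")    # constructed wired-side address for Addr3


def make_data_frame(station, direction, payload_len, retry=False):
    """Build a QoS Data frame header (26 bytes) plus an opaque encrypted payload."""
    flags = FLAG_PROTECTED | (FLAG_RETRY if retry else 0)
    if direction == "up":
        flags |= FLAG_TO_DS
        a1, a2, a3 = BSSID, station, WIRED
    else:
        flags |= FLAG_FROM_DS
        a1, a2, a3 = station, BSSID, WIRED
    # frame control, duration, Addr1..3, sequence control, QoS control
    hdr = bytes([0x88, flags]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00" + b"\x00\x00"
    return hdr + b"\x00" * payload_len


BEACON = bytes([0x80, 0x00, 0, 0]) + b"\xff" * 6 + BSSID + BSSID + b"\x00\x00" + b"\x00" * 40

SAMPLE_FRAMES = [
    BEACON,                                            # management frame: ignored
    make_data_frame(LAPTOP, "down", 1400),
    make_data_frame(LAPTOP, "down", 1400),
    make_data_frame(LAPTOP, "down", 1400, retry=True),  # retransmission: ignored
    make_data_frame(LAPTOP, "up", 60),
    make_data_frame(TV, "down", 1400),
    make_data_frame(TV, "down", 1400),
    make_data_frame(TV, "down", 1400),
    make_data_frame(TV, "up", 60),
]

if __name__ == "__main__":
    import sys
    frames = read_pcap(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FRAMES
    for mac, up, down in top_talkers(tally(frames)):
        print(f"{mac}  sent {up:>10,} B  received {down:>10,} B")
```

Run it with no arguments to see the constructed sample, or point it at a capture taken with something like `tshark -I -i en0 -F pcap -w home.pcap` (`en0` is the assumed Mac WiFi interface). The totals are over-the-air bytes including 802.11 and encryption overhead, so they run a little higher than what the cableco meters, but the ranking of devices is what matters for finding the culprit. Retries are skipped so a noisy channel doesn't inflate a device's count.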

Of course, it looks like Internet usage is back to normal.
