Wireshark Not Displaying Packets From Other Network Devices, Even in Promisc Mode

wireshark

System Setup:

  1. MacBook Air running Mountain Lion and connected wirelessly to a router.
  2. Wireshark installed and capturing packets (I have "capture all in promiscuous mode" checked)
  3. I filter out all packets with my source and destination IP using the following filter (ip.dst != 192.168.1.104 && ip.src != 192.168.1.104)
  4. On the same network as the MacBook, I use an Android device (connecting via WiFi) to make HTTP requests.

Expected Results:

  1. Wireshark running on the MacBook sees the HTTP request from the Android device.

Actual Results:

  1. I only see SSDP broadcasts from 192.168.1.1

Question:
What do I need to do so that Wireshark, like Firesheep, can see and use the packets (particularly HTTP) from other network devices on the same network?

UPDATE

  1. "How can I capture other computers traffic in Wireshark on a WiFi-network?" seems to imply that it is not possible
  2. This seems to describe my problem: http://seclists.org/wireshark/2010/Jan/70
  3. I am confident the network interface is in promisc mode because when I run ifconfig I get en0: flags=8967<UP,BROADCAST,DEBUG,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500

Best Answer

If you are not connected via Ethernet to your home router, most likely the home router uses a switch for its LAN ports and not a hub, thus each port has its own collision domain, whereas in a hub the collision domain is shared among all the ports and you would see all traffic on every port.

If you are connected wirelessly, there may be a few issues. First, certain wireless cards' drivers do not support being put into promiscuous mode. Nothing can be done about that unless you want to write your own. Second, if your network is encrypted and you are only seeing layer 2 traffic from various sources and not the higher layer protocols expected (which doesn't appear to be the case), then you must enter the WEP key into Wireshark so it can handle the decryption. WPA and WPA2 decryption get more complicated, as older versions of Wireshark do not support it, and if it is supported, then you must capture the entire handshake taking place between the router and the device (EAPOL packets), as unique keys are generated between the device and router.
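An added example, not part of the original answer: a check you can run over EAPOL-Key frames exported from a capture of your own network to see which of the four handshake messages were recorded for each device. The function names, sample frames and MAC addresses are constructed for illustration, and the message 2 versus message 4 test assumes WPA2 (RSN) flag usage.

```python
import struct

# Key Information flag bits of an IEEE 802.11 EAPOL-Key frame
PAIRWISE, INSTALL, ACK, MIC, SECURE = 0x0008, 0x0040, 0x0080, 0x0100, 0x0200

def classify_eapol_key(eapol: bytes):
    """Return 1-4 for a pairwise 4-way handshake message, else None."""
    if len(eapol) < 7:
        return None
    # 802.1X header (version, type, length), descriptor type, Key Information
    _ver, ptype, _length, _desc, info = struct.unpack_from("!BBHBH", eapol)
    if ptype != 3 or not info & PAIRWISE:  # 3 = EAPOL-Key; skip group-key frames
        return None
    ack, mic = info & ACK, info & MIC
    if ack and not mic:
        return 1                           # AP -> device, carries ANonce
    if ack and mic and info & INSTALL:
        return 3                           # AP -> device, install key
    if mic and not ack:
        # Assumption: WPA2/RSN, where message 4 sets Secure and message 2 does not.
        return 4 if info & SECURE else 2
    return None

def missing_messages(frames):
    """frames: iterable of (device_mac, eapol_bytes) -> {device_mac: [missing msgs]}."""
    seen = {}
    for device, eapol in frames:
        msg = classify_eapol_key(eapol)
        if msg:
            seen.setdefault(device, set()).add(msg)
    return {dev: sorted({1, 2, 3, 4} - msgs) for dev, msgs in seen.items()}

def make_frame(info: int) -> bytes:
    """Constructed EAPOL-Key frame: header, RSN descriptor, zeroed remainder."""
    return struct.pack("!BBHBH", 2, 3, 95, 2, info) + bytes(92)

# Constructed sample: device ..:01 was captured while joining, device ..:02 was
# only seen from message 3 onward, followed by a group-key frame (ignored).
SAMPLE = [
    ("02:00:00:00:00:01", make_frame(0x008A)),
    ("02:00:00:00:00:01", make_frame(0x010A)),
    ("02:00:00:00:00:01", make_frame(0x13CA)),
    ("02:00:00:00:00:01", make_frame(0x030A)),
    ("02:00:00:00:00:02", make_frame(0x13CA)),
    ("02:00:00:00:00:02", make_frame(0x030A)),
    ("02:00:00:00:00:02", make_frame(0x1382)),
]

if __name__ == "__main__":
    for device, missing in missing_messages(SAMPLE).items():
        print(device, "complete" if not missing else f"missing messages {missing}")
```

A device that shows missing messages joined before the capture started; the handshake is only repeated when that device reconnects to the network.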
