How to Configure Wireshark to Detect Unauthorized Wi-Fi Access
To monitor unauthorized Wi-Fi access using Wireshark, make sure that you know the IP and MAC addresses for all of your network-connected devices, and then run a trace using Wireshark. You can then analyze the trace logs, noting any IP or MAC addresses that are not authorized to connect to your network. You can filter information to see all entries from an unauthorized IP or MAC address, and also save your trace logs as text files for later reference.
1 Configure Wireshark
2 Download the Wireshark application
Download the Wireshark application (link in Resources), and then install the software on a computer connected to your Wi-Fi network. Install all components, including the optional WinPcap feature. When the WinPcap installation completes, check the “Automatically Start the WinPcap Driver at Boot Time” check box, and then click “Finish.”
3 Launch Wireshark
Launch Wireshark, and then click the router to monitor in the Start box. Note that you can select more than one router to monitor from this box.
4 Click the Capture Options link
Click the “Capture Options” link to open the Capture Options dialog box.
5 Click the Capture All in Promiscuous Mode option
Click the “Capture All in Promiscuous Mode” option in the Capture Options dialog box. Promiscuous mode records all traffic traveling across the network.
6 Check all three
Check all three of the Display options: “Update of List Packets in Real Time,” “Automatic Scrolling in Live Capture” and “Hide Capture Dialog Box.”
7 Click the Enable MAC Name Resolution and Enable Transport Name Resolution options in the Name Resolution section
Click the “Enable MAC Name Resolution" and “Enable Transport Name Resolution" options in the Name Resolution section. You can also click additional optional settings, such as “Enable Network Name Resolution.”
8 Click Start in the Capture Options dialog box
Click “Start” in the Capture Options dialog box. Wireshark immediately begins tracing and recording your network traffic. The real-time traffic logs are displayed in three panes in the Wireshark interface.
9 Analyze Logs
10 Scan the logs
Visually scan the logs until you find an unfamiliar IP or MAC address.
Filter the log using the unauthorized IP or MAC address to only view entries for the offending connection. To filter by IP address, type “ip.addr == xx.xx.xx.xx” (omit the quote marks) into the Filter bar, replacing “xx.xx.xx.xx” with the unauthorized IP address. The real-time results now only display entries containing the specified IP address.
12 Type mac contains xx-xx-xx-xx-xx-xx ”
Type “mac contains xx-xx-xx-xx-xx-xx” (omit the quote marks) in the Filter field, replacing the "x’s" with the MAC address of the unauthorized device. The trace log now limits the display to entries including the specified MAC address.
- Information provided in these steps applies to Wireshark for Windows, version 1.10.x and higher. Instructions may vary slightly or significantly for other versions of Wireshark.
- Click the "Stop" icon in the top toolbar to stop a real-time trace.
- Once you identify the unauthorized MAC or IP address, configure your router to block connections from the device.