How to Configure Wireshark to Detect Unauthorized Wi-Fi Access

To monitor unauthorized Wi-Fi access using Wireshark, make sure that you know the IP and MAC addresses for all of your network-connected devices, and then run a trace using Wireshark. You can then analyze the trace logs, noting any IP or MAC addresses that are not authorized to connect to your network. You can filter information to see all entries from an unauthorized IP or MAC address, and also save your trace logs as text files for later reference.

Download the Wireshark application (link in Resources), and then install the software on a computer connected to your Wi-Fi network. Install all components, including the optional WinPcap feature. When the WinPcap installation completes, check the “Automatically Start the WinPcap Driver at Boot Time” check box, and then click “Finish.”

Launch Wireshark, and then click the router to monitor in the Start box. Note that you can select more than one router to monitor from this box.

Click the “Capture Options” link to open the Capture Options dialog box.

Click the “Capture All in Promiscuous Mode” option in the Capture Options dialog box. Promiscuous mode records all traffic traveling across the network.

Check all three of the Display options: “Update of List Packets in Real Time,” “Automatic Scrolling in Live Capture” and “Hide Capture Dialog Box.”

Click the “Enable MAC Name Resolution" and “Enable Transport Name Resolution" options in the Name Resolution section. You can also click additional optional settings, such as “Enable Network Name Resolution.”

Click “Start” in the Capture Options dialog box. Wireshark immediately begins tracing and recording your network traffic. The real-time traffic logs are displayed in three panes in the Wireshark interface.

Visually scan the logs until you find an unfamiliar IP or MAC address.

Filter the log using the unauthorized IP or MAC address to only view entries for the offending connection. To filter by IP address, type “ip.addr == xx.xx.xx.xx” (omit the quote marks) into the Filter bar, replacing “xx.xx.xx.xx” with the unauthorized IP address. The real-time results now only display entries containing the specified IP address.

Type “mac contains xx-xx-xx-xx-xx-xx” (omit the quote marks) in the Filter field, replacing the "x’s" with the MAC address of the unauthorized device. The trace log now limits the display to entries including the specified MAC address.