How to Configure Wireshark to Detect Unauthorized Wi-Fi Access

Monitor your network traffic with Wireshark.
... Thomas Northcut/Photodisc/Getty Images

To monitor unauthorized Wi-Fi access using Wireshark, make sure that you know the IP and MAC addresses for all of your network-connected devices, and then run a trace using Wireshark. You can then analyze the trace logs, noting any IP or MAC addresses that are not authorized to connect to your network. You can filter information to see all entries from an unauthorized IP or MAC address, and also save your trace logs as text files for later reference.

1 Configure Wireshark

2 Download the Wireshark application

Download the Wireshark application (link in Resources), and then install the software on a computer connected to your Wi-Fi network. Install all components, including the optional WinPcap feature. When the WinPcap installation completes, check the “Automatically Start the WinPcap Driver at Boot Time” check box, and then click “Finish.”

3 Launch Wireshark

Launch Wireshark, and then click the router to monitor in the Start box. Note that you can select more than one router to monitor from this box.

4 Click the Capture Options link

Click the “Capture Options” link to open the Capture Options dialog box.

5 Click the Capture All in Promiscuous Mode option

Click the “Capture All in Promiscuous Mode” option in the Capture Options dialog box. Promiscuous mode records all traffic traveling across the network.

6 Check all three

Check all three of the Display options: “Update of List Packets in Real Time,” “Automatic Scrolling in Live Capture” and “Hide Capture Dialog Box.”

7 Click the Enable MAC Name Resolution and Enable Transport Name Resolution options in the Name Resolution section

Click the “Enable MAC Name Resolution" and “Enable Transport Name Resolution" options in the Name Resolution section. You can also click additional optional settings, such as “Enable Network Name Resolution.”

8 Click Start in the Capture Options dialog box

Click “Start” in the Capture Options dialog box. Wireshark immediately begins tracing and recording your network traffic. The real-time traffic logs are displayed in three panes in the Wireshark interface.

9 Analyze Logs

10 Scan the logs

Visually scan the logs until you find an unfamiliar IP or MAC address.

11 Filter

Filter the log using the unauthorized IP or MAC address to only view entries for the offending connection. To filter by IP address, type “ip.addr == xx.xx.xx.xx” (omit the quote marks) into the Filter bar, replacing “xx.xx.xx.xx” with the unauthorized IP address. The real-time results now only display entries containing the specified IP address.

12 Type mac contains xx-xx-xx-xx-xx-xx ”

Type “mac contains xx-xx-xx-xx-xx-xx” (omit the quote marks) in the Filter field, replacing the "x’s" with the MAC address of the unauthorized device. The trace log now limits the display to entries including the specified MAC address.

  • Information provided in these steps applies to Wireshark for Windows, version 1.10.x and higher. Instructions may vary slightly or significantly for other versions of Wireshark.
  • Click the "Stop" icon in the top toolbar to stop a real-time trace.
  • Once you identify the unauthorized MAC or IP address, configure your router to block connections from the device.

Based in the live music capital of the world, Tammy Columbo continues to work in the information technology industry as she has done for more than 10 years. While living in Austin, Columbo has contributed to high profile projects for the State of Texas, Fortune 500 technology companies and various non-profit organizations. Columbo began writing professionally in 2009.