Wireshark is a powerful and widely-used network protocol analyzer that lets you see what’s happening inside a network cable. By capturing and analyzing packets flowing through a network, Wireshark can help identify neighboring devices connected to the network.
Table of Contents
An Introduction to Wireshark
Wireshark is an open-source packet analyzer that runs on Windows, Linux, macOS, and other platforms. It lets you examine data from a live network or from a capture file in great detail.
Some key features of Wireshark:
- Captures live packet data from a network interface or from a file
- Displays summary information about captured packets
- Allows filtering packets based on various criteria
- Decodes the packet contents into human-readable form
- Analyzes traffic patterns and statistics
Understanding MAC Addresses
A Media Access Control (MAC) address is a unique identifier assigned to the network interface controller (NIC) of a device. It is a 12-digit hexadecimal number, usually separated by colons or hyphens.
MAC addresses are used in layer 2 of the OSI model for communication between network devices. When a device sends data over the network, its MAC address is included in each data packet.
Detecting Neighboring Devices with Wireshark
Wireshark can capture packets going through your network, including packets from devices that may not belong to you. By analyzing the source MAC addresses in these packets, you can detect neighboring devices connected to the same network.
Here are the key steps:
- Install Wireshark on the computer you want to use to monitor traffic. Wireshark works on Windows, Linux, and macOS.
- Start capturing packets on the network interface you want to monitor. For a Wi-Fi network, put your network interface into monitor mode first.
- Apply display filters in Wireshark to only show traffic from MAC addresses you don’t recognize. For example, to hide your own devices:
!(eth.src == xx:xx:xx:xx:xx:xx || eth.src == yy:yy:yy:yy:yy:yy)
- Examine source MAC addresses. Each source MAC address represents a device on your network or a neighboring device within Wi-Fi range.
- Identify device manufacturers. The first 3 bytes of a MAC address represent the Organizationally Unique Identifier (OUI) assigned to each manufacturer. You can look up the OUI online to determine device manufacturers.
Useful Wireshark Filters
Here are some useful display and capture filters you can apply in Wireshark for detecting devices:
Display only packets from a MAC address:
eth.addr == xx:xx:xx:xx:xx:xx
Capture only packets from a MAC address:
ether host xx:xx:xx:xx:xx:xx
Show new devices seen in the last X minutes:
eth.addr != xx:xx:xx:xx:xx:xx && eth.addr != yy:yy:yy:yy:yy:yy && frame.time >= X minutes
Display OUI portion of MAC addresses:
Using the Wireshark OUI Lookup Tool
Wireshark has a built-in OUI lookup tool that can identify device manufacturers from MAC addresses.
To use it:
- Go to https://www.wireshark.org/tools/oui-lookup.html
- Enter the OUI portion (first 6 digits) of the MAC address
- Click Lookup
The tool will display the device manufacturer if the OUI is known.
Using Wireshark’s advanced filtering and analysis capabilities, you can easily detect neighboring devices connected to your network. This information can be useful for security, troubleshooting, and analytics.
The key is to capture packets, analyze source MAC addresses, and leverage OUI lookup tools to gather intelligence about devices on your network. With some practice, you’ll be able to quickly recognize your own devices vs. unknown neighboring devices.