On an unencrypted public wi-fi hotspot, what exactly is a packet sniffer doing to get another computer's packet?

I get mixed results when reading information security articles, some of them stating that in order to do something similar you need to also set up some sort of honeypot with a running access point and local Web server to intercept traffic. Then other articles seem to indicate you don't need that, and you can just run Wireshark, and it will detect all packets being sent on the network. How could that be, and what exactly is a packet sniffer doing to get those packets? Does this involve intercepting wireless signals transmitted over the wireless protocol and frequency via the NIC on the computer running a program like Wireshark?


Solution 1:

If configured correctly, a sniffer will receive all packets it can decode and display them on the screen. This vulnerability is inherent in any WiFi signal that is susceptible to any form of eavesdropping (e.g. being able to capture communications that are unencrypted, weakly encrypted, etc). This is most likely why many sites have added forced HTTPS, which requires a rogue user to then decrypt the message within each packet.

As far as the honeypot you mention, it might be discussing a potential (and elaborate) man-in-the-middle attack whereby a user believes they are served the correct SSL certs and their session is 'secure' but the machine in between is capable of reading all transmissions in plaintext.

Solution 2:

Wireless signals will be received and read by the lower level network software in all WiFi equipped computers in the vicinity. If the target computer is not the current computer the packets are discarded - unless the interface has been put into promiscuous mode. A packet-sniffer such as Wireshark can then capture and display the packet's data.

This is similar to other broadcast networking media such as the old 10BASE5 or 10BASE2 co-axial Ethernet cable and networks using older 10BASE-T (or even 100BASE-TX) hubs (rather than switches - which segregate traffic by learning MAC addresses per port).

As I understand it, if WEP, WPA etc. are in use by the WiFi hub (local access point), the data is encrypted and therefore other computers can't decode the packet data as they don't have the session keys negotiated between each of the other computers and the WiFi hub. Update: I think I am wrong on this last point, as Christian Mann suggested, WEP, WPA and WPA2 don't use session keys and so don't protect your data from other people legitimately using the same WiFi hub. The shared key that is used to authenticate the "connection" to the WiFi hub is (I think) also used to encrypt traffic. Usually, everyone uses the same key and so can, in principle, decrypt everyone else's traffic.

WEP encryption is relatively easily broken in a very short time and so offers no protection against unauthorised receivers of the WiFi signal.

It appears not all WiFi hardware (or more properly, their associated drivers) support "promiscuous mode" (see www.tamos.com) - but I believe many do.

Some WiFi hardware also supports the WiFi Monitor Mode that can be used to capture other people's traffic, even from a computer that is not "connected" to the WiFi hub.

(Terminology: my "WiFi hub" = Wireless Access Point (WAP) - often built into a DSL router)
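A defender-side check that follows from Solution 2's points about promiscuous mode and monitor mode: an added Python example (not from this thread) that reads each Linux NIC's sysfs `flags` and `type` files and reports interfaces configured to receive frames not addressed to them. The IFF_* and ARPHRD_* constants are the real Linux values; the sysfs path assumes Linux, and the SAMPLE dictionary is constructed for illustration.

```python
"""Audit local Linux NICs for promiscuous or 802.11 monitor mode."""
import os

IFF_UP = 0x1          # interface is administratively up
IFF_PROMISC = 0x100   # interface accepts frames not addressed to its MAC
ARPHRD_ETHER = 1
# Linux ARPHRD link types that indicate a raw 802.11 (monitor-mode) interface
ARPHRD_80211_MONITOR = {801: "ieee80211", 802: "ieee80211_prism", 803: "ieee80211_radiotap"}
SYSFS_NET = "/sys/class/net"   # assumption: Linux sysfs layout

# Constructed sample of (flags, type) file contents, as sysfs would return them.
SAMPLE = {
    "eth0":  ("0x1003\n", "1\n"),    # UP|BROADCAST|MULTICAST, plain Ethernet
    "wlan0": ("0x1103\n", "1\n"),    # same plus IFF_PROMISC set
    "mon0":  ("0x1003\n", "803\n"),  # radiotap link type: monitor mode
}

def classify(flags_hex: str, arphrd_type: str) -> dict:
    """Decode one interface's sysfs 'flags' (hex) and 'type' (ARPHRD number)."""
    flags = int(flags_hex.strip(), 16)
    arphrd = int(arphrd_type.strip())
    link = ARPHRD_80211_MONITOR.get(arphrd)
    if link is None:
        link = "ethernet" if arphrd == ARPHRD_ETHER else f"arphrd_{arphrd}"
    return {
        "up": bool(flags & IFF_UP),
        "promiscuous": bool(flags & IFF_PROMISC),
        "monitor": arphrd in ARPHRD_80211_MONITOR,
        "link_type": link,
    }

def sniffing_interfaces(entries: dict) -> list:
    """Names of interfaces that can see traffic not addressed to them."""
    return sorted(name for name, (flags, typ) in entries.items()
                  if classify(flags, typ)["promiscuous"] or classify(flags, typ)["monitor"])

def read_sysfs() -> dict:
    """Collect (flags, type) for every interface under /sys/class/net."""
    entries = {}
    try:
        names = os.listdir(SYSFS_NET)
    except OSError:
        return entries
    for name in names:
        try:
            with open(f"{SYSFS_NET}/{name}/flags") as f, open(f"{SYSFS_NET}/{name}/type") as t:
                entries[name] = (f.read(), t.read())
        except OSError:
            continue
    return entries

if __name__ == "__main__":
    live = read_sysfs() or SAMPLE
    for name in sniffing_interfaces(live):
        print(f"{name}: {classify(*live[name])}")
```

IFF_PROMISC is set whenever any process has a promiscuous packet socket open (e.g. a capture tool run without `-p`), so this catches sniffers on hosts you administer, but it says nothing about other machines on the same hotspot, which can capture without touching your host at all.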