How can I get Wireshark to see iPhone app commands?

For fun and edification I’m trying to use Wireshark to look at LIFX activity on my local network. When I run the iPhone app I can see it sending state requests and I can see the bulbs responding. But when I change something from the iPhone app (color, brightness, etc.) I don’t see any command coming from the app. I still just see state requests.

I’m guessing this is because the app is using state requests to keep its bulb status display current but is sending commands through the HTTP interface.

If that’s the case, is there a way to get Wireshark to show me commands coming from the HTTP interface?

Wireshark can only show packets that pass through the machine that is capturing the traffic. We do our best in our applications to avoid causing broadcast packets as these are unreliable on consumer Wifi networks. So most of the traffic from the application will not go via your Wireshark machine, and will only be seen by the bulb and the phone.

The applications do not use the HTTP API to control the bulbs.

Thanks for the clarification.

So you would need an AP that can tunnel traffic to a monitor IP, like Ruckus APs can, or maybe set a switch port into monitor mode and see if the traffic comes through there.

Simply setting the PC’s wifi into proximity mode will not be enough, as the traffic is not coming to that interface.

In the LIFX office we have some routers with OpenWRT on them. Because the router can see all the traffic on the wireless LAN, you can capture from there and see all the traffic. This is a nice cheap way to get a Wifi packet capture device.

You can even watch the traffic in Wireshark live using this command:

wireshark -k -i <(ssh -l root remote-host "dumpcap -P -w - -f 'not tcp port 22'")

You can read more details on the Wireshark remote capture wiki page.

I’ll keep that in mind if I see a cheap OpenWRT-compatible router for sale.

For the next 7 hours there is a nice Xiaomi router for sale at Alibaba for just US$26.

Instructions for installing OpenWRT on it are available on its OpenWRT wiki page.