ESP To Wireshark

Everyone’s favorite packet sniffing tool, Wireshark, has been around for almost two decades now. It’s one of the most popular network analysis tools available, partially due to it being free and open source. Its popularity guaranteed that it would eventually be paired with the ESP32/8266, the rising star of the wireless hardware world, and [spacehuhn] has finally brought these two tools together to sniff WiFi packets.

The library that [spacehuhn] created uses the ESP chip to save Pcap files (the default Wireshark filetype) onto an SD card or send the data over a serial connection. The program runs once every 30 seconds, creating a new Pcap file each time. There are many example scripts for the various hardware you might be using, and since this is written for the ESP platform it’s also Arduino compatible. [spacehuhn] has written this as a proof-of-concept, so there are some rough edges still, but this looks very promising as a network analysis tool.

[spacehuhn] is no stranger to wireless networks, either. His YouTube channel is full of interesting videos of him exploring various exploits and testing other pieces of hardware. He’s also been featured here before for using an ESP8266 as a WiFi jammer.

13 thoughts on “ESP To Wireshark

  1. ESP – the magic chip from china that we have NO IDEA what is really going on inside.

    yeah, I’m going to use such a thing to sniff packets. yeah, good idea. it won’t phone anything home. nope.


    nice hacker chip, but its something to be kept on a leash, so to speak. very limited amount of trust in any silicon, these days; but especially china-sourced and designed chips.

    1. Pfft! And you call yourself a hacker. You’re suppose to strip it down to the silicon, take pictures, reverse-engineer it, and then write it up in the :-p

    2. If you’re worried that something may phone home, why don’t you do something such as running Wireshark or another packet sniffer of your choice say on a box configured as an edge router ( or possibly a mirrored port of a switch, depending on your network configuration)? You could also simply set up firewall rules to block it from connecting to the outside world.

    3. Paranoid much?

      You could make that argument for any wifi chipset, to cell phone, to laptop or desktop. It a the false dichotmy of “since I can’t prove it doesn’t then it must be true”

      Except in this case it is quite easy prove just by sniffing the data. Not to mention you can load your own firmware and this is one of the most studied chips in use. And if you were really into tin hats it just isn’t feasible that somewhere deep inside the silicon there is a special set of conditions to be capturing all of your data and covertly sending it out a year later. There just isn’t the memory to be doing this.

      Point is why bother making an uninformed comment like this to begin with?

      I’m not worried that espress is doing something as ludicrous as you’re implying as much as trying to figure out why it is more advantageous than just doing this all on my laptop as usual without it.

    4. Obvious troll is obvious. But sure, I’ll bite.

      If it wanted to phone home with the sniffed packets, it would already sniff packets on its own. OP using it to sniff packets doesn’t add anything to the risk, simply powering it on would be the dangerous step.

      Unless it phoned home memory snapshots or something? But if you designed a WiFi chip with the sole purpose to sell in bulk and spy with, would you design it to send potentially meaningless, hard to analyze RAM dumps or easy to analyze packet captures?

      Also, on what channel would it phone home? User’s WiFi network may be monitored, by now someone would have noticed it, plus it would make A HUGE congestion on the network if it would duplicate every packet. (Also a lot of people have two or more of them on the same network.) Hidden GSM modem? Too much power, no good antenna, huge data costs, someone would have noticed it by now, plus they probably would have let us use the GSM modem so that the chip would get even more popular.

    5. Erm, devils advocate here, but if the ESP32 can sniff packets when you tell it to, why wouldn’t it sniff packets when you’re using it normally? I get the ‘I don’t trust me no Chinese stuff’ angle, but it’s a weird thing that you overestimate who-you-think-is-the-enemy by thinking they have extremely sneaky ways to exfiltrate the secret data but underestimate them by thinking it only goes sniffing for that data when you tell it to.

      Also, please stop tempting me… it would be soooo easy to sneak a ‘sniff_secrets_and_send_to_motherland_china’ stub function into the WiFi libraries and see the Internet shit itself… must… stay…. good.

  2. Donning flame suit. Hey guys, someone made a mistake and none of you flatly said it’s impossible. Is it really necessary to flame him for the comment? A little cool would go a long way here. This is a great site with great people. Just saying…

  3. Just playing devil’s advocate, a general “kill-switch” is easily implemented in silicon and nearly impossible to detect. Imagine a world full of ESP32 IOT stuff and some “rogue nation” wants to wreak havoc by disabling our “smart stuff”… POC! :-)
    Or a commercial company that wants to sell new stuff by “randomly disabling” their old stuff!? Possible?

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.