This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireless capture

OK, I don't know if I'm doing this wrong or if what I'm trying to do is even supported. What I'm trying to do is monitor packets on my WEP network. I am connected via wireless and I can pass traffic with no issues via wlan0. I start Wireshark in promiscuous mode on wlan0 and all I can see is broadcast, multicast and my (to/from) traffic. It's just like I'm on a switched network. I added the WEP key to the protocols options section under IEEE 802.11, still just the same. I have tested my wireless card with airmon-ng and it works fine (injection, capture and monitor mode). The card has the z1211b chipset using the z1211RW driver and firmware on Backtrack 5 r2.
So, my question is: Should I be able to see all traffic on the wireless network doing this? Do I need to put the card in monitor mode and capture on mon0 instead to make this work? Am I possibly having an issue with my wireless card that is causing the issue?

asked 27 Apr '12, 23:13

deets52


One Answer:

Correct, you have to put your card into monitor mode and capture on mon0 to see all packets instead of just broadcast+own traffic. Being connected to your own wireless network might also give you issues when capturing, so better make sure that you are just using plain monitor mode.

Stick to http://wiki.wireshark.org/CaptureSetup/WLAN for more details if needed.

answered 28 Apr '12, 05:11

Landi

First of all, thank you very much for your answer. I am confused by it, however. I did read the wiki that you linked to (several times) and that is one of the reasons I asked the question. The part I don't understand is:

Promiscuous mode
In promiscuous mode the MAC address filter mentioned above is disabled and all packets of the currently joined 802.11 network (with a specific SSID and channel) are captured, just as in traditional Ethernet.

This seems to work on Linux and various BSDs, including Mac OS X. On Windows, putting 802.11 adapters into promiscuous mode is usually crippled, see the Windows section below.

Promiscuous mode can be enabled in the Wireshark Capture Options.

Are you saying I can't do it or that I can do it, but you don't recommend it?
I thought monitor mode picks up all traffic of the given channel regardless of network or SSID. I will do more testing with monitor mode captures, but the limited test I did yesterday yielded very similar results.

(28 Apr '12, 10:09) deets52

You can try to use Wireshark's built-in option to enable promiscuous mode, but for wireless capturing I never really got this to work except with dedicated WiFi capture cards. I'm not saying it never works, just IF there are problems (like in your case) pre-enable monitor mode (not exactly the same as promiscuous mode) with airmon-ng and specify the right channel.

After that you can start Wireshark without setting promisc. mode (trying to set it might corrupt with mon. mode from airmon-ng with certain drivers).

(29 Apr '12, 13:04) Landi

Not really the answer I wanted, but that works for me. I was thinking that there was a problem with the card (drivers, firmware, etc.) since it is a z1211b card using the z1211RW drivers. I guess I will just need to work on the filters. The main reason I did not want to have to do that is because there are several "noisy" neighbors (wifi speaking) and to let the packet capture run too long creates too much overhead. Even though I can filter out what I don't want to see, it is still in the main capture file that grows way too large too quickly.
Thank you for taking the time to look at this and answer - I do appreciate your time. Keep up the good work and have a beer on me (or because of me) - I'll be having one as well.
CHEERS!

(29 Apr '12, 14:01) deets52
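
The procedure from the answer and comments above (monitor mode pre-enabled with airmon-ng on a fixed channel, then capturing on mon0 without promiscuous mode), combined with a BSSID capture filter and a ring buffer so neighbouring networks never reach the capture file. This is an added example, not part of the original thread; the `MON_IF` and `OUT` variables, the ring-buffer sizes and the output file name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Interface, channel and BSSID are
# supplied by the caller; MON_IF/OUT defaults and buffer sizes are assumptions.

# Validate a BSSID and print a libpcap capture filter that keeps only frames
# carrying it in one of the first three 802.11 address fields. Which field
# holds the BSSID depends on the To-DS/From-DS bits, so all three are checked.
bssid_filter() {
  bssid=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  if ! printf '%s' "$bssid" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
    echo "invalid BSSID: $1" >&2
    return 1
  fi
  printf 'wlan addr1 %s or wlan addr2 %s or wlan addr3 %s' \
    "$bssid" "$bssid" "$bssid"
}

main() {
  iface=$1
  channel=$2
  filter=$(bssid_filter "$3") || return 1

  # Pre-enable monitor mode on the AP's channel, as the answer advises.
  airmon-ng start "$iface" "$channel" || return 1

  # -p          do not request promiscuous mode (it can interfere with the
  #             monitor mode set up by airmon-ng on some drivers)
  # -f          capture filter: other networks are dropped before they are
  #             written, unlike a display filter applied afterwards
  # -b ...      ring buffer: 10 files of 51200 kB each, oldest overwritten
  dumpcap -p -i "${MON_IF:-mon0}" -f "$filter" \
    -b filesize:51200 -b files:10 -w "${OUT:-wlan.pcapng}"
}

# Only start a capture when called with: <interface> <channel> <bssid>
if [ "$#" -eq 3 ]; then
  main "$@"
fi
```

The filter matches on the 802.11 header, which WEP leaves unencrypted, so the WEP key configured under IEEE 802.11 in Wireshark still decrypts the saved frames.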