This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capture WLAN-traffic using Wireshark

0

I'm trying to understand how to capture traffic on my WLAN (WPA2) using Wireshark. I can see the traffic going to and from my Backtrack-PC and Wireshark is able to decrypt it (using the WPA-password and the four EAPOL Key msgs), but I can't see any traffic going from other clients on the network. If I deauth a client from my BT-PC I only get two EAPOL Key msgs, 1/4 and 3/4; it's missing key 2/4 and 4/4. Why is that?

I've tried different approaches listening on both wlan0 and mon0 but no luck. It seems to me that Wireshark can only capture the WPA-handshake going from the client to the AP and not vice versa. I can't get any data-traffic (like http) from my clients.

Am I doing something wrong here or is it just impossible to capture traffic on WLAN encrypted with WPA2?

This is my config: BackTrack 5 R1 running on a PC with an Alfa AWUS036H (the computer running Wireshark). AP is an ASUS RT-N56U. Clients: one laptop running BackTrack 5 R1 and one Android phone.

BT tools used: Wireshark (sniffer), airmon-ng (to switch wlan0 into monitor mode), aireplay-ng (to deauth).

asked 18 Aug '12, 03:10


Ziggemannen
6113
accept rate: 0%


2 Answers:

2

To verify that your capture setup is working please try the following setup:

  • Make sure you're not using 802.11n since the AWUS036H isn't .n capable
  • Setup mon0 using airmon-ng
  • Use airodump-ng on mon0 with '-c' for the channel and '--bssid' for the AP's MAC address, and write the output into a capture file with '-w'.

Compare that trace with your prior tests; if there are more frames in it, you might have an issue with Wireshark fiddling with the monitor mode. In any case, try not to enable the "promiscuous mode" setting in Wireshark when capturing from your mon0 interface and see if that helps.

The AWUS036H is perfectly capable of sniffing WPA2/AES traffic, that should not be an issue. Try to limit your AP to 802.11g for testing purposes.

answered 20 Aug '12, 05:00


Landi
2.3k51442
accept rate: 28%

edited 20 Aug '12, 05:01

Thank you! It was as simple as setting the AP to 802.11g. Now I can see my other clients' traffic, and after a successful handshake capture, Wireshark can decrypt the packets.

(21 Aug '12, 10:17) Ziggemannen

0

WLAN is not my specialty, but keep in mind that the WiFi adapter basically works in half duplex mode, so if you're using it as a communication device (and not just as a passive capture card) your outgoing traffic will prevent reading other (incoming) packets at the same time - because the card can either receive or send data (not both). Have you tried removing all IP addresses from your WiFi NIC to see if it works as a capture-only card?

answered 18 Aug '12, 03:20


Jasper ♦♦
23.8k551284
accept rate: 18%

edited 18 Aug '12, 03:21

With BackTrack and the Alfa AWUS036H you can set the card into monitor-mode, that way it should listen to all traffic going through the air.

(18 Aug '12, 03:33) Ziggemannen

I've just upgraded Wireshark to version 1.8.1 and now I occasionally get all four EAPOL packets when a client connects to the AP, but I still can't see any data traffic coming from the client in Wireshark. If I fire up a web browser and start surfing on the client, all Wireshark gets is "Request-to-send" and "802.11 Block Ack".

(18 Aug '12, 13:23) Ziggemannen
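The asker's symptom (only 1/4 and 3/4 captured, so Wireshark cannot derive the PTK and decrypt) can be checked directly from the EAPOL-Key frames in a capture. The following is an added example, not code from the question or the answers: it classifies each EAPOL-Key payload by its Key Information flags and reports which handshake messages are missing and which side sends them. The sample frames are constructed, with zeroed nonces and MICs, and the function names are this example's own.

```python
"""Classify EAPOL-Key frames and report which 4-way handshake messages a capture holds."""
import struct

EAPOL_KEY = 3            # EAPOL packet type for EAPOL-Key
EAPOL_KEY_MIN_LEN = 99   # 4-byte EAPOL header + 95-byte key descriptor body
# Key Information flags of the EAPOL-Key frame (IEEE 802.11)
PAIRWISE, INSTALL, ACK, MIC, SECURE = 0x0008, 0x0040, 0x0080, 0x0100, 0x0200
# Who transmits each message: 1/4 and 3/4 come from the AP, 2/4 and 4/4 from the client
SENDER = {1: "AP", 2: "client", 3: "AP", 4: "client"}

def eapol_key_message(eapol: bytes):
    """Return 1..4 for a 4-way handshake message, or None if not a pairwise EAPOL-Key frame."""
    if len(eapol) < EAPOL_KEY_MIN_LEN or eapol[1] != EAPOL_KEY:
        return None
    key_info = struct.unpack("!H", eapol[5:7])[0]   # eapol[4] is the descriptor type
    if not key_info & PAIRWISE:
        return None  # group key handshake, not part of the 4-way exchange
    ack, mic, secure, install = (bool(key_info & f) for f in (ACK, MIC, SECURE, INSTALL))
    if ack and not mic:
        return 1
    if ack and mic and install:
        return 3
    if mic and not ack:
        return 4 if secure else 2
    return None

def handshake_report(frames):
    """Return (seen, missing) sets of message numbers across a list of EAPOL payloads."""
    seen = {m for m in map(eapol_key_message, frames) if m}
    return seen, set(SENDER) - seen

def constructed_eapol_key(key_info: int) -> bytes:
    """Build a minimal EAPOL-Key frame (RSN descriptor, zeroed nonces/MIC); constructed test data."""
    body = bytes([2]) + struct.pack("!H", key_info) + bytes(92)
    return bytes([2, EAPOL_KEY]) + struct.pack("!H", len(body)) + body

# Constructed sample matching the question: only 1/4 and 3/4 were captured.
SAMPLE_CAPTURE = [constructed_eapol_key(0x008A), constructed_eapol_key(0x13CA)]

if __name__ == "__main__":
    seen, missing = handshake_report(SAMPLE_CAPTURE)
    print("seen:", sorted(seen))
    for m in sorted(missing):
        print(f"missing {m}/4 (sent by the {SENDER[m]})")
```

Run against the constructed sample it reports 2/4 and 4/4 missing, both client-sent, which is exactly the pattern a half-duplex or 802.11n-blind capture card produces.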