This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi all, I'm a novice in Wireshark. I apologize if this question is silly. The problem is that when I turn on the Wi-Fi monitor mode and choose an appropriate channel, Wireshark can catch 802.11 management packets such as beacon, probe_request, but it can't catch any user data packets such as the TCP packets. After I turn the Wi-Fi back to managed mode and connect to an AP, I can catch user data packets again. Is this the way I should expect Wireshark to behave? Thank you.

asked 03 Oct '12, 11:30

caesarxuchao
6113
accept rate: 0%

Hi

Is there any news about this topic? I have the same problem.

Thanks

(31 Oct '12, 11:56) Noury

is there any news about this topic because i have the same problem

Are you on a WEP, WPA, or WPA2 network? If so, see my answer.

(31 Oct '12, 11:58) Guy Harris ♦♦

On what operating system are you running Wireshark, and what type of 802.11 adapter do you have?

And are you seeing no data frames at all, or are the data frames just showing up as "Data" or "QoS Data" or..., without being dissected as, for example, TCP? If they're just showing up as "Data" and the like, the problem is that the networks you're listening to are "protected", i.e. using WEP or WPA, and you'd have to follow these instructions for decrypting packets on protected 802.11 networks.

answered 03 Oct '12, 19:10

Guy Harris ♦♦
17.4k335196
accept rate: 19%

Thank you Guy Harris! This solves the problem. I shouldn't expect Wireshark to decipher the WPA2 key automatically :)

P.S. For people who are going to do the same thing, be sure to notice this sentence in the webpage Guy Harris pointed to: "WPA and WPA2 use keys derived from an EAPOL handshake to encrypt traffic. Unless all four handshake packets are present for the session you're trying to decrypt, Wireshark won't be able to decrypt the traffic. You can use the display filter eapol to locate EAPOL packets in your capture."

(03 Oct '12, 20:13) caesarxuchao
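
The "all four handshake packets" condition quoted in the comment above can be checked from the Key Information field of each EAPOL-Key frame. The following is an added example, not part of the original thread and not Wireshark's code; the function names are hypothetical, the frames are constructed, and it assumes every frame passed in belongs to one client/AP session.

```python
import struct

# Key Information flag bits of an EAPOL-Key frame (IEEE 802.11)
PAIRWISE, ACK, MIC, SECURE = 0x0008, 0x0080, 0x0100, 0x0200

def handshake_message(eapol: bytes) -> int:
    """Return 1-4 for a 4-way handshake message, 0 for anything else.

    `eapol` starts at the 802.1X version byte (after the LLC/SNAP header).
    """
    if len(eapol) < 99 or eapol[1] != 3:       # 802.1X type 3 = EAPOL-Key
        return 0
    (key_info,) = struct.unpack_from(">H", eapol, 5)
    (data_len,) = struct.unpack_from(">H", eapol, 97)
    if not key_info & PAIRWISE:                # group-key handshake, not 4-way
        return 0
    ack, mic = bool(key_info & ACK), bool(key_info & MIC)
    if ack:                                    # Ack is set by the AP
        return 3 if mic else 1
    if mic:                                    # sent by the client
        # Message 2 carries key data (the RSN/WPA IE); message 4 carries
        # none, and on WPA2 it also has the Secure bit set.
        return 4 if (key_info & SECURE or data_len == 0) else 2
    return 0

def missing_messages(frames) -> list:
    """Handshake messages (1-4) absent from one client/AP session."""
    return sorted({1, 2, 3, 4} - {handshake_message(f) for f in frames})

def make_frame(key_info: int, key_data: bytes = b"") -> bytes:
    """Build a constructed EAPOL-Key frame with zeroed nonce, IV and MIC."""
    body = (struct.pack(">BHH", 2, key_info, 16)   # descriptor, key info, key len
            + bytes(8 + 32 + 16 + 8 + 8 + 16)      # replay ctr, nonce, IV, RSC, ID, MIC
            + struct.pack(">H", len(key_data)) + key_data)
    return struct.pack(">BBH", 2, 3, len(body)) + body

# Constructed sample: typical WPA2 Key Information values, message 4 not captured
SAMPLE = [make_frame(0x008A), make_frame(0x010A, bytes(22)),
          make_frame(0x13CA, bytes(56))]

if __name__ == "__main__":
    print("messages seen:", [handshake_message(f) for f in SAMPLE])
    print("missing:", missing_messages(SAMPLE))
```

A non-empty result from `missing_messages` means the capture has to be restarted before the client associates, so that the whole handshake is recorded.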

Unfortunately, this can occur on some OSes and with some wireless cards. See the WLAN Capture page on the Wiki for more info.

answered 03 Oct '12, 11:40

grahamb ♦
19.8k330206
accept rate: 22%

Thanks. But the page only says some wireless cards cannot turn on monitor mode and are thus not capable of capturing non-data packets. My specific problem is the contrary: I can capture non-data packets but not data packets.

(03 Oct '12, 11:58) caesarxuchao

Hello, can you check the box "Capture packets in monitor mode" in Capture Options, or do you have an error message?

answered 19 Nov '12, 08:28

chuinul
1
accept rate: 0%

I've found that you can miss data packets due to a feature mismatch between the capture hardware and the sending hardware and associated AP.

The problem I ran into was trying to capture 802.11n HT mode packets on a non-HT capable device - so it was seeing the management traffic, but when data packets were sent in HT mode they weren't being seen. My solution was to disable HT mode on the AP. Alternatively, one could obtain a more advanced WiFi card/dongle for the capture machine.

answered 11 Jun '15, 08:16

pierz
6112
accept rate: 0%


question asked: 03 Oct '12, 11:30

question was seen: 26,590 times

last updated: 11 Jun '15, 08:16
