I'm using Wireshark on Backtrack and have a Broadcom 4322 Wifi Card running in monitor mode (airmon-ng). When I'm capturing the data of an open network, all packets seem to have the same protocol: 802.11. Also, I can't read any data in these packets. I guess that these packets actually belong to another protocol (http, tcp, ...); does anybody have an idea how I can get to that data? asked 31 Oct '12, 08:27 __TOXIC
2 Answers:
Well, if you're capturing in monitor mode on an 802.11 interface, obviously all packets will have 802.11 as a protocol. :-) What's happening is presumably that they don't have any higher-level protocols. Is this truly an "open" network in the sense that you don't have to supply a password to connect to it? If you have to supply a password, it's not "open" in that sense, and the packets are probably encrypted, in which case you need to supply the password to Wireshark so that it can decrypt them and, if it's a WPA or WPA2 network, rather than a WEP network, you also have to catch the initial setup packets when you connect (as that page notes). answered 31 Oct '12, 09:51 Guy Harris ♦♦ edited 31 Oct '12, 09:52
You are probably in monitor mode. When set to monitor mode, all I see are 802.11 protocol packets. See https://ask.wireshark.org/questions/22980/wireshark-only-shows-one-protocol-in-capture for an in-depth discussion. answered 30 Apr '17, 20:49 paolodm
As per my answers to this question and to the other question you pointed to, they're probably encrypted packets. (30 Apr '17, 20:58) Guy Harris ♦♦
That's what I meant, I only see 802.11 and a few ARP protocol packets.
Yes, it's really open; I also tried it with an encrypted wifi and supplying the passphrase - gave me the same result.
OK, that's very different from "every packet has 802.11 protocol"; apparently, those ARP packets, at least, aren't encrypted.
Are the other packets 802.11 data packets or are they management or control packets?
OK, I'm sorry, I'm just getting started with networks.
They are all management/control packets, so apparently the others are missing?
Possibly. Is there anybody else on the network fetching stuff from the Web or playing audio/video over the Web while you're capturing? Try capturing when you know somebody's fetching something big, and see whether that traffic shows up or not.
I just tried to capture while a youtube video was streaming on another pc - but wireshark didn't show anything except 802.11 and ARP.
Are all the packets you're seeing sent to a broadcast (or multicast?) MAC address? I.e., is the DA field ff:ff:ff:ff:ff:ff (or possibly another "group" address)?
No, only a few of them are broadcasts - most are unicasts.
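The checks that Guy Harris's answer and the comment thread walk through by hand (is a frame management, control or data; if data, is its Protected bit set, and is it WEP or WPA/WPA2; does the DA field hold a group address) can be done on raw frames without any key. The following is an added example, not code from the thread or from Wireshark. It assumes frames with no radiotap header and the FCS already stripped, does not handle the optional HT Control field, and works on sample frames constructed inline with hypothetical MAC addresses rather than on anything read from a card.

```python
"""Triage raw 802.11 frames: type, protection, DA group bit, and a diagnosis
matching the situations discussed in the thread. Sample frames are constructed."""
import struct
from collections import Counter

BROADCAST = b"\xff" * 6
FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"      # RFC 1042 encapsulation of plaintext data
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x888E: "EAPOL"}


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame):
    """Parse an 802.11 MAC header (assumption: no radiotap, no FCS, no HT Control)."""
    if len(frame) < 10:
        raise ValueError("shorter than the smallest 802.11 header (ACK/CTS)")
    fc, flags = frame[0], frame[1]
    ftype, subtype = (fc >> 2) & 0x03, (fc >> 4) & 0x0F
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    info = {"type": FRAME_TYPES[ftype], "subtype": subtype,
            "protected": bool(flags & 0x40)}   # the "Protected Frame" bit
    if ftype == 1:
        # Control frames carry only a receiver address and never a payload.
        da = frame[4:10]
        info.update(da=mac(da), da_group=bool(da[0] & 1), payload=b"")
        return info
    if len(frame) < 24:
        raise ValueError("management/data frame shorter than 24 bytes")
    # Address 1 is the DA unless ToDS is set, in which case Address 3 is.
    da = frame[16:22] if to_ds else frame[4:10]
    hdr_len = 24
    if to_ds and from_ds:
        hdr_len += 6                      # Address 4 present (WDS)
    if ftype == 2 and subtype & 0x08:
        hdr_len += 2                      # QoS Control present
    info.update(da=mac(da), da_group=bool(da[0] & 1), payload=frame[hdr_len:])
    return info


def classify_data(info):
    """What the body of a data frame holds: the distinction the answers turn on."""
    body = info["payload"]
    if info["protected"]:
        # Byte 3 of the body is the Key ID octet. TKIP/CCMP set its Ext IV bit
        # (0x20); a plain WEP IV never does, so no key is needed to tell them apart.
        if len(body) >= 4 and body[3] & 0x20:
            return "protected (WPA/WPA2: TKIP or CCMP)"
        return "protected (WEP)"
    if len(body) >= 8 and body.startswith(LLC_SNAP):
        ethertype = struct.unpack("!H", body[6:8])[0]
        return "plaintext " + ETHERTYPES.get(ethertype, f"ethertype 0x{ethertype:04x}")
    return "null or unrecognised plaintext"


def summarize(frames):
    """Count frames by kind, the question asked in the comment thread."""
    counts = Counter()
    for raw in frames:
        info = parse_frame(raw)
        if info["type"] != "data":
            counts[info["type"]] += 1
            continue
        counts["data: " + classify_data(info)] += 1
        counts["data to group address" if info["da_group"] else "data to unicast address"] += 1
    return counts


def diagnose(counts):
    """Map the counts onto the situations the answers describe."""
    data = sum(v for k, v in counts.items() if k.startswith("data: "))
    if data == 0:
        return "no data frames captured: only management/control, nothing above 802.11 to dissect"
    protected = sum(v for k, v in counts.items() if k.startswith("data: protected"))
    if protected == data:
        if any(k.startswith("data: protected (WPA") for k in counts):
            return "all data frames encrypted with WPA/WPA2: give Wireshark the passphrase and capture the client's EAPOL handshake"
        return "all data frames encrypted with WEP: give Wireshark the WEP key"
    return "plaintext data frames present: Wireshark should dissect the higher-layer protocols"


# Constructed sample frames with hypothetical MAC addresses (not from any capture).
AP = bytes.fromhex("001122334455")
STA = bytes.fromhex("66778899aabb")
OTHER = bytes.fromhex("ccddeeff0011")


def build(fc, flags, addr1, addr2, addr3, body=b"", qos=False):
    hdr = bytes([fc, flags, 0, 0]) + addr1 + addr2 + addr3 + b"\x10\x00"
    return hdr + (b"\x00\x00" if qos else b"") + body


BEACON = build(0x80, 0x00, BROADCAST, AP, AP, b"\x00" * 12)            # management, beacon
ACK = bytes([0xD4, 0x00, 0x00, 0x00]) + STA                              # control, ACK
ARP = build(0x08, 0x01, AP, STA, BROADCAST,                              # ToDS, plaintext ARP
            LLC_SNAP + b"\x08\x06" + b"\x00\x01\x08\x00\x06\x04\x00\x01")
CCMP = build(0x88, 0x42, STA, AP, AP,                                    # FromDS, QoS, CCMP
             b"\x01\x00\x00\x20\x00\x00\x00\x00" + b"\xde\xad" * 8, qos=True)
WEP = build(0x08, 0x41, AP, STA, OTHER, b"\x12\x34\x56\x00" + b"\xca\xfe" * 6)
SAMPLE_FRAMES = [BEACON, ACK, ARP, CCMP, WEP]

if __name__ == "__main__":
    counts = summarize(SAMPLE_FRAMES)
    for kind, n in sorted(counts.items()):
        print(f"{n:3d}  {kind}")
    print(diagnose(counts))
```

On a real capture the same split is what Wireshark's own display filters give you (`wlan.fc.type == 2` for data frames, `wlan.fc.protected == 1` for encrypted ones); the point of the script is to show which header bits those filters read, and why a capture of nothing but management and control frames has no higher-layer protocols to decrypt in the first place.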