This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Every Packet has 802.11 Protocol

0

I'm using Wireshark on Backtrack and have a Broadcom 4322 Wifi Card running in monitor mode (airmon-ng). When I'm capturing the data of an open network, all packets seem to have the same protocol: 802.11. Also, I can't read any data in these packets. I guess that these packets actually belong to another protocol (HTTP, TCP, ...). Does anybody have an idea how I can get to that data?

asked 31 Oct '12, 08:27

__TOXIC


2 Answers:

3

Well, if you're capturing in monitor mode on an 802.11 interface, obviously all packets will have 802.11 as a protocol. :-)

What's happening is presumably that they don't have any higher-level protocols.

Is this truly an "open" network in the sense that you don't have to supply a password to connect to it? If you have to supply a password, it's not "open" in that sense, and the packets are probably encrypted, in which case you need to supply the password to Wireshark so that it can decrypt it and, if it's a WPA or WPA2 network, rather than a WEP network, you also have to catch the initial setup packets when you connect (as that page notes).

answered 31 Oct '12, 09:51

Guy Harris ♦♦

edited 31 Oct '12, 09:52

That's what I meant, I only see 802.11 and a few ARP protocol packets.

Yes, it's really open. I also tried it with an encrypted wifi and supplying the passphrase - gave me the same result.

(31 Oct '12, 11:29) __TOXIC

"I only see 802.11 and a few ARP protocol packets."

OK, that's very different from "every packet has 802.11 protocol"; apparently, those ARP packets, at least, aren't encrypted.

Are the other packets 802.11 data packets or are they management or control packets?

(31 Oct '12, 11:45) Guy Harris ♦♦

OK, I'm sorry, I'm just getting started with networks.

They are all management/control packets, so apparently the others are missing?

(31 Oct '12, 12:14) __TOXIC

Possibly. Is there anybody else on the network fetching stuff from the Web or playing audio/video over the Web while you're capturing? Try capturing when you know somebody's fetching something big, and see whether that traffic shows up or not.

(31 Oct '12, 12:29) Guy Harris ♦♦

I just tried to capture while a YouTube video was streaming on another PC - but Wireshark didn't show anything except 802.11 and ARP.

(31 Oct '12, 13:28) __TOXIC

Are all the packets you're seeing sent to a broadcast (or multicast?) MAC address? I.e., is the DA field ff:ff:ff:ff:ff:ff (or possibly another "group" address)?

(31 Oct '12, 14:23) Guy Harris ♦♦

No, only a few of them are broadcasts - most are unicasts.

(01 Nov '12, 04:25) __TOXIC

0

You are probably in monitor mode. When set to monitor mode, all I see are 802.11 protocol packets.

See https://ask.wireshark.org/questions/22980/wireshark-only-shows-one-protocol-in-capture for an in-depth discussion.

answered 30 Apr '17, 20:49

paolodm

"When set to monitor mode, all I see are 802.11 protocol packets."

As per my answers to this question and to the other question you pointed to, they're probably encrypted packets.

(30 Apr '17, 20:58) Guy Harris ♦♦
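
Added example (not part of the original thread and not Wireshark code): a Python script that runs the checks asked about in the comments above over raw 802.11 headers, namely whether a frame is management, control or data, whether a data frame has the Protected bit set, and whether its destination is a group address. It assumes the radiotap header has already been stripped; the function names, sample frames and MAC addresses are constructed for illustration.

```python
from collections import Counter

TYPES = {0: "management", 1: "control", 2: "data"}

def classify(frame: bytes) -> dict:
    """Classify one 802.11 MAC frame (radiotap header already stripped)."""
    if len(frame) < 10:
        raise ValueError("shorter than the smallest 802.11 header")
    fc0, flags = frame[0], frame[1]
    ftype = TYPES.get((fc0 >> 2) & 0x3, "reserved")
    # Address 1 is the receiver. For data frames sent towards the AP
    # (ToDS set) the final destination (DA) is Address 3 instead.
    da = frame[4:10]
    if ftype == "data" and flags & 0x01:
        if len(frame) < 24:
            raise ValueError("truncated data frame header")
        da = frame[16:22]
    return {
        "type": ftype,
        "subtype": fc0 >> 4,
        "protected": bool(flags & 0x40),  # set when the frame body is encrypted
        "da": da.hex(":"),
        "group": bool(da[0] & 0x01),      # broadcast or multicast destination
    }

def triage(frames) -> Counter:
    """Count frames per category, splitting data frames by the Protected bit."""
    counts = Counter()
    for frame in frames:
        info = classify(frame)
        key = info["type"]
        if key == "data":
            key += "-protected" if info["protected"] else "-clear"
        counts[key] += 1
        if info["group"]:
            counts["group-addressed"] += 1
    return counts

# Constructed sample headers (locally administered, made-up MAC addresses).
AP, STA, BCAST = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), b"\xff" * 6
SAMPLES = [
    bytes([0x80, 0x00, 0, 0]) + BCAST + AP + AP + b"\x00\x00",   # beacon
    bytes([0xD4, 0x00, 0, 0]) + STA,                             # ACK
    bytes([0x88, 0x42, 0, 0]) + STA + AP + AP + b"\x00\x00",     # protected QoS data, AP to station
    bytes([0x08, 0x01, 0, 0]) + AP + STA + BCAST + b"\x00\x00",  # clear data, station to broadcast
]

if __name__ == "__main__":
    print(dict(triage(SAMPLES)))
```

Frames counted as `data-protected` are the ones Wireshark lists only as 802.11 until it is able to decrypt them.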