I installed Wireshark on my Mac and tried to sniff the air for WLAN packets (802.11). I see packets that look like a higher level than what I expected. For example, I do not see Beacons or Association packets when I closed and opened my WiFi. On the other hand, I do see DNS packets and NBNS packets. Is there anything I need to configure to have this ability?

asked 29 Jan '13, 03:14 NimrodB
edited 29 Jan '13, 17:00 Guy Harris ♦♦
3 Answers:
Have you looked at the Wiki pages on WiFi and WLAN Capturing, particularly the section for Mac OS X?

answered 29 Jan '13, 03:34 grahamb ♦
edited 29 Jan '13, 03:36

I did, but could not find the answer. But I must say, most of what was written there I did not understand. (29 Jan '13, 05:37) NimrodB
I think I found the way! :) When double-clicking on the interface to use (in my case, e?1), I chose Display in Monitor Mode (or something like that). Then I chose to use 802.11 on the item that used to be gray, and that's it: I now see WLAN packets! (Wireshark removes most of the packet, which is a shame, but... that is still something.) :)

answered 29 Jan '13, 09:41 NimrodB

Yes, on OS X you have to be in monitor mode in order to see non-data 802.11 packets; when not in monitor mode, only data packets are captured, and they have fake Ethernet headers. Wireshark probably isn't removing most of the packet; in monitor mode, it captures packets other than packets to and from your machine, and doesn't supply decrypted packets. If you're on a WEP or WPA/WPA2 network, you'll need to supply the network key and capture the initial setup packets; see How To Decrypt 802.11. (29 Jan '13, 16:57) Guy Harris ♦♦

I looked at beacons from my AP and most of the data is not there. (Beacons are not encrypted.) That is why I think it removes/does not display all the data. If it's something in the Wireshark preferences, please let me know how to fix it. Thanks. (29 Jan '13, 23:36) NimrodB

Try capturing with tcpdump (to capture in monitor mode, use the -I (capital I) flag in OS X 10.6 and later; in 10.5, run "tcpdump -L", choose one of the 802.11 flavors from that list and use it with the -y flag), using "-i en1" (if the interface is en1) for all instances (including "tcpdump -L"), and, for the capture instance, using "-s 0" and "-w {pathname to file}". Then try opening the file tcpdump wrote with Wireshark. If you see the same results, as I suspect you will, it is NOT a problem with Wireshark; it's probably a problem with your Wi-Fi adapter or the driver. (30 Jan '13, 00:10) Guy Harris ♦♦
I think I understand what I see, for example the Beacon: Wireshark does read all the data, but it does not understand some of it. All the InfoElements sections it sees as DATA. Is there a way for it (Wireshark) to learn/know from the AP type/name the order of the data and the IEs? For example, for a Cisco AP the IE order is xyz, and for a TP AP the order is yzx...?

answered 30 Jan '13, 06:41 NimrodB
I managed to find how to display all WLAN data only (Analyze -> Enable Protocols -> 802.11). Now I see only data with a Protocol value of "Unknown", and in the Info column I have "WTAP_ENCAP". I can only assume this is my WiFi data, but Wireshark does not know how to decipher it (?)
You probably DISabled 802.11, which prevented Wireshark from dissecting 802.11 packets.
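For the beacon discussion in the third answer: the tagged parameters after the fixed beacon fields are a flat list of (element ID, length, value) triples, so a dissector identifies each element by its ID rather than by any AP-specific order, and a frame that was cut short shows up as an element whose declared length runs past the captured bytes. The parser below is an added example written for this page, not Wireshark code or anything posted in the thread; the sample frame, its BSSID and its SSID are constructed.

```python
import struct
from collections import namedtuple

# IEEE 802.11 element IDs decoded below; anything else is kept as a raw tag.
IE_NAMES = {0: "SSID", 1: "Supported Rates", 3: "DS Parameter Set", 48: "RSN"}

# ies: list of (tag, name, value); truncated: the tagged parameters end mid-element.
Beacon = namedtuple("Beacon", "bssid interval_tu capabilities ies truncated")

def parse_beacon(frame: bytes):
    """Parse a raw 802.11 beacon (no radiotap header, no FCS); None if not a beacon."""
    if len(frame) < 36:          # 24-byte MAC header + 12 bytes of fixed parameters
        return None
    fc, _dur, _a1, _a2, a3, _seq = struct.unpack_from("<HH6s6s6sH", frame, 0)
    if fc & 0x00FC != 0x0080:    # frame control: type 0 (management), subtype 8 (beacon)
        return None
    _ts, interval, caps = struct.unpack_from("<QHH", frame, 24)   # timestamp, interval, capabilities
    ies, off, truncated = [], 36, False
    while off + 2 <= len(frame):          # each element is tag, length, value
        tag, length = frame[off], frame[off + 1]
        value = frame[off + 2:off + 2 + length]
        if len(value) < length:           # element claims more bytes than were captured
            truncated = True
            break
        ies.append((tag, IE_NAMES.get(tag, f"Tag {tag}"), value))
        off += 2 + length
    truncated = truncated or off != len(frame)    # also flags a stray trailing byte
    return Beacon(":".join(f"{b:02x}" for b in a3), interval, caps, ies, truncated)

def summarize(beacon: Beacon) -> dict:
    # Decode the elements a practitioner looks at first; unknown tags stay raw bytes.
    out = {"bssid": beacon.bssid, "interval_tu": beacon.interval_tu,
           "truncated": beacon.truncated, "ie_names": [name for _, name, _ in beacon.ies]}
    for tag, _name, value in beacon.ies:
        if tag == 0:
            out["ssid"] = value.decode("utf-8", "replace")
        elif tag == 3 and len(value) == 1:
            out["channel"] = value[0]
    return out

def _ie(tag: int, value: bytes) -> bytes: return bytes([tag, len(value)]) + value

# Constructed sample beacon (not a real capture): broadcast destination, locally administered
# BSSID, SSID "HomeNet", 802.11b/g rates, channel 6, RSN element (CCMP, PSK authentication).
SAMPLE_BEACON = (
    struct.pack("<HH6s6s6sH", 0x0080, 0, b"\xff" * 6, bytes.fromhex("02112233aabb"),
                bytes.fromhex("02112233aabb"), 0x0010)
    + struct.pack("<QHH", 123456789, 100, 0x0411)
    + _ie(0, b"HomeNet") + _ie(1, bytes([0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24]))
    + _ie(3, bytes([6])) + _ie(48, bytes.fromhex("0100000fac040100000fac040100000fac020000"))
)
```

Feeding `SAMPLE_BEACON[:-5]` to `parse_beacon` returns the three complete elements and `truncated=True`, which is the symptom to look for when a capture appears to drop beacon contents.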