This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How can I capture non-data packets (Beacon, Associate, etc.) on OS X?

0

I installed the Wireshark on my MAC and tried to sniff the air for WLAN packets (802.11) I see packets that looks like a higher level than what I expected For ex. I do not see Beacons or do not see Association packets when I closed and opened my WiFi. On the other hand, I do see DNS packets and NBNC packets.

Is there anything I need to configure to have this ability?

asked 29 Jan '13, 03:14

NimrodB's gravatar image

NimrodB
1112
accept rate: 0%

edited 29 Jan '13, 17:00

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196

I managed to find how to display all WLAN data only (Analyze -> Enable Protocols -> 802.11) Now I see only data with Protocol value of "Unknown" and in the Info value I have "WTAP_ENCAP". I can only assume this is my WiFi data but the Wireshark does not know how to decipher it (?)

(29 Jan '13, 03:33) NimrodB

I managed to find how to display all WLAN data only (Analyze -> Enable Protocols -> 802.11)

You probably DISabled 802.11, which prevented Wireshark from dissecting 802.11 packets.

(29 Jan '13, 16:59) Guy Harris ♦♦

3 Answers:

0

Have you looked at the Wiki pages on WiFi and WLAN Capturing, particularly the section for Mac OS X?

answered 29 Jan '13, 03:34

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

edited 29 Jan '13, 03:36

I did but could not find the answer. But I must say - most of what was written there - I did not understand

(29 Jan '13, 05:37) NimrodB

0

I think I found the way! :) When double clicking on the interface to use (in my case - e?1) - I chose Display in Monitor Mode (or something like that) Then I choose to use 802.11 on the item that used to be gray.

and that's it - I now see WLAN packets!

(Wireshark removes most of the packet which is a shame but... that is still something) :)

answered 29 Jan '13, 09:41

NimrodB's gravatar image

NimrodB
1112
accept rate: 0%

Yes, on OS X you have to be in monitor mode in order to see non-data 802.11 packets; when not in monitor mode, only data packets are captured, and they have fake Ethernet headers.

Wireshark probably isn't removing most of the packet; in monitor mode, it captures packets other than packets to and from your machine, and doesn't supply decrypted packets. If you're on a WEP or WPA/WPA2 network, you'll need to supply the network key and capture the initial setup packets; see How To Decrypt 802.11.

(29 Jan '13, 16:57) Guy Harris ♦♦

I looked at beacons from my AP and most of the data is not there. (Beacons are not encrypted) That is why I think it removes/do not display all the data.

If it's something in the Wireshark preferences - please let me know how to fix it.

thanks.

(29 Jan '13, 23:36) NimrodB

Try capturing with tcpdump (to capture in monitor mode, use the -I (capital I) flag in OS X 10.6 and later, and do "tcpdump -L" and then choose one of the 802.11 flavors from that list and use it with the -y flag in 10.5), using "-i en1" (if the interface is en1) for all instances (including "tcpdump -L"), and, for the capture instance, using "-s 0" and "-w {pathname to file}".

Then try opening the file tcpdump wrote to with Wireshark.

If you see the same results, as I suspect you will, it is NOT a problem with Wireshark, it's probably a problem with your Wi-Fi adapter or the driver.

(30 Jan '13, 00:10) Guy Harris ♦♦

0

I think I understand what I see - for ex. - the Beacon: The Wireshark does read all the data - but it does not understand some of it. All the InfoElements sections he sees as DATA. Is there a way for him (Wireshark) to learn/know from the AP type/name the order of the data and the IEs? For ex. Cisco AP - the IE order is xyz; and TP AP the order is yzx...?

answered 30 Jan '13, 06:41

NimrodB's gravatar image

NimrodB
1112
accept rate: 0%