This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Packet Source and Destination when in Monitor Mode

0

Hi, probably a n00b question, but I can't find an answer to it.

I have my Wireshark installed on Ubuntu within VMware Workstation. I activated monitor mode on mon0 with airmon-ng. When I'm listening on that interface (mon0), all I can see is the 802.11 protocol, and Source/Destination addresses are not displayed as regular IP addresses, so I can't figure out where the traffic originated from and where it is going (no IP information).

Is it possible to somehow get frames with their source and destination IP addresses?

Thanks for any help.

asked 21 Jul '13, 02:25

Mate Strgacic
accept rate: 0%


One Answer:

0

On a protected network (one using WEP or WPA/WPA2), the packets are encrypted (the whole point of protected networks is to make it hard to sniff traffic on them!), and, when captured in monitor mode, what's captured is the encrypted data. You will have to configure Wireshark to decrypt the traffic and, for WPA/WPA2 networks, for each machine whose traffic you want to decrypt, you will need to capture the initial handshake done when the machine joins the network (so you might have to turn your own, and other machines', Wi-Fi interfaces off and on again, or put them to sleep and wake them up again, to force them to re-join the network).

answered 21 Jul '13, 12:43

Guy Harris ♦♦
accept rate: 19%

Thank you very much. That's exactly the info I was looking for.

(22 Jul '13, 07:58) Mate Strgacic

@Mate Strgacic Your "answer" has been converted to a comment as that's how this site works. Please read the FAQ for more information.

Also, if an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. The FAQ also has more information on this.

(22 Jul '13, 08:08) grahamb ♦
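
Why a monitor-mode capture of a protected network shows only 802.11 and no IP addresses, as an added example that is not part of the original thread: the sketch below reads the 802.11 frame control field and only looks for an IP header when the Protected bit is clear. The function name `classify_80211` and the three sample frames are constructed for illustration; it assumes the radiotap header and FCS are already stripped and ignores the optional HT Control field.

```python
import ipaddress
import struct

LLC_SNAP = bytes.fromhex("aaaa03000000")  # LLC/SNAP header that precedes the EtherType

def classify_80211(frame: bytes) -> dict:
    """Classify one 802.11 frame (radiotap header and FCS already stripped)."""
    if len(frame) < 24:
        return {"kind": "truncated"}
    fc0, flags = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 2:
        return {"kind": "non-data"}            # management or control frame
    hdr_len = 24
    if (flags & 0x03) == 0x03:
        hdr_len += 6                           # ToDS+FromDS: fourth address present
    if subtype & 0x8:
        hdr_len += 2                           # QoS Control field
    if flags & 0x40:
        # Protected bit set: the body is WEP/TKIP/CCMP ciphertext, so the
        # LLC/SNAP and IP headers cannot be read without decryption keys.
        return {"kind": "encrypted-data"}
    body = frame[hdr_len:]
    if len(body) < 8 or body[:6] != LLC_SNAP:
        return {"kind": "data-other"}          # e.g. null data frame with no body
    (ethertype,) = struct.unpack("!H", body[6:8])
    payload = body[8:]
    if ethertype == 0x888E:
        return {"kind": "eapol"}               # handshake frames Wireshark needs for WPA/WPA2
    if ethertype == 0x0800 and len(payload) >= 20:
        return {"kind": "ipv4",
                "src": str(ipaddress.IPv4Address(payload[12:16])),
                "dst": str(ipaddress.IPv4Address(payload[16:20]))}
    return {"kind": "data-other"}

def _hdr(fc0: int, flags: int) -> bytes:
    """Build a 24-byte 802.11 header with zeroed duration, addresses and sequence."""
    return bytes([fc0, flags]) + bytes(22)

# Constructed sample frames (not taken from any real capture).
IPV4_HDR = bytes.fromhex("450000140000000040010000") + bytes([192, 168, 1, 10, 192, 168, 1, 1])
PROTECTED_FRAME = _hdr(0x88, 0x41) + bytes(2) + bytes(8) + b"\x5a" * 32   # QoS data, Protected
OPEN_IPV4_FRAME = _hdr(0x08, 0x01) + LLC_SNAP + b"\x08\x00" + IPV4_HDR    # open network
EAPOL_FRAME = _hdr(0x08, 0x02) + LLC_SNAP + b"\x88\x8e" + bytes.fromhex("0203005f")

if __name__ == "__main__":
    for name in ("PROTECTED_FRAME", "OPEN_IPV4_FRAME", "EAPOL_FRAME"):
        print(name, classify_80211(globals()[name]))
```

Seeing `encrypted-data` frames for a station with no `eapol` frames from it means the handshake was not captured, which is the situation the answer describes.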