This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark can’t get the ip.src when capture packets on wlan


Hello! Recently I have been trying to capture packets with tshark. I executed airmon-ng start wlan0 to set my wireless network card to monitor mode, and then executed tshark -i mon0 -Tfields -e frame.time_relative -e frame.len -e radiotap.datarate -e radiotap.dbm_antsignal -e ip.src -e ip.dst -Eseparator=# >channel_6.txt -a duration:10 &, but ip.src and ip.dst don't display anything. I tried using -V and found that IP was not parsed. If I don't set my wireless network card to monitor mode, radiotap doesn't display anything, but I can get the ip.src. Please help me, and sorry for my poor English! Thanks again!

asked 25 Sep '13, 09:16

btk913
accept rate: 0%

edited 25 Sep '13, 09:49

grahamb ♦


One Answer:

monitor mode ... ip.src and ip.dst don't display anything

If your network is "protected", meaning it's using WEP or WPA/WPA2, the traffic on it is encrypted and, if you capture in monitor mode, the packets you get will not have been decrypted. You will have to configure TShark to decrypt it; see the Wireshark Wiki "how to decrypt 802.11" page. If you configure Wireshark, you've also configured TShark, as the configuration information is used by both of them. You could also configure that information by editing the Wireshark preferences file, but that's a more complicated process. Other parts of that, such as the requirement to capture the initial EAPOL handshake, also apply, so you may need to disconnect machines from the network and then reconnect them, or put them to sleep and wake them up, to force the handshake to occur. This even applies to the machine running TShark if you want to capture and decrypt its traffic.

answered 25 Sep '13, 16:40

Guy Harris ♦♦
accept rate: 19%
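The decryption set-up the answer refers to, as an added example that is not part of the original thread or of Wireshark's own code: it derives the WPA/WPA2 PSK from a passphrase and SSID the way WPA-PSK specifies (PBKDF2-HMAC-SHA1, 4096 rounds), hands it to TShark as a "wpa-psk" key via -o overrides, rebuilds the asker's field-extraction command with those options, and counts EAPOL frames in a saved capture so you can confirm the 4-way handshake was actually captured. The preference names used (wlan.enable_decryption and the 80211_keys key table) are assumed to match the Wireshark/TShark version in use; the passphrase/SSID pair "password"/"IEEE" is the published IEEE 802.11i test vector, and the interface name mon0 and duration are taken from the question.

```python
"""Added example (not from the original thread): WPA-PSK derivation plus the
TShark options and handshake check needed to decrypt 802.11 captures."""
import hashlib
import shutil
import subprocess
from typing import List, Optional

# IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
IEEE_VECTOR_PASSPHRASE = "password"
IEEE_VECTOR_SSID = "IEEE"


def wpa_psk_hex(passphrase: str, ssid: str) -> str:
    """WPA-PSK key derivation: PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit key.

    The hex result is what Wireshark/TShark accept as a 'wpa-psk' key, so the
    passphrase itself does not have to sit in a preferences file or shell history.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid_bytes, 4096, dklen=32
    ).hex()


def tshark_decrypt_options(psk_hex: str) -> List[str]:
    """-o overrides equivalent to enabling decryption and adding one wpa-psk key
    in the IEEE 802.11 protocol preferences (assumed preference names; a key
    configured in the Wireshark GUI is stored in the same place and also works)."""
    return [
        "-o", "wlan.enable_decryption:TRUE",
        "-o", f'uat:80211_keys:"wpa-psk","{psk_hex}"',
    ]


def tshark_capture_command(interface: str, psk_hex: str, seconds: int) -> List[str]:
    """The asker's field extraction with the decryption options added, so that
    ip.src / ip.dst are populated for frames TShark can decrypt."""
    return (
        ["tshark", "-i", interface]
        + tshark_decrypt_options(psk_hex)
        + [
            "-T", "fields",
            "-e", "frame.time_relative", "-e", "frame.len",
            "-e", "radiotap.datarate", "-e", "radiotap.dbm_antsignal",
            "-e", "ip.src", "-e", "ip.dst",
            "-E", "separator=#",
            "-a", f"duration:{seconds}",
        ]
    )


def count_eapol_frames(pcap_path: str) -> Optional[int]:
    """Number of EAPOL frames in a saved capture, or None if tshark is absent.

    Decryption needs each station's 4-way handshake. If this returns 0, the
    clients associated before the capture started and must re-associate
    (disconnect/reconnect, sleep/wake) while TShark is running."""
    if shutil.which("tshark") is None:
        return None
    out = subprocess.run(
        ["tshark", "-r", pcap_path, "-Y", "eapol", "-T", "fields", "-e", "frame.number"],
        capture_output=True, text=True, check=True,
    ).stdout
    return len(out.split())


if __name__ == "__main__":
    psk = wpa_psk_hex(IEEE_VECTOR_PASSPHRASE, IEEE_VECTOR_SSID)
    print("PSK:", psk)
    print(" ".join(tshark_capture_command("mon0", psk, 10)))
```

When the same options are typed into a shell instead of passed as a list, the uat value must be single-quoted so the embedded double quotes reach TShark intact. Note that even with the right key, frames exchanged before the captured handshake, and frames from stations whose handshake was missed, stay undecrypted and still show empty ip.src / ip.dst.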

This is the first time I have got the right answer from a forum. Thank you so much. I will try this tonight. Thanks again!

(25 Sep '13, 18:29) btk913