This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can only see multicast and local traffic


I have installed Wireshark on a Mac mini with OS X 10.6. When I capture, the traffic only consists of broadcasts and local traffic. I can't see HTTP traffic of other computers in the wireless net. I have chosen the AirPort interface and I have chosen Ethernet (If I choose any of the 802 I get nothing).

Do I have to buy another interface? (A USB dongle?) 'Cause Apple's own doesn't allow this traffic or what?

/ Mid

asked 28 Feb '11, 22:51


midmus


One Answer:


Even in promiscuous mode, if you're not in monitor mode, the adapter will probably receive only unicast traffic to your machine and broadcast/multicast traffic. In monitor mode, it should see other traffic. If you're offered a choice of Ethernet headers or 802.11 headers, you're presumably running a version of Wireshark that doesn't handle the new "turn on monitor mode" APIs, in which case the way you turn on monitor mode is to select 802.11 headers - in monitor mode, I've been able to capture traffic that's neither to my machine nor from my machine nor broadcast/multicast.

Now, be aware that if you're on a WEP or WPA network, you will not be able to see that traffic as anything other than 802.11 packets without the network password - you won't even be able to see the IP headers! - and, on a WPA network, you won't be able to see it as anything other than 802.11 even with the password unless you've captured the setup packets. Are you not seeing any packets in monitor mode, or are you seeing lots of packets that are reported as just 802.11 data packets?

(This is not Mac-specific, by the way.)

answered 01 Mar '11, 05:39


Guy Harris ♦♦

Thanks for the answer, I get you. It's WShark version 1.4.3 for Mac OS X I'm using. So am I right that it is the adapter that gives me the restriction? As it should see all traffic on a wireless net, right? I mean a wireless net isn't switched :) / Mid

(02 Mar '11, 02:14) midmus

What do you mean by "see" in "see all traffic" and "get nothing" in "If I choose any of the 802 I get nothing"? Do you mean NO packets show up in Wireshark's packet list when you capture, or do you mean you don't see HTTP traffic? If it's the latter, the adapter is doing the right thing, you're probably on a WEP or WPA network and haven't supplied the password for the network.

(02 Mar '11, 10:44) Guy Harris ♦♦
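
An added example, not part of the original thread: a small Python classifier for monitor-mode frames (radiotap header followed by 802.11) that shows why traffic on a WEP/WPA network appears only as "802.11 data" while an unencrypted frame exposes its LLC/SNAP header and EtherType. The sample frames, addresses and function names are constructed for illustration.

```python
import struct

RADIOTAP = bytes.fromhex("0000080000000000")  # constructed: minimal 8-byte radiotap header
MACS = bytes(range(18))                       # constructed: three placeholder addresses
LLC_SNAP = bytes.fromhex("aaaa03000000")      # LLC/SNAP prefix of an unencrypted data body
FRAME_TYPES = {0: "management", 1: "control", 2: "data"}

def dot11(fc0, fc1, body=b"", qos=False):
    """Build a constructed sample: radiotap + 24-byte 802.11 header (+ QoS) + body."""
    hdr = bytes([fc0, fc1]) + b"\x00\x00" + MACS + b"\x00\x00"
    return RADIOTAP + hdr + (b"\x00\x00" if qos else b"") + body

SAMPLES = {
    "beacon": dot11(0x80, 0x00),
    # Open network: LLC/SNAP + EtherType 0x0800 + start of an IPv4 header
    "open data": dot11(0x08, 0x01, LLC_SNAP + b"\x08\x00" + b"\x45" + bytes(19)),
    # WPA2-style QoS data: Protected bit set, body is placeholder ciphertext
    "wpa data": dot11(0x88, 0x41, bytes(40), qos=True),
}

def classify(frame):
    """Return frame type, Protected flag and EtherType (None if not readable)."""
    rt_len = struct.unpack_from("<H", frame, 2)[0]  # radiotap length, little-endian
    f = frame[rt_len:]
    fc0, fc1 = f[0], f[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    info = {"type": FRAME_TYPES.get(ftype, "extension"),
            "protected": bool(fc1 & 0x40), "ethertype": None}
    if ftype != 2 or subtype & 0x4:      # not data, or a Null/no-data subtype
        return info
    hdr = 24
    if fc1 & 0x03 == 0x03:               # ToDS and FromDS both set: Address 4 present
        hdr += 6
    if subtype & 0x8:                    # QoS data: 2-byte QoS Control field
        hdr += 2
        if fc1 & 0x80:                   # Order bit in QoS data: 4-byte HT Control
            hdr += 4
    body = f[hdr:]
    # Only an unprotected body starts with LLC/SNAP; otherwise it is ciphertext
    if not info["protected"] and body[:6] == LLC_SNAP and len(body) >= 8:
        info["ethertype"] = struct.unpack_from(">H", body, 6)[0]
    return info

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, classify(frame))
```
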