I have been trying to capture wireless traffic using old wireless cards (Trendnet, TP-Link, etc.), but I am unable to capture any traffic other than my own. Can someone please guide me on how to set up Wireshark to capture in monitor mode (including how to set up the wireless card)? I have tried implementing suggestions from various blogs and forums and have yet to get the required results. I am using a Belkin wireless router with WPA/WPA2 Personal enabled, and have set it to a fixed channel. asked 23 Oct '13, 23:53 Kartzoft, edited 15 Sep '14, 22:35 Guy Harris ♦♦
One Answer:
Please try the following steps. Run the following commands:
Do you see a wlan0 or wlan1 interface? If not, your wireless card is not recognized by your kernel and there is nothing Wireshark can do about it. Stop here and ask the people in the user forum of your Linux distribution (Ubuntu, Fedora, etc.) how to add a working driver for your wireless card. If you do see wlan0/1, proceed with
or
depending on which wireless interface you want to capture. That command should report the following message:
Now, capture on mon0 with tcpdump and/or dumpcap.
or
Then open that file with Wireshark.
If any of the above does not work, please post the exact error message as a comment to my answer. Regards answered 28 Oct '13, 08:29 Kurt Knochner ♦
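The answer above outlines the procedure (find the wireless interface, switch it to monitor mode, capture, then open the file in Wireshark) but its command lines did not survive on this page. The script below is an added example, not Kurt's original commands: it does the same job with the kernel's own `iw`/`ip` tools instead of airmon-ng, locks the card to the router's channel (a card in monitor mode only hears the channel it is tuned to), and verifies that monitor mode actually took effect, since a card left in managed mode is exactly what produces the "only my own traffic" symptom in the question. The interface name, channel and output path are assumed defaults; a helper is included for people who prefer airmon-ng, because its output format changed between releases (`mon0` on old versions, `wlan0mon` on newer ones).

```shell
#!/bin/sh
# Added example (not from the original answer): list wireless NICs, put one in
# monitor mode on a fixed channel, and record with dumpcap. Assumed defaults,
# override via environment: IFACE, CHANNEL, OUT.
IFACE="${IFACE:-wlan0}"; CHANNEL="${CHANNEL:-6}"; OUT="${OUT:-/var/tmp/wlan.pcap}"

# A wireless NIC exposes /sys/class/net/<if>/phy80211 (mac80211 drivers) or
# /sys/class/net/<if>/wireless (wireless-extensions drivers). If nothing is
# listed, the kernel has no driver for the card and Wireshark cannot help.
# $1 lets a test point at a fake sysfs tree instead of the real one.
list_wireless_ifaces() {
  root="${1:-/sys/class/net}"
  for d in "$root"/*/; do
    d="${d%/}"
    [ -d "$d" ] || continue
    if [ -e "$d/phy80211" ] || [ -e "$d/wireless" ]; then basename "$d"; fi
  done
}

# airmon-ng reports the monitor interface as either
#   "(monitor mode enabled on mon0)"                                   (old)
#   "(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)" (new)
# Pull the name out so the capture step does not have to hard-code mon0.
monitor_iface_from_airmon() {   # $1 = airmon-ng output (may be multi-line)
  printf '%s\n' "$1" | sed -nE \
    's/.*monitor mode (vif )?enabled (for [^ ]+ )?on (\[phy[0-9]+\])?([A-Za-z0-9_-]+)\).*/\4/p'
}

# Kernel-native equivalent of "airmon-ng start <if> <channel>". Needs root.
# NetworkManager will otherwise flip the card back to managed mode; telling it
# to leave the device alone is the same thing "airmon-ng check kill" achieves
# more bluntly.
set_monitor_mode() {            # $1 = interface, $2 = channel
  command -v nmcli >/dev/null 2>&1 && nmcli device set "$1" managed no
  ip link set "$1" down
  iw dev "$1" set type monitor
  ip link set "$1" up
  iw dev "$1" set channel "$2"
  # Verify, do not assume: a card still in managed mode only sees its own frames.
  iw dev "$1" info | grep -q 'type monitor' || {
    echo "$1 did not enter monitor mode (driver may not support it)" >&2; return 1; }
}

capture() {                     # $1 = monitor interface, $2 = output file; Ctrl-C to stop
  dumpcap -i "$1" -w "$2"
}

if [ "${1:-}" = "--run" ]; then
  list_wireless_ifaces | grep -qx "$IFACE" || {
    echo "no wireless interface named $IFACE; found: $(list_wireless_ifaces | tr '\n' ' ')" >&2
    exit 1; }
  set_monitor_mode "$IFACE" "$CHANNEL" && capture "$IFACE" "$OUT"
fi
```

Run it as `sudo IFACE=wlan1 CHANNEL=6 ./wlan-capture.sh --run`, then open the result with `wireshark -nr /var/tmp/wlan.pcap`. If you would rather keep using airmon-ng, `MON=$(monitor_iface_from_airmon "$(sudo airmon-ng start wlan1 6)")` gives you the interface to pass to `capture`. The channel matters: set it to the one configured on the router (the question mentions a fixed channel), otherwise the card sits on a default channel and records nothing useful.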
Hey Kurt,
Thanks a lot. I am able to capture now. :)
Hey Kurt,
After capturing the traffic, how do I do a wireless decryption by entering the keys?
as described in the Wiki
Hey Kurt,
After the decryption I am still unable to view the IP addresses. I followed the steps in the wiki. Are there any other alternatives? However, when I switch off the security mode of my WLAN (Belkin) and capture, I am able to see the proper trace along with the IPs.
One part of the page to which Kurt was referring that's a bit obscure is
In order to capture that handshake, you might have to disconnect all the hosts you care about from the network and re-connect them; for devices that can sleep and wake up, putting them to sleep and waking them up (closing and reopening the lid on a laptop, "turning off" a smartphone or tablet and turning it back on again), and, for other devices, turning off the Wi-Fi and turning it back on again, might do the job.
Yes, this is a pain, but, remember, the whole point of WEP and WPA/WPA2 is to make it hard to sniff a wireless network (i.e., to make it hard for others to snoop your traffic, but that also makes it hard for you to snoop your own traffic). A side-effect of making your network more secure against other people is that it's also more secure against you....
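Guy's point is the one most people miss: Wireshark can only decrypt a station's WPA/WPA2 traffic if the capture contains that station's EAPOL 4-way handshake, which only happens when the station (re)associates. Before fiddling with the key, it is worth checking which stations actually have a complete handshake in the file. The script below is an added example, not part of the original thread: it extracts the EAPOL-Key frames with tshark and classifies each one as message 1 to 4 from the Key Information bits, then reports per station whether all four were seen. It assumes tshark is installed and that the key-info field is named as in recent Wireshark releases (the 1.x series from the time of this thread called it `eapol.keydes.key_info`); the sample tshark output at the bottom is constructed so the classifier can be exercised without a capture.

```shell
#!/bin/sh
# Added example (not from the original thread): does this capture contain a
# complete 4-way handshake for each station? Without one, WPA/WPA2 decryption
# in Wireshark cannot work no matter how correct the passphrase is.

# EAPOL-Key frames as "sa da bssid key_info" lines. Field name as in recent
# Wireshark; older builds use eapol.keydes.key_info (assumption, check yours).
extract_eapol() {   # $1 = capture file
  tshark -r "$1" -Y eapol -T fields \
    -e wlan.sa -e wlan.da -e wlan.bssid -e wlan_rsna_eapol.keydes.key_info
}

# Map the EAPOL-Key "Key Information" field to a handshake message number.
# Relevant bits: Pairwise 0x0008, Install 0x0040, Key Ack 0x0080,
# Key MIC 0x0100, Secure 0x0200.
#   M1: Ack set, no MIC      M3: Ack + MIC + Install
#   M2: MIC, no Ack, Secure clear   M4: MIC, no Ack, Secure set (WPA2)
# Original WPA/TKIP clears Secure in M4 too; there you would need the key data
# length (M2 carries the RSN/WPA IE, M4 carries nothing) to tell them apart.
# Frames without the Pairwise bit belong to the group-key handshake and are
# not part of the 4-way exchange, so they are reported as 0.
eapol_msg_num() {   # $1 = key_info, e.g. 0x008a ; prints 1-4, or 0
  local ki ack mic install secure pairwise
  ki=$(( $1 ))
  pairwise=$(( ki & 8 )); install=$(( ki & 64 )); ack=$(( ki & 128 ))
  mic=$(( ki & 256 )); secure=$(( ki & 512 ))
  [ "$pairwise" -ne 0 ] || { echo 0; return; }
  if   [ "$ack" -ne 0 ] && [ "$mic" -eq 0 ];     then echo 1
  elif [ "$ack" -ne 0 ] && [ "$install" -ne 0 ]; then echo 3
  elif [ "$mic" -ne 0 ] && [ "$secure" -eq 0 ];  then echo 2
  elif [ "$mic" -ne 0 ];                          then echo 4
  else echo 0
  fi
}

# Read "sa da bssid key_info" lines on stdin and print, per station,
# "<station> <messages seen> complete|incomplete". The station is whichever
# address is not the BSSID (M1/M3 come from the AP, M2/M4 from the station).
handshake_status() {
  while read -r sa da bssid ki; do
    [ -n "$ki" ] || continue
    if [ "$sa" = "$bssid" ]; then sta=$da; else sta=$sa; fi
    printf '%s %s\n' "$sta" "$(eapol_msg_num "$ki")"
  done | sort -u | awk '
    $2 != 0 { seen[$1] = seen[$1] $2 }
    END { for (s in seen)
            printf "%s %s %s\n", s, seen[s], (seen[s] == "1234" ? "complete" : "incomplete") }' | sort
}

# Constructed sample of extract_eapol output (not from a real capture):
# AP 00:11:22:33:44:55; station ...:01 reconnected during the capture, station
# ...:02 had only two of its four messages recorded (lost frames are common).
SAMPLE_EAPOL='00:11:22:33:44:55 aa:bb:cc:dd:ee:01 00:11:22:33:44:55 0x008a
aa:bb:cc:dd:ee:01 00:11:22:33:44:55 00:11:22:33:44:55 0x010a
00:11:22:33:44:55 aa:bb:cc:dd:ee:01 00:11:22:33:44:55 0x13ca
aa:bb:cc:dd:ee:01 00:11:22:33:44:55 00:11:22:33:44:55 0x030a
00:11:22:33:44:55 aa:bb:cc:dd:ee:02 00:11:22:33:44:55 0x008a
aa:bb:cc:dd:ee:02 00:11:22:33:44:55 00:11:22:33:44:55 0x010a'

if [ "${1:-}" = "--check" ] && [ -n "${2:-}" ]; then
  extract_eapol "$2" | handshake_status        # e.g. ./eapol-check.sh --check /var/tmp/wlan.pcap
elif [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_EAPOL" | handshake_status
fi
```

A station reported as `incomplete` will stay encrypted in Wireshark; reconnect it (or toggle its Wi-Fi, as Guy describes) while capturing and check again. Two other things that produce exactly the symptom in the comment above: Wireshark's `wpa-pwd` key must be entered as `passphrase:SSID` (the passphrase alone is not enough), and the handshake must be captured on the same channel the station associates on.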
I get no error, but only my own traffic (from the machine where the program runs) is captured. What do I do to see the traffic of the other notebooks as well?
Steps:
sudo airmon-ng start wlan 1
sudo dumpcap -ni mon0 -w /var/tmp/wlan.pcap
wireshark -nr /var/tmp/wlan.pcap
After opening the file I only see my own traffic.
Hi Kurt Knochner and Guy Harris,
My problem is I cannot decrypt the captured data using WireShark, even though I captured full 4 EAPOL handshakes.
I posted my problem here, and I need your help:
https://ask.wireshark.org/questions/61469/unable-to-decrypt-wifi-data
Can you take a look and give me some direction to solve the problem?
Looking forward to hearing from you,
Thanks, --Will
@dknovo
Please don't cross post on another very old question, it won't help get answers to your issue.