This is a static archive of our old Q&A Site. Please post any new questions and answers at

Unable to capture wireless traffic on monitor mode on Ubuntu 10.04 version


I have been trying to capture the wireless traffic using old wireless cards (Trendnet, TP-Link) etc. But am unable to capture the traffic other than my own. Can someone please guide as to how to set up the wireshark to capture on monitor mode (including how to set up the wireless card). I have tried implementing suggestion from various bogs and forums and am yet to get the required results. I am using a Belkin wireless router and enabled the WPA-WPA2 personal. and have set it on a channel.

asked 23 Oct '13, 23:53

Kartzoft's gravatar image

accept rate: 0%

edited 15 Sep '14, 22:35

Guy%20Harris's gravatar image

Guy Harris ♦♦

One Answer:


Please try the following steps:

Run the following commands

ifconfig -a

Do you see a wlan0 or wlan1 interface?

If no, your wireless card is not recognized by your kernel and there is nothing Wireshark can do about it. Stop here and ask the the people in the user forum of your Linux distribution (Ubuntu, Fedora, etc.) how to add a working driver for your wireless card.

If you do see wlan0/1, proceed with

sudo airmon-ng start wlan0


sudo airmon-ng start wlan1

depending on which wireless interface you want to capture. That command should report the following message:

monitor mode enabled on mon0

Now, capture on mon0 with tcpdump and/or dumpcap.

sudo tcpdump -ni mon0 -w /var/tmp/wlan.pcap


sudo dumpcap -ni mon0 -w /var/tmp/wlan.pcap

Then open that file with Wireshark

wireshark -nr /var/tmp/wlan.pcap

If any of the above does not work, please post the exact error message as a comment to my answer.


answered 28 Oct '13, 08:29

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
accept rate: 15%

Hey Kurt,

Thanks a lot. Am able to capture now. :)

(29 Oct '13, 06:10) Kartzoft

Hey Kurt,

After capturing the traffic, how do I do a wireless decryption by entering the keys?

(29 Oct '13, 21:16) Kartzoft
(30 Oct '13, 00:08) Kurt Knochner ♦

Hey Kurt,

After the decryption am still unable to view the IP address. I followed the steps in the wiki. Is there any other alternatives? However when I switch off the security mode of my WLAN (Belkin) and capture am able to see the proper trace along with the IPs.

(20 Nov '13, 22:13) Kartzoft

One part of the page to which Kurt was referring that's a bit obscure is

WPA and WPA2 use keys derived from an EAPOL handshake to encrypt traffic. Unless all four handshake packets are present for the session you're trying to decrypt, Wireshark won't be able to decrypt the traffic.

In order to capture that handshake, you might have to disconnect all the hosts you care about from the network and re-connect them; for devices that can sleep and wake up, putting them to sleep and waking them up (closing and reopening the lid on a laptop, "turning off" a smartphone or tablet and turning it back on again), and, for other devices, turning off the Wi-Fi and turning it back on again, might do the job.

Yes, this is a pain, but, remember, the whole point of WEP and WPA/WPA2 is to make it hard to sniff a wireless network (i.e., to make it hard for others to snoop your traffic, but that also makes it hard for you to snoop your own traffic). A side-effect of making your network more secure against other people is that it's also more secure against you....

(21 Nov '13, 00:42) Guy Harris ♦♦

I have no error, but is captured only my traffic (where stands the program) how do whatever and other notebooks seen traffic?


sudo airmon-ng start wlan 1

sudo dumpcap -ni mon0 -w /var/tmp/wlan.pcap

wireshark -nr /var/tmp/wlan.pcap

after opening only seen my traffic

(28 Nov '13, 21:05) Sokolov Andrey

Hi Kurt Knochner and Guy Harris,

My problem is I cannot decrypt the captured data using WireShark, even though I captured full 4 EAPOL handshakes.

I posted my problem here, and I need your helps

Can you look for a while and give me some direction to solve the problem

Look forward to hearing you,

Thanks, --Will

(25 May '17, 21:26) dknovo


Please don't cross post on another very old question, it won't help get answers to your issue.

(26 May '17, 02:04) grahamb ♦
showing 5 of 8 show 3 more comments