This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark not capturing packets promiscuously on WLAN

1

Hi

So I am trying to capture my LAN traffic (all traffic from all devices on my LAN) on my MacBook Pro over Wi-Fi.

I have "use promiscuous mode on all interfaces" enabled in capture options. However, when I run the capture, I am only able to capture all traffic from my MacBook and broadcast packets from all other devices on the LAN.

I have set my router on WPA/WPA2 personal mode. I am aware other devices in my LAN will have their traffic encrypted because of this. I don't mind seeing the encrypted traffic, but I still want to capture it. How do I go about doing that?

Regarding decryption:

I tried capturing all traffic from all devices on my LAN by enabling monitor mode. I understand I need to capture the EAPOL handshake of the device I am trying to decrypt. Is this correct? What happens if I don't capture the EAPOL handshake of my laptop but I do capture the handshake of another device? Does that mean I can decrypt the packets of the other device but not of my laptop? Or do I need the EAPOL handshake of both my laptop and the other devices to decrypt anything?

asked 13 Mar '14, 18:25

Sukhvir Notra

edited 13 Mar '14, 19:29

Guy Harris ♦♦


One Answer:

1

As one of the tags you put on your question suggests, you need monitor mode, not promiscuous mode; promiscuous mode doesn't necessarily do anything useful on Wi-Fi adapters.

See the WLAN (802.11) Capture Setup page on the Wireshark Wiki for more details.

As for decryption (which should have been asked in a separate question):

See the How To Decrypt 802.11 page on the Wireshark Wiki.

answered 13 Mar '14, 19:27

Guy Harris ♦♦

edited 13 Mar '14, 19:29

Yes, I tried using monitor mode. Could you please answer my questions under the "Regarding decryption" heading in my question?

(13 Mar '14, 19:29) Sukhvir Notra
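
One way to confirm that a saved capture was really taken in monitor mode, which the answer says is what this kind of capture needs, is to read the link-layer type from the pcap file header: a Wi-Fi capture taken without monitor mode is normally written with Ethernet headers (link type 1), while a monitor-mode capture carries 802.11 headers. This is an added example, not part of the original thread; the function names are hypothetical, the sample headers are constructed, and only the classic pcap format (not pcapng) is handled.

```python
import struct

# Link-layer header types from the pcap LINKTYPE_ registry.
ETHERNET = 1
MONITOR_LINKTYPES = {
    105: "IEEE 802.11",
    119: "Prism + 802.11",
    127: "radiotap + 802.11",
    163: "AVS + 802.11",
}
# First four bytes of a classic pcap file, mapped to the struct byte order.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",  # nanosecond timestamps
}

def pcap_linktype(header: bytes) -> int:
    """Return the link-layer type from a 24-byte classic pcap file header."""
    if len(header) < 24:
        raise ValueError("truncated pcap header")
    order = MAGICS.get(header[:4])
    if order is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    (network,) = struct.unpack(order + "I", header[20:24])
    return network & 0xFFFF  # upper bits may carry FCS information

def capture_mode(header: bytes) -> str:
    """Classify a capture as monitor-mode or not from its file header."""
    lt = pcap_linktype(header)
    if lt in MONITOR_LINKTYPES:
        return "monitor (" + MONITOR_LINKTYPES[lt] + ")"
    if lt == ETHERNET:
        return "not monitor (Ethernet headers)"
    return "unknown (linktype %d)" % lt

def make_header(linktype: int, order: str = "<") -> bytes:
    """Build a constructed pcap file header (sample input for the demo)."""
    return struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, linktype)

if __name__ == "__main__":
    for lt in (1, 127):  # constructed samples, not real captures
        print(lt, "->", capture_mode(make_header(lt)))
```

For a real file, pass the first 24 bytes read in binary mode, for example `capture_mode(open(path, "rb").read(24))`.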