
Wireshark not showing HTTP protocols


I've been struggling with this problem for some time now and can't seem to find a solution. Please help!

I'm using wireshark to collect the packets on my WLAN, but I'm not getting any HTTP packets.

The capture device is wlan0 and/or mon0 (depending on whether I'm using monitor mode) and it doesn't matter if it's set to promiscuous mode, because all I'm getting is DHCPv6, SSDP, LLMNR (and 802.11 when monitor mode is on while using mon0).

Why can't my computer find HTTP protocols with data packets? Please help me :\ I'll be happy to post additional info if needed.

edit: I'm using Kali linux

asked 08 Nov '14, 12:35


whiteiswhite

edited 08 Nov '14, 12:42

When you're not in monitor mode, is the machine running Wireshark sending or receiving any HTTP traffic? What happens if you start a Web browser on that machine or use curl to fetch a page from some site?

(08 Nov '14, 20:46) Guy Harris ♦♦

First of all thank you very much for your reply!

When I'm not in monitor mode the machine running Wireshark doesn't receive or send any HTTP traffic. Now that you've mentioned starting a Web browser on that machine I see some HTTP packets being received, where source is the address of the requested website (in this case google.com[173.194.113.67]) and destination IP is the internal IP address of the computer running Wireshark (192.168.x.xx). I'm sorry but I don't understand the "curl to fetch a page from some site" :. I can send you some screenshots if you are willing to help further. Once again thank you very much for the reply!

(09 Nov '14, 13:36) whiteiswhite

One Answer:


As I suspected.

If you're not in monitor mode, the Wi-Fi adapter will see only traffic sent to and from your machine. However, that traffic will, if it has been encrypted at the 802.11 layer, have been decrypted by the Wi-Fi adapter. The packets you were seeing were probably mostly broadcast or multicast traffic, which your machine would see even if it weren't sending any requests out on the network.

If you are in monitor mode, the Wi-Fi adapter will see whatever traffic its radio receives; however, unless that traffic is to or from your machine, it will, if it has been encrypted at the 802.11 layer, not be decrypted by the adapter (and I'm not sure whether traffic to and from the host will be decrypted).

A "protected" Wi-Fi network is a network that's using WEP or WPA/WPA2; on that network, traffic is encrypted, in a deliberate attempt to make traffic sniffing difficult. You're probably capturing on a protected network; the 802.11 header isn't encrypted, so Wireshark is able to dissect the encrypted traffic as 802.11 traffic, but the payload is encrypted, so Wireshark can't even dissect it as IP traffic, much less TCP or HTTP, so it shows up as "802.11".

Wireshark can decrypt 802.11 traffic, if you give it the password for the network and, for WPA/WPA2, if, for each host whose traffic it wants to decrypt, it sees the initial "EAPOL handshake" between the host and the access point. See the Wireshark page on decrypting 802.11 for details.

("use curl to fetch a page from some site" means to use the curl command-line utility to fetch a page from an HTTP site; that might be more convenient than installing a Web browser - given that Kali Linux is a distribution intended for use on machines used for testing network security, it might have a limited set of tools such as Web browsers. However, as installed on your machine, it apparently does have a Web browser, so you could do the tests I wanted done without installing a browser, and, when you did so, it supported my guess as to what was happening. You don't need to worry about curl.)

answered 09 Nov '14, 14:08


Guy Harris ♦♦

edited 09 Nov '14, 14:09
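The answer above says Wireshark needs two things to decrypt WPA/WPA2-PSK frames: the network password and, per client, the EAPOL four-way handshake. The following added example (written for this page; it is not code from the original answer or from Wireshark) shows why both are required by carrying out the key derivation Wireshark performs. The passphrase and SSID alone give the PMK via PBKDF2, but the per-session PTK, and with it the temporal key that actually protects the data frames, also depends on the two nonces exchanged in handshake messages 1 and 2. The network name, passphrase, MAC addresses and nonces below are constructed sample values, as is the minimal EAPOL-Key message 2 used to check the handshake MIC; the PMK test vector ("password"/"IEEE") is the one published in the IEEE 802.11 standard.

```python
"""WPA2-PSK key derivation: passphrase -> PMK -> PTK, plus EAPOL-Key MIC check.

Demonstrates why a capture must contain the EAPOL handshake before the
network password is enough to decrypt a client's traffic.
"""
import hashlib
import hmac

# Byte offsets inside an EAPOL-Key frame: 4-byte EAPOL header, then
# descriptor type(1) key info(2) key length(2) replay counter(8) nonce(32)
# key IV(16) key RSC(8) key ID(8) MIC(16) key data length(2) key data(...)
MIC_OFFSET = 4 + 1 + 2 + 2 + 8 + 32 + 16 + 8 + 8   # = 81
MIC_LEN = 16


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).

    Only the network password and SSID are needed here, so this part is fixed for
    every client on the network and could be precomputed."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(nonces) || max(nonces)).

    ANonce and SNonce exist only in EAPOL messages 1 and 2 of this association,
    which is why Wireshark must see the handshake for each client.
    Returns the WPA2/CCMP split: KCK (MIC key), KEK (key-wrap key), TK (data key)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_512(pmk, b"Pairwise key expansion", data)
    return {"kck": ptk[0:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16]."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * MIC_LEN + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def verify_eapol_key_mic(kck: bytes, frame: bytes) -> bool:
    """True if the MIC carried in the frame matches the one computed with this KCK.

    A matching MIC confirms the derived PTK really belongs to this handshake,
    i.e. the passphrase was right and the nonces were read from the right frames."""
    carried = frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    return hmac.compare_digest(carried, eapol_key_mic(kck, frame))


def build_eapol_key_msg2(snonce: bytes, mic: bytes = b"\x00" * MIC_LEN,
                         key_data: bytes = b"") -> bytes:
    """Constructed minimal EAPOL-Key message 2 (station -> AP) for the demo.

    A real message 2 also carries the station's RSN IE in the key data field."""
    body = (b"\x02"                  # descriptor type: RSN
            + b"\x01\x0a"            # key info: MIC set, pairwise, descriptor version 2
            + b"\x00\x10"            # key length 16 (CCMP)
            + b"\x00" * 7 + b"\x01"  # replay counter 1
            + snonce                 # 32-byte SNonce
            + b"\x00" * 16           # key IV
            + b"\x00" * 8            # key RSC
            + b"\x00" * 8            # key ID (reserved)
            + mic
            + len(key_data).to_bytes(2, "big")
            + key_data)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v2, type 3 (Key)


def demo() -> dict:
    """Run the derivation on constructed sample values and check the message 2 MIC."""
    pmk = derive_pmk("correct horse battery", "HomeWiFi")       # constructed network
    aa = bytes.fromhex("00112233aabb")                          # constructed AP MAC
    spa = bytes.fromhex("00aabbccddee")                         # constructed station MAC
    anonce = hashlib.sha256(b"anonce-sample").digest()          # stand-ins for the random
    snonce = hashlib.sha256(b"snonce-sample").digest()          # nonces from messages 1 and 2
    keys = derive_ptk(pmk, aa, spa, anonce, snonce)
    unsigned = build_eapol_key_msg2(snonce)
    msg2 = build_eapol_key_msg2(snonce, mic=eapol_key_mic(keys["kck"], unsigned))
    return {"pmk": pmk, "keys": keys, "msg2": msg2,
            "mic_ok": verify_eapol_key_mic(keys["kck"], msg2)}


if __name__ == "__main__":
    result = demo()
    print("PMK:", result["pmk"].hex())
    print("TK :", result["keys"]["tk"].hex(), "MIC valid:", result["mic_ok"])
```

In Wireshark the same derivation runs automatically once decryption is enabled under Edit > Preferences > Protocols > IEEE 802.11 and a key of type "wpa-pwd" in the form passphrase:SSID (or "wpa-psk" with the 64-hex-digit PMK that derive_pmk produces) is added; the tshark equivalent is `tshark -r capture.pcap -o wlan.enable_decryption:TRUE -o 'uat:80211_keys:"wpa-pwd","passphrase:SSID"' -Y http`. Because the TK depends on the nonces, a capture on mon0 that starts after a client has already associated will never decrypt that client's frames no matter how correct the password is; start the capture first, then have the client (re)join the network so that the four EAPOL frames are recorded, and make sure the monitor interface is tuned to the access point's channel.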