This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wifi sniffing only outgoing packets

0

When I am setting my wifi card in monitor mode and disconnecting it from wifi I am able to sniff every packet coming in and out from my tablet (http requests and responses) but when I connect to network while sniffing. I am only able to sniff packets coming out of my tablet (http requsests). I am very curious what might be the cause of this.

Thanks in advance.

asked 26 Dec '14, 07:46

Sewci0's gravatar image

Sewci0
11224
accept rate: 0%

Are you doing the capturing on your tablet or on some other machine? What OS is the machine doing the capturing running? How are you putting it in monitor mode? What software are you using to capture the traffic?

(26 Dec '14, 16:56) Guy Harris ♦♦

I am sniffing packets from my tablet using wireshark on my laptop running Linux. When I enable monitor mode using airmon and disconnect from my AP (on a laptop) I am able to sniff and decrypt every incoming and outgoing packet from my tablet. But when I run the airmon and connect to AP on my laptop I am only able to see packets outgoing from my tablet. That means that I see http requests but I can't see http responses. I think that the problem might be in decrypting because when I turn off encryption on my AP I was able to sniff incoming and outgoing packets while being connected to the AP.

(26 Dec '14, 17:09) Sewci0

But when I run the airmon and connect to AP on my laptop I am only able to see packets outgoing from my tablet.

I.e., when you're running airmon on your laptop, and the laptop is connected to the AP, it sees packets from your tablet to the AP but not packets from your AP to the tablet? Does it see traffic from your laptop to the AP, and does it see traffic from the AP to your laptop?

I think that the problem might be in decrypting because when I turn off encryption on my AP I was able to sniff incoming and outgoing packets while being connected to the AP.

Is it, at the link layer (i.e., look at the MAC addresses), seeing traffic from your table to the AP - even if they just show up as "802.11" packets, not HTTP packets?

(26 Dec '14, 17:20) Guy Harris ♦♦

I.e., when you're running airmon on your laptop, and the laptop is connected to the AP, it sees packets from your tablet to the AP but not packets from your AP to the tablet?

I can see packets from my router to my tablet but every of them is LLC. It seams that instead of http responses I get those weird LLC packets.

Does it see traffic from your laptop to the AP, and does it see traffic from the AP to your laptop?

Yes, traffic from my laptop is being properly decrypted both ways.

Is it, at the link layer (i.e., look at the MAC addresses), seeing traffic from your table to the AP - even if they just show up as "802.11" packets, not HTTP packets?

From my tablet to AP packet are being sniffed and decrypted but packet from AP to tablet are being shown as LLC packets.

I am attaching dump from Wireshark ESSID:OpenWrt WPA-PWD:test_network https://www.dropbox.com/s/c43j0pr87x991ae/weird_packets.pcapng?dl=0 My tablet:10.11.11. My laptop:10.11.11.129

(27 Dec '14, 03:27) Sewci0

I've checked once more and I realized that I had marked "Ignore the VI protection" bit now those packets are ordinary 802.11 but encrypted. Still I don't know how to decrypt them.

(27 Dec '14, 03:54) Sewci0

One Answer:

0

On a protected network, a monitor mode capture will see encrypted packets. See the Wireshark Wiki "How to decrypt 802.11" page for information on how to decrypt them.

answered 27 Dec '14, 10:53

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

I know how to decrypt packets, I just can't decrypt packets incoming to my sniffed device using promiscuous mode.

(27 Dec '14, 11:01) Sewci0