This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I am using Linux with airmon-ng. When I sniff in promiscuous mode I can only decrypt packets outgoing from sniffed devices (I can decrypt HTTP requests but not responses). When in monitor mode I can decrypt everything. I am very curious what the cause is.

I am attaching a dump from Wireshark:

ESSID: OpenWrt
WPA-PWD: test_network
https://www.dropbox.com/s/c43j0pr87x991ae/weird_packets.pcapng?dl=0
Sniffed device: 10.11.11.165
My laptop: 10.11.11.129

asked 27 Dec '14, 10:52

Sewci0

edited 27 Dec '14, 11:24

Was that capture file taken in monitor mode or promiscuous mode?

(27 Dec '14, 11:13) Kurt Knochner ♦

In promiscuous mode. In monitor mode everything is working perfectly.

(27 Dec '14, 11:14) Sewci0

What's the MAC address of your laptop and the other (sniffed) device?

(27 Dec '14, 11:15) Kurt Knochner ♦

Laptop: 64:5a:04:64:36:88
Sniffed device: B4:18:D1:A6:0B:35
AP: 90:F6:52:5D:28:66

(27 Dec '14, 11:21) Sewci0

If I select the option "Ignore the protection bit: Yes - with IV", I can decrypt your capture file and I'm able to see traffic from 10.11.12.129 (you posted the wrong IP address - 10.11.11.129) and also a broadcast from 10.11.12.165.


Regards
Kurt


answered 27 Dec '14, 12:13

Kurt Knochner ♦

edited 27 Dec '14, 12:14

Are you able to decrypt packets going to 10.11.12.165 (HTTP responses)?

(27 Dec '14, 12:19) Sewci0

I can only see a single frame (#423), which is a broadcast to 224.0.0.251.

If you wonder why, please see the comments on promiscuous mode here:

http://wiki.wireshark.org/CaptureSetup/WLAN#Monitor_mode

To reliably be able to capture and decrypt the whole traffic, you should use monitor mode.

(27 Dec '14, 12:26) Kurt Knochner ♦

> I can only see a single frame (#423), which is a broadcast to 224.0.0.251.

Just out of curiosity: how do those packets affect capturing? Why are they important?

(27 Dec '14, 12:40) Sewci0

I'm sorry, can you please add more information? Which frames are you referring to?

(27 Dec '14, 12:57) Kurt Knochner ♦

You said that you only see one frame, #423. I am curious why you chose this frame while I was asking about frames going from the router to the sniffed device, for example #503. It seems like packets going from the device to the router are being properly decrypted while those coming from the router to the device aren't.

(27 Dec '14, 13:18) Sewci0

> You said that you only see one frame #423 I am curious why you choose this frame

Because you mentioned the IP address: 10.11.12.165

(30 Dec '14, 03:48) Kurt Knochner ♦
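The asymmetry discussed above (station-to-AP frames decrypting, AP-to-station frames not, until "Ignore the protection bit: Yes - with IV" is set) is easiest to diagnose by looking at each data frame's ToDS/FromDS flags, Protected bit and CCMP/TKIP header. The following is an added example, not code from the thread or from Wireshark: it builds constructed 802.11 data frames (no radiotap header) from the MAC addresses quoted in the thread and classifies them by direction and protection state, so the same function can be run over frames pulled from a real capture.

```python
import struct

# MAC addresses quoted in the thread (constructed frames below, not the real capture)
AP = "90:f6:52:5d:28:66"
DEVICE = "b4:18:d1:a6:0b:35"
LAPTOP = "64:5a:04:64:36:88"

def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def build_frame(src, dst, to_ap, protected):
    """Construct a plain (non-QoS) 802.11 data frame; no encryption is performed."""
    flags = (0x01 if to_ap else 0x02) | (0x40 if protected else 0)   # ToDS / FromDS / Protected
    fc = (2 << 2) | (flags << 8)                                      # type 2 = data, subtype 0
    if to_ap:
        a1, a2, a3 = AP, src, dst      # ToDS=1:   Addr1=BSSID, Addr2=SA, Addr3=DA
    else:
        a1, a2, a3 = dst, AP, src      # FromDS=1: Addr1=DA, Addr2=BSSID, Addr3=SA
    hdr = struct.pack("<HH", fc, 0) + mac_bytes(a1) + mac_bytes(a2) + mac_bytes(a3) + b"\x00\x00"
    ccmp = bytes([1, 0, 0, 0x20, 0, 0, 0, 0])   # PN0 PN1 rsvd | ExtIV=1, KeyID=0 | PN2..PN5
    return hdr + (ccmp if protected else b"") + b"payload"

def classify(frame):
    """Return (direction, src, dst, protected, ext_iv) for one 802.11 data frame."""
    fc, = struct.unpack_from("<H", frame, 0)
    ftype, subtype, flags = (fc >> 2) & 3, (fc >> 4) & 0xF, fc >> 8
    if ftype != 2:
        return ("not-data", None, None, None, None)
    to_ds, from_ds, protected = flags & 1, flags & 2, bool(flags & 0x40)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds and not from_ds:
        direction, src, dst = "station->AP", a2, a3
    elif from_ds and not to_ds:
        direction, src, dst = "AP->station", a3, a1
    else:
        direction, src, dst = "other", a2, a1
    hdr_len = 24 + (2 if subtype & 0x8 else 0)   # QoS data subtypes add a 2-byte QoS control
    # With the Protected bit set, byte 3 of the CCMP/TKIP header carries ExtIV (bit 5) and KeyID
    ext_iv = bool(frame[hdr_len + 3] & 0x20) if protected else None
    return (direction, mac_str(src), mac_str(dst), protected, ext_iv)

def summarize(frames):
    """Count frames per (direction, protected) pair to expose a one-way decryption gap."""
    counts = {}
    for direction, _, _, protected, _ in map(classify, frames):
        counts[(direction, protected)] = counts.get((direction, protected), 0) + 1
    return counts
```

If every AP->station frame still shows the Protected bit while the payload is already readable, the driver decrypted it and left the IV in place, which is the case the "Yes - with IV" preference covers.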