This is our old Q&A Site. Please post any new questions and answers at

I am using linux with airmon-ng. When I sniff in promiscuous mode I can only decrypt packets outgoing from sniffed devices (I can decrypt http requests but not resonses). When in monitor mode I can decrypt everything. I am very curious what is the cause.

I am attaching dump from Wireshark ESSID:OpenWrt WPA-PWD:test_network Sniffed device: My laptop:

asked 27 Dec '14, 10:52

Sewci0's gravatar image

accept rate: 0%

edited 27 Dec '14, 11:24

was that capture file taken in monitor mode or promiscuous mode?

(27 Dec '14, 11:13) Kurt Knochner ♦

In promiscuous mode. In monitor mode everything is working perfectly.

(27 Dec '14, 11:14) Sewci0

what's the mac address of your laptop and the other (sniffed) device?

(27 Dec '14, 11:15) Kurt Knochner ♦

Laptop: 64:5a:04:64:36:88 Sniffed device: B4:18:D1:A6:0B:35 AP: 90:F6:52:5D:28:66

(27 Dec '14, 11:21) Sewci0

If I select the option "Ignore the protection bit: Yes - with IV", I can decrypt your capture file and I'm able to see traffic from (you posted the wrong IP address - and also a broadcast from

alt text


permanent link

answered 27 Dec '14, 12:13

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
accept rate: 15%

edited 27 Dec '14, 12:14

Are you able to decrypt packets going to (http responses)?

(27 Dec '14, 12:19) Sewci0

I can only see a single frame (#423), which is a broadcast to

If you wonder why, please see the comments on promiscuous mode here:

To reliably be able to capture and decrypt the whole traffic, you should use monitor mode.

(27 Dec '14, 12:26) Kurt Knochner ♦

I can only see a single frame (#423), which is a broadcast to

Just out of curious. How those packets affect capturing? Why are they important?

(27 Dec '14, 12:40) Sewci0

I'm sorry, can you please add more information? Which frames are you referring to?

(27 Dec '14, 12:57) Kurt Knochner ♦

You said that you only see one frame #423 I am curious why you choose this frame while I was asking about frames going from router to sniffed device for example #503. It seams like packets going from device to router are being properly decrypted while those coming from router to device aren't.

(27 Dec '14, 13:18) Sewci0

You said that you only see one frame #423 I am curious why you choose this frame

because you mentioned the IP address:

(30 Dec '14, 03:48) Kurt Knochner ♦
showing 5 of 6 show 1 more comments
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 27 Dec '14, 10:52

question was seen: 1,869 times

last updated: 30 Dec '14, 03:48

p​o​w​e​r​e​d by O​S​Q​A