This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

mac capture monitor-mode

0

I have a network, which has 2 nodes (a phone, a MacBook) both are connected to same wireless network, I know the SSID and password for the wireless network

password: mypassword
ssid: myssid
security: WPA2 Personal

I am currently running Wireshark on MacBook with following settings:

Edit > Preference > Capture > Interfaces > Edit

default buffer size `2048MiB`
default link layer header type: 802.11
monitor mode: checked

and to decrypt traffic under

Edit > Preference > Protocols > IEEE 802.11

Reassemble fragmented 802.11 datagram packets: checked
ignore vendor specific HT elements: unchecked
call subredisetor for retransmitted 802.11 frames: checked
assume packets have FCS: unchecked
Ignore the protection bit: Yes with IV
Enable decryption: checked
decryption keys: 
     key type: wpa-pwd
     key: mypassword:myssid

I start it in capture mode: I make a http call to foobar.com from my phone, and I expected wireshark to pick it up and display in sniffed data, I don't see it there.

However, if I make same HTTP call to foobar.com from my mac, I can see it being listed.

Edit:

After that I see EAPOL handshake captured

enter image description here

but still it is not able to decrypt packets captured for that source (Lg_Electr_41), also attached protocol preference

enter image description here

good capture of EAPOL

alt text

asked 27 Feb '15, 10:59

annonymous's gravatar image

annonymous
11116
accept rate: 0%

edited 01 Mar '15, 21:34

One Answer:

1

Could it be that you forget to disconnect the phone after you started Wireshark? Wireshark can only decrypt the traffic of any other device in the wireless network if Wireshark could sniff the EAPOL packets of this device. In the eapol packets the session key of the device (your phone e.g.) and the AP is handled. If your phone is connected with the AP and then you start Wireshark after, there is no way to read the traffic you will only be able to capture the raw and encrypted packets.

So if this was the case (that no eapol packets were sniffed), disconnect your phone, start wireshark, connect your phone to the AP, look if Wireshark got the 4 eapol packets (you can filter them), and only then you can read the traffic of your phone.

answered 28 Feb '15, 23:34

franc's gravatar image

franc
96349
accept rate: 40%

Thanks for your reply franc, I was able to capture EAPOL packets, still it is not able to decrypt rest of the packets, please see edit in question

(01 Mar '15, 15:26) annonymous
1

Did you see all 4 EAPOL Handshake packets? Also the "Malformed Packet" irritates me.

(01 Mar '15, 16:14) franc

Yes I saw 5 one of them was malformed, it was able to capture all 4 good packets

(01 Mar '15, 19:11) annonymous
1

In monitor mode, even packets with a bad FCS are handed to the host, and perhaps one of the EAPOL packets was damaged by the microwave oven or something such as that. :-) If the malformed packet shows a bad FCS, that's probably what happened.

(01 Mar '15, 20:18) Guy Harris ♦♦

@Guy Thanks a lot for your help across stackexchange and in here - You are the man, This time I turned off microwave, also asked neighbors to turned off theirs ;) - recaptured EAPOL and updated screenshots

(01 Mar '15, 21:27) annonymous

@Guy I verified on different network, it works there with same setup, only thing I see difference is security type is : wpa2 psk, and in the network where I was trying it was: WPA2 Personal, reported by client, not sure what is the difference and does it actually help

(02 Mar '15, 12:09) annonymous
1

In your edited screenshot I only see one eapol: "Message 1 of 4" but not the rest of the four neccessary eapol packets. Means that you need 1 of 4, 2 of 4, 3 of 4 and 4 of 4 to have captured all needed eapol packets. Thats how it shows in my wireshark on my mac, if i successfully capture the eapol.

(02 Mar '15, 12:17) franc
1

At least according to the Wikipedia, WPA-Personal and WPA-PSK are the same thing.

(02 Mar '15, 12:21) Guy Harris ♦♦

@franc I will try to capture it again and update here, thanks for your help Guy, franc, could you brief me about how EAPOL thing plays part in encryption between router and node ?

(02 Mar '15, 13:50) annonymous
1

This is maybe a good explanation: http://en.wikipedia.org/wiki/IEEE_802.1X#Typical_authentication_progression

(02 Mar '15, 15:42) franc
1

And, for details on the 4-way EAPOL handshake, see RFC 4764 - that's an RFC, so perhaps not as good a tutorial as you might like, so see also this StackExchange question and its answers.

(02 Mar '15, 16:02) Guy Harris ♦♦

@Guy another difference I noted was, my phone gets connected to 2.4Ghz and my Mac gets connected over 5Ghz band, does it make difference ?

(02 Mar '15, 22:24) annonymous

forced phone to join 5Ghz and still it is not able to decrypt HTTP protocols, some of the packets sourced from phone are decrypted with protocol=SSDP and it is making HTTP request to some where (not to foobar.com), another difference noted was: phone was listed under mode : 802.11ac in router's web console, and mac was listed under 802.11an, both at 5Ghz

(02 Mar '15, 23:01) annonymous
1

another difference I noted was, my phone gets connected to 2.4Ghz and my Mac gets connected over 5Ghz band, does it make difference

Yes, just as if you tune your FM radio to 89.7 MHz, it's not going to play a radio station broadcasting at 94.1 MHz. A Wi-Fi adapter includes a radio, and it will only receive signals in the right frequency band. I don't know whether any Wi-Fi adapters exist that can receive on more than one band simultaneously, capturing packets on both the 2.4 GHz and the 5 GHz band.

(03 Mar '15, 14:54) Guy Harris ♦♦

ok and do you think 802.11ac and 802.11an makes difference ?

(03 Mar '15, 15:01) annonymous

Don't force your phone to join the 5 GHz channel, but force your Mac to join the 2.4 Wifi Channels, let them both traffic under 2.4 GHz. Maybe Wireshark doesn't work well on the 5 GHz, but it is working on 2.4 GHz so test this first.

(03 Mar '15, 15:04) franc
1

Wireshark doesn't care about 2.4 GHz vs. 5 GHz, so that's not the issue.

However, the adapter may care about 802.11ac vs. 802.11a/802.11n. 802.11ac only operates in the 5 GHz band, as does 802.11a; 802.11n can operate in either the 2.4 GHz or 5 GHz band.

Hardware that supports 802.11n but not 802.11ac will not be able to receive any 802.11ac traffic and thus will not be able to sniff any 802.11ac traffic; I don't know whether your MacBook can support 802.11ac or not (according to the Wikipedia MacBook Pro article, 11ac support first showed up in October 2013, so earlier MacBook Pros wouldn't support it, and the MacBook Air article indicates that 11ac support also showed up in mid-2013).

Switching to the 2.4 MHz band should, it appears, force the phone to use 802.11n, so that might allow the Mac to receive its traffic.

(03 Mar '15, 16:04) Guy Harris ♦♦

I will give it a test from longer distance (to force mac use 2.4Ghz) and see if it switches to use ac, and update you guys soon, thank you so much again

(03 Mar '15, 20:00) annonymous
1

sorry i correcct it, mac book is on ac, phone is on an, both at 5 Ghz

That comment appears to have disappeared, but, if it's true that the MacBook was on 802.11ac and the phone was on 802.11a/802.11n (there's no "802.11an"; "an" refers to 802.11a and 802.11n, the first of which uses only the 5 GHz band and the latter of which can use either the 2.4 GHz or the 5 GHz band), then the MacBook should be able to capture the phone's traffic as long as they're both using the same band and channel within that band.

If the phone was using ac and the MacBook was using a or n, then the MacBook probably wouldn't be able to capture the phone's traffic.

(03 Mar '15, 21:41) Guy Harris ♦♦

I couldn't force switch mac to use particular protocol, it is working on another network, I assume the culprit is only this protocol difference, I will mark it as accepted, Thanks a lot for your help @Guy @franc

(05 Mar '15, 11:00) annonymous
showing 5 of 20 show 15 more comments