I installed Ubuntu 14.04 on 3 PCs and used "apt-get install wireshark" to install Wireshark on them. They all work in monitor mode, but only one of them (the desktop) can capture RTP packets; the other two laptops can sniff other packets, but not RTP packets. Why?

asked 24 Apr '15, 19:31 DiveDave
One Answer:
Found the root cause: the Wi-Fi channel results in this problem. When the problem happened, my router's Wi-Fi was using channel 6. I didn't notice it. By accident I switched to another router, which uses channel 1, and I found that the two laptops captured RTP packets, but the desktop stopped. I tried all 11 channels; 1 & 3 are compatible with the two laptops, 2 & 6 are compatible with the desktop. And I didn't find one channel that works for all three computers. Finally I confirmed that all of them can connect to the Wi-Fi signal on either 1 & 3 or 2 & 6 to access the internet. So that means when sniffing, the wireless network card probably cannot work on every channel, just some of the channels.

answered 24 Apr '15, 23:26 DiveDave

Wi-Fi adapters are generally tuned to a particular channel; I'm not sure how good they are at picking up packets from adjacent channels (being good at that would, in general, probably not be considered a feature - you don't want interference from adjacent channels). Your adapters on both the laptops and the desktop should be able to use any channel in the set of channels supported by the 802.11 mode the adapter is using (b, g, a, n, ac). They might currently be configured to use different channels.
(24 Apr '15, 23:39) Guy Harris ♦♦

That makes sense. Is it possible to configure a specific channel manually under Ubuntu?
(24 Apr '15, 23:41) DiveDave

If the "View" menu has a "Wireless Toolbar" item, try selecting it; if that works, you'll have a toolbar that should, in theory, let you select the channel to capture on.
(24 Apr '15, 23:44) Guy Harris ♦♦

Didn't find it..., but thank you very much, will note this, maybe I can find it someday :) Happy weekend~
(24 Apr '15, 23:48) DiveDave
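The channel mismatch described in this answer can also be checked from a terminal with `iw`. This is an added example, not part of the original thread: it reads `iw dev <iface> info` output, reports whether a monitor-mode interface is tuned to the access point's channel, and prints the `iw dev <iface> set channel <n>` command when it is not. The interface name `mon0`, the script name `chancheck.sh` and the sample output are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of `iw dev <iface> info` output (not from the thread).
SAMPLE_INFO='Interface mon0
    ifindex 5
    addr 00:11:22:33:44:55
    type monitor
    wiphy 0
    channel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHz'

# Read `iw dev <iface> info` text on stdin, print the tuned channel number.
current_channel() { awk '$1 == "channel" { print $2; exit }'; }

# Read the same text on stdin, print the interface type (managed, monitor...).
iface_type() { awk '$1 == "type" { print $2; exit }'; }

# Centre frequency in MHz of a 2.4 GHz channel (1-14); fails on other input.
chan_to_freq() {
    case "$1" in
        14) echo 2484 ;;
        [1-9]|1[0-3]) echo $(( 2407 + 5 * $1 )) ;;
        *) return 1 ;;
    esac
}

# retune_plan WANT IFACE: read info text on stdin and print "ok" when the
# interface already listens on WANT, "not-monitor" when it is not in monitor
# mode, otherwise the iw command that retunes it.
retune_plan() {
    plan_info="$(cat)"
    plan_type="$(printf '%s\n' "$plan_info" | iface_type)"
    plan_have="$(printf '%s\n' "$plan_info" | current_channel)"
    if [ "$plan_type" != "monitor" ]; then
        echo "not-monitor"
    elif [ "$plan_have" = "$1" ]; then
        echo "ok"
    else
        echo "iw dev $2 set channel $1"
    fi
}

# Live use: sh chancheck.sh <ap-channel> <iface>  (needs iw and an adapter).
if [ "$#" -eq 2 ]; then
    echo "AP channel $1 is centred on $(chan_to_freq "$1") MHz"
    iw dev "$2" info | retune_plan "$1" "$2"
fi
```

The printed `iw` command has to be run as root, and the capture must be restarted on the retuned interface.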
By "other packets" do you mean "IP packets" (so that Wireshark shows them as IP, perhaps with TCP or UDP or...) or do you mean "802.11 packets" (which probably means they're encrypted with WEP or WPA/WPA2 and not being decrypted by Wireshark)?
Thanks. I can see IP addresses parsed and protocol types parsed (it's a test Wi-Fi network, so there is no password). I've already figured out the root cause, see below: