Wireless showing as Ethernet

Question

Hi, I've been struggling with this for days now, I have installed Backtrack 5, I have Atheros AR9287 wireless card. But whenever I open Wireshark to sniff the wireless network, I am able to see only my own traffic, or traffic targeted to the whole network *.255 only. I've noticed that whenever I try to select the capture interface, wlan0 (which is the wireless adapter) shows as ETHERNET, and I don't have 802.11 option in the drop down list...I've been searching for days now, and couldn't find any useful answer. I really do appreciate your help!

Answer 1

2

Basics things to try with that problem:

look in 'iwconfig' if your wireless card is recognized at all within BT5

Use airmon-ng start wlan0 to bring your wireless NIC into monitor mode
Since BT4 there are many cards coming up with a new "virtual" interface commonly called 'mon0'
Try sniffing with the mon0 interface now
If channel hopping is a problem, add the -c <channel number=""> flag to airmon-ng to specify the channel you're interedsted in

Apart from that, there are some issues with BT5 and wireless drivers atm - i would ask you to stick to the official BackTrack Forums for more help with that. There are several posts that might bring you forward.

permanent link

answered 27 May '11, 14:55

Landi
2.3k●5●14●42
accept rate: 28%

Thanks for your reply, I actually tried that before: airmon-ng start monitor wlan0 -c 6

But when I open wireshark, choose mon0 as my interface, I sniff as if I'm not on the network...everything is encrypted, no IP addresses.

Any other thoughts ?

(28 May '11, 01:49) Thirdium

Did airmon-ng respond that your chipset was successfully set into monitor mode ?

Try using airodump-ng -c 6 -w /tmp/tracefile, maybe wireshark tries enabling monitor mode as well which might interfere with airmon...

(28 May '11, 03:28) Landi

yes it does, here is the output:

Found 5 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID Name
1263    dhclient3
1675    dhclient3
10852   wpa_supplicant
10862   dhclient
10900   dhclient
Process with PID 1675 (dhclient3) is running on interface wlan0
Process with PID 10852 (wpa_supplicant) is running on interface wlan0
Process with PID 10900 (dhclient) is running on interface wlan0

Interface   Chipset     Driver

wlan0       Atheros AR9287  ath9k - [phy0]/usr/local/sbin/airmon-ng: line 598: [: -c: integer expression expected

                (monitor mode enabled on mon0)

(28 May '11, 15:33) Thirdium

Interface Chipset Driver

wlan0       Atheros AR9287  ath9k - [phy0]/usr/local/sbin/airmon-ng: line 598: [: -c: integer expression expected

                (monitor mode enabled on mon0)

(28 May '11, 15:33) Thirdium

This output:

/usr/local/sbin/airmon-ng: line 598: [: -c: integer expression expected

is obviously some error, because -c is not assigned in airmon... once again, try the following syntax

'airmon-ng start wlan0 6'

Then mon0 should be your virtuel NIC on 2.4GHz channel 6, then go for

'airodump-ng -w /tmp/tracefile mon0'

(29 May '11, 05:38) Landi

1

If your network is using WEP or WPA, then, when you capture in monitor mode, you will see the raw packets on the network - which will be encrypted. To decrypt it, see the How To Decrypt 802.11 page in the Wireshark wiki.

(31 May '11, 00:03) Guy Harris ♦♦

showing 5 of 6 show 1 more comments

Answer 2

0

You won't see the 802.11 layer unless you enable monitor mode on your WiFi card. Without it, you will only see the ethernet and further layers, but not the radio layer.

On backtrack you can use the airmon-ng utility to enable monitor mode if I remember correctly (has been a while I used it).

permanent link

answered 27 May '11, 14:47

Jasper ♦♦
23.8k●5●51●284
accept rate: 18%

Wireless showing as Ethernet

Follow this question

You have a trillion packets.

You need to see four of them.

Don't have Wireshark?

Related questions