This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can’t capture data packets using Airpcap


I’m trying to use AirPCap (Classic) with WireShark Version 1.12.5 (v1.12.5-0-g5819e5b from master-1.12) 64 bit on Win7 64 bit with WinPCap 4.1.3 to capture packets on a 2.4GHz Wireless-G network (Channel 6) encrypted with a known WPA-PSK key.

The problem is that I’m seeing hardly any data packets (just control and management packets) even though the two devices I’m interested in are clearly exchanging lots of data. Neither device is the capture PC (a recent vintage HP laptop running on AC power.)

I’m using the following settings, although I’ve tried others with no luck:

  • promiscuous mode: on
  • Packet size filter: off
  • buffer size: 2 megabytes
  • Channel 2437 [BG 6]
  • offset 0
  • Capture type: 802.11 + Radio
  • Include 802.11 FCS in Frames: on
  • FCS Filter: All
  • frames Decryption type: Wireshark
  • Decryption keys: 1 key, Type: WPA-PWD, Key, SSID: as appropriate for the network

The capture was started with a Nexus 9 tablet with Wifi disabled and then it was enabled to ensure that the capture includes the EAPOL packets. Display filter “eapol” clearly includes the four EAPOL packets exchanged between device Htc_07:bc:f9 (the Nexus 9 tablet) and Netgear_bd_e8:6a (the Netgear router acting as the AP). However, filtering with “ip” shows only 3 bogus (corrupted) packets. Using filter “wlan.addr == b4:ce:f6:07:bc:f9” (the MAC address of the Nexus 9) shows a bunch of IEEE 802.11 control packets and a few encrypted IP Multicast packets but they are not decrypted using the WPA key.

Using a capture filter such as “wlan host b4:ce:f6:07:bc:f9” does not help either.

What am I doing wrong?

asked 04 Jun '15, 10:53


Gengen

edited 04 Jun '15, 10:58

Have you enabled the monitor mode for the device? I can't see it. I think AirPcap can not log on a WLAN network. But I have no experience with the AirPcap itself.

(04 Jun '15, 17:30) Christian_R

There is no "monitor mode" that I can find with the AirPCap driver. I do set promiscuous mode and it's supposed to work but really, it does not work for me.

(04 Jun '15, 19:05) Gengen

Are you trying to capture 11n or 11ac traffic? If your WLAN is using 40MHz or 80MHz channel bandwidth, but your WiFi adapter is set to capture only 20 MHz traffic, you will only see Control and Management frames.

(07 Jun '15, 17:52) Amato_C
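
Added example, not part of the original thread: a Python tally of 802.11 frame types read from the Frame Control field of radiotap-prefixed packets (the "802.11 + Radio" capture type), to quantify the "only control and management frames" symptom discussed above. The function names, the minimal radiotap header and the sample packets are constructed for illustration.

```python
import struct
from collections import Counter

TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}

def strip_radiotap(packet: bytes) -> bytes:
    """Drop the radiotap header; its total length is a little-endian u16 at offset 2."""
    if len(packet) < 8 or packet[0] != 0:
        raise ValueError("not a radiotap packet")
    (hdr_len,) = struct.unpack_from("<H", packet, 2)
    if hdr_len < 8 or hdr_len > len(packet):
        raise ValueError("bad radiotap length")
    return packet[hdr_len:]

def classify(frame: bytes):
    """Return (type name, subtype, protected flag) from the Frame Control field."""
    if len(frame) < 2:
        raise ValueError("truncated 802.11 frame")
    fc0, fc1 = frame[0], frame[1]
    # Byte 0: bits 2-3 = type, bits 4-7 = subtype. Byte 1: 0x40 = Protected Frame.
    return TYPES[(fc0 >> 2) & 0x3], fc0 >> 4, bool(fc1 & 0x40)

def summarize(packets):
    """Count frames per type, plus data frames that carry a payload."""
    counts = Counter()
    for pkt in packets:
        try:
            ftype, subtype, protected = classify(strip_radiotap(pkt))
        except ValueError:
            counts["unparsed"] += 1
            continue
        counts[ftype] += 1
        # Data subtypes with bit 0x4 set (Null, QoS Null, ...) have no payload.
        if ftype == "data" and not subtype & 0x4:
            counts["data_with_payload"] += 1
            if protected:
                counts["protected_payload"] += 1
    return counts

# Constructed sample packets: minimal 8-byte radiotap header + zero-filled frame body.
RT = bytes([0, 0, 8, 0, 0, 0, 0, 0])
def sample(fc0, fc1, body_len=22):
    return RT + bytes([fc0, fc1]) + bytes(body_len)

SAMPLE = [sample(0x80, 0x00), sample(0xD4, 0x00, 8), sample(0xB4, 0x00, 14),
          sample(0x48, 0x11), sample(0x88, 0x41, 40), b"\x00\x00"]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
```

A capture where `management` and `control` are plentiful but `data_with_payload` stays near zero matches the symptom described in the question.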