This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark/tcpdump doesn’t capture all packets on WiFi

0

Hello,

I've got a strange problem when I'm capturing packets in my open WiFi network. If I set the WiFi card in monitor mode and start Wireshark or tcpdump, many beacons and other 802.11 stuff appears. Also, some HTTP traffic is shown, but I'm missing important packets which do not appear in Wireshark.

I guess my WiFi card is too slow for all the packets flying around in the network, am I right?

I also tried promiscuous mode, but in this mode no packets are captured; I guess my WiFi card does not support this mode.

NIC: IBM Thinkpad 11a/b/g AR5BXB6
OS: Kali Linux x86 (newest)

Please help me with suggestions or answers as to why I'm not receiving all packets.

asked 11 Aug '15, 17:06

eizi

edited 12 Aug '15, 03:29

grahamb ♦


One Answer:

1

That depends. Your card only supports 11a/b/g. Other traffic may be transmitted using 11n or 11ac. In that case, you could never capture those packets.

If you are able to capture Beacons from the WiFi network that you are associated with, then look to see if there are any HT or VHT information elements. If you see them, then the AP is configured to support technologies that your adapter cannot.

answered 11 Aug '15, 18:11

Amato_C

Thank you for the answer!

What are HT or VHT elements?

I'm capturing packets on the local machine which sends/receives the packets, and I capture the packets with Kali Linux in monitor mode, where many HTTP packets sent from the local machine are missing/not received.

So I don't think it is a problem with the WiFi standards of the WiFi stick, because some HTTP packets are captured from the adapter... am I right? Or is it possible that some HTTP packets are sent with the a/b/g standard and others with 11n, which the adapter can't see?

(11 Aug '15, 18:24) eizi

HT and VHT elements are located within Beacon frames sent by the AP. You should see frames that are labeled as Beacons within your capture. Look at the Info field to see the frames labeled as Beacons. Then double click a Beacon frame to view the contents.

In your original post you mentioned that the adapter was configured in monitor mode. This will capture all packets of all SSIDs from the currently selected channel. Are you certain that you are only observing traffic to/from your adapter?

(11 Aug '15, 18:56) Amato_C

OK, I've disabled the n standard in the router and only allow a/b/g, and now all packets are captured! Thank you very much.

But I don't understand why some packets are transported with different standards; is that normal? I thought the router and the station always use the same standard?

Now I've got another question, and it would be very kind if someone could also answer this question :) Now I want to buy a WiFi stick which supports the n standard, the 5 GHz frequency spectrum, packet injection, monitor and promiscuous mode. The stick should not be very expensive, about 30 euros or cheaper. 5 GHz is not a must-have.

Thank you for your answers and suggestions!

(12 Aug '15, 14:53) eizi

Please ask that question separately, so that people interested in answers to that question can find it. This is a Q&A site, not a forum; the idea is that people should be able to try to see whether their question has already been asked and answered before asking it, so we don't want threads that involve multiple questions, we want individual questions with discussion as needed to understand the question or answer.

(12 Aug '15, 16:09) Guy Harris ♦♦

But I don't understand why some packets are transported with different standards; is that normal? I thought the router and the station always use the same standard?

The router - by which I presume you mean "the access point" - when talking to a particular station will use whatever is the appropriate standard. However, there may be multiple stations on the network, using different standards; for example, there may be one machine that only supports 11b, another that supports 11g, and still another that supports 11n. If you're capturing with a card that supports 11g but not 11n, you'll be able to see traffic to and from the 11b machine and traffic to and from the 11g machine, but not traffic to and from the 11n machine.

(12 Aug '15, 16:13) Guy Harris ♦♦
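
The check described in the answer above (look in the Beacon for HT or VHT information elements), as an added example that is not part of the original thread: a Python parser that walks a Beacon's tagged parameters and reports which 802.11n/802.11ac elements the AP advertises. Element IDs 45, 61, 191 and 192 are the IEEE 802.11 HT/VHT element IDs; `build_beacon` and the frames it produces are constructed for the demo, and the input is assumed to start at the 802.11 header with any radiotap header already removed.

```python
import struct

# IEEE 802.11 element IDs that show the AP supports 11n (HT) or 11ac (VHT).
PHY_ELEMENTS = {
    45: "HT Capabilities (802.11n)",
    61: "HT Operation (802.11n)",
    191: "VHT Capabilities (802.11ac)",
    192: "VHT Operation (802.11ac)",
}
MAC_HEADER_LEN = 24      # management frame header, no HT Control field
FIXED_PARAMS_LEN = 12    # timestamp (8) + beacon interval (2) + capabilities (2)

def iter_elements(tagged):
    """Yield (element_id, value) pairs; stop cleanly on a truncated element."""
    pos = 0
    while pos + 2 <= len(tagged):
        eid, length = tagged[pos], tagged[pos + 1]
        value = tagged[pos + 2:pos + 2 + length]
        if len(value) < length:      # capture cut short (snaplen) or trailing FCS
            return
        yield eid, value
        pos += 2 + length

def beacon_phy_elements(frame):
    """Return (ssid, sorted names of HT/VHT elements) for a raw Beacon frame."""
    if len(frame) < MAC_HEADER_LEN + FIXED_PARAMS_LEN:
        raise ValueError("frame too short to be a Beacon")
    (frame_control,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (frame_control >> 2) & 0x3, (frame_control >> 4) & 0xF
    if (ftype, subtype) != (0, 8):   # management / Beacon
        raise ValueError("not a Beacon frame")
    ssid, found = None, set()
    for eid, value in iter_elements(frame[MAC_HEADER_LEN + FIXED_PARAMS_LEN:]):
        if eid == 0 and ssid is None:
            ssid = value.decode("utf-8", errors="replace")
        elif eid in PHY_ELEMENTS:
            found.add(PHY_ELEMENTS[eid])
    return ssid, sorted(found)

def build_beacon(ssid, extra_elements):
    """Build a minimal Beacon with zero-filled elements (constructed sample data)."""
    header = struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + b"\x02" * 12 + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0401)
    body = bytes([0, len(ssid)]) + ssid.encode()
    for eid, length in extra_elements:
        body += bytes([eid, length]) + bytes(length)
    return header + fixed + body
```

An empty list for a Beacon from the AP means it advertises only legacy a/b/g rates; any HT or VHT entry means associated stations may use modulations an a/b/g-only capture adapter cannot receive.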