This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Only capturing broadcasts?

0
1

So I'm using Kali Linux, and when I want to use Wireshark, the first thing I do is start monitor mode with airmon-ng, which then says the adapter is in monitor mode. It is a Panda Ultra 150Mbps 802.11n USB Adapter which was advertised to have both monitor and injection modes.

Then, I use iwconfig to confirm it's in monitor mode.

Then, I start Wireshark and capture on wlan3mon, and this is all I get. Any help?

Edit: after trying your suggestion, Amato_C, I captured more than broadcasts, but I thought I was supposed to be getting HTTP packets from other devices on the network. It just seems like I'm only getting traffic from myself.

asked 24 Aug '15, 12:07

napzackz
accept rate: 0%

edited 24 Aug '15, 21:19

Are you trying to capture WiFi traffic on wlan0? It appears that wlan0 and wlan3 are on the same laptop/PC. Did you try:

  1. Shutting down wlan0 on the PC that you are performing the capture

  2. Capture WiFi traffic from another WLAN client using wlan3.

(24 Aug '15, 18:41) Amato_C

Wlan3 has stopped working since I posted this, but it's the same exact thing happening when I try it with wlan0.

(24 Aug '15, 19:03) napzackz
1

Are you using a capture filter?

Note that capture filters that look at IP (v4 or v6), TCP, UDP, etc. information, or even look at link-layer type information such as Ethernet types, will NOT work on "protected" networks, i.e. networks using WEP or WPA/WPA2 encryption, as, at the layer where the capture filter is checked, the packets are still encrypted, and the only non-encrypted parts are the 802.11 MAC addresses and other 802.11 frame header fields.

(24 Aug '15, 21:33) Guy Harris ♦♦

nope, no filters

(24 Aug '15, 21:47) napzackz

What is the configuration of your WLAN? Is your WLAN configured for 40MHz operation while you are capturing at 20MHz?

It would be best if you could post a capture on Cloudshark or Google Drive that included Beacon frames and a device associating to the network (i.e., Association Request and Response frames).

(25 Aug '15, 03:57) Amato_C

One Answer:

0

Let's try the following.

  1. Remove the Panda Ultra 150 USB stick and reboot the laptop/PC.
  2. Issue the command ifconfig. You should only see wlan0 = the Atheros AR9565 adapter.
  3. Issue the command iwlist wlan0 scanning. This command performs a scan and will report all the available networks along with their associated channels. This could take some time depending on your RF environment, so be patient.
  4. Find the SSID and the associated channel. Remember the channel for the next step.
  5. Issue the command airmon-ng start wlan0 (channel), where channel was determined from step #4. For example, if you determined the WLAN exists on channel 6, then issue the command airmon-ng start wlan0 6
  6. Start Wireshark.
  7. Select the interface mon0 or whatever monitor interface exists, such as mon1 or mon2. Do not select wlan0.
  8. Begin your capture.

answered 24 Aug '15, 19:29

Amato_C
accept rate: 14%

Thanks for the answer, Amato_C. I've updated the question with more information about it.

(24 Aug '15, 21:20) napzackz
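
Steps 3 to 5 of the answer above, written as a script. This is an added example, not something posted in the original thread. The function name, the SSIDs, the MAC addresses and the sample scan text are constructed for illustration, and it assumes the usual `iwlist ... scanning` output layout.

```shell
#!/usr/bin/env bash
# Added example: find the channel(s) an SSID is on from `iwlist <iface> scanning`
# output, then start monitor mode on that channel.

# Reads iwlist scan output on stdin; prints each distinct channel on which the
# SSID given as $1 was seen. Returns 1 if the SSID is not in the scan.
channels_for_ssid() {
    WANT="$1" awk '
        /Cell [0-9]+ - Address:/ { chan = "" }            # a new AP entry begins
        /^[[:space:]]*Channel:/ {                         # not the "Frequency:" line
            chan = $0; sub(/.*Channel:/, "", chan); gsub(/[^0-9]/, "", chan)
        }
        /ESSID:"/ {
            ssid = $0
            sub(/.*ESSID:"/, "", ssid); sub(/"[[:space:]]*$/, "", ssid)
            if (ssid == ENVIRON["WANT"] && chan != "" && !(chan in seen)) {
                seen[chan] = 1; print chan; found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample scan output (not taken from the thread).
SAMPLE_SCAN='wlan0     Scan completed :
          Cell 01 - Address: 02:00:00:00:00:01
                    Channel:6
                    Frequency:2.437 GHz (Channel 6)
                    ESSID:"HomeNet"
          Cell 02 - Address: 02:00:00:00:00:02
                    Channel:11
                    Frequency:2.462 GHz (Channel 11)
                    ESSID:"Neighbor"
          Cell 03 - Address: 02:00:00:00:00:03
                    Channel:1
                    Frequency:2.412 GHz (Channel 1)
                    ESSID:"HomeNet"'

# Real use (as root): ./script.sh wlan0 HomeNet   (both arguments are placeholders)
if [ "$#" -eq 2 ]; then
    chans=$(iwlist "$1" scanning | channels_for_ssid "$2") || {
        echo "SSID '$2' not found in scan" >&2; exit 1; }
    set -- "$1" $chans          # $2 is now the first channel found
    # A monitor interface listens on one channel at a time, so traffic through
    # access points on the other channels will not appear in the capture.
    [ "$#" -gt 2 ] && echo "SSID seen on channels: $chans; using $2" >&2
    airmon-ng start "$1" "$2"
fi
```
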