This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capture 802.11ac frames in monitor mode

Hi

I have 2 USB adapters, both 802.11ac enabled and supporting monitor mode operation. I have Wireshark version 1.10. I enable one of the USB adapters in monitor mode and connect the other adapter to an 802.11ac AP. I want to capture the traffic generated between the AP and the client (802.11ac). However, the monitor mode interface is capturing nothing at all.

Please guide me on where I am going wrong.

Thanks.

asked 04 Nov '15, 04:12

dheryta

What OS do you use?

(04 Nov '15, 04:21) Christian_R

I am using Ubuntu 14.04

(04 Nov '15, 04:24) dheryta

Are both USB adapters connected to the same PC/laptop?

(04 Nov '15, 11:40) Amato_C

"Capturing nothing" meaning "you try to capture and there are no packets at all" or "capturing nothing" as in "just a whole bunch of packets identified as '802.11' but nothing that looks like regular network traffic"?

(04 Nov '15, 14:32) Guy Harris ♦♦

@Amato_C: No, both adapters are connected to different laptops, connected to the same AP in infrastructure mode.

@Guy Harris: It's the former one, 'no packets at all'. The adapter is an Edimax AC1200 and it supports monitor mode operation.

(04 Nov '15, 19:54) dheryta

In the question, you say " I enable one of the USB adapters in monitor mode and connect the other adapter to 802.11ac AP." In a comment, you say "no both adapters are connected to different laptops, connected to same AP in infrastructure mode." Are both adapters connected to the AP, or is only one of them connected?

(05 Nov '15, 09:59) Guy Harris ♦♦

@Guy Harris: Sorry, that was an error. One of the adapters is connected to AP in infrastructure mode and the other is enabled as a monitor mode interface (not associated to AP) to capture WiFi traffic between AP and Client.

(05 Nov '15, 10:04) dheryta

And they're both set to the same channel?

(05 Nov '15, 10:08) Guy Harris ♦♦

As per my understanding, in monitor mode an interface listens to all channels in round-robin fashion, so there is no need to set a particular channel. I have done this with an Atheros card to capture WiFi traffic in 2.4GHz. Thus, I did not set any channel for the monitor mode interface either.

(05 Nov '15, 10:11) dheryta

"As per my understanding, in monitor mode an interface listens to all channels in round-robin fashion"

Not necessarily. That might be done by some adapters in some modes, but it's not done by all adapters in all modes - if channel scanning is being done, some traffic might be missed, as you won't be listening on any particular channel all the time, so it's not what you always want to do in monitor mode.

It's not done in software by Wireshark.

(05 Nov '15, 10:15) Guy Harris ♦♦

I added a monitor mode interface in Linux with the following commands:

    sudo iw dev wlan1 interface add mon1 type monitor
    sudo ifconfig mon1 up

Then, I try to listen on mon1 with Wireshark.

(05 Nov '15, 10:18) dheryta

One Answer:

Try this:

In all these commands, my WiFi adapter was named wlan1 in Ubuntu.

  1. Connect the adapter that will be used for capturing WiFi traffic to the WLAN.
  2. Issue command: iw wlan1 info
  3. Make note of the following: Channel frequency, Channel bandwidth, Center 1 frequency
  4. Disassociate the adapter from the WLAN
  5. Issue the following commands:

    ifconfig wlan1 down

    iw dev wlan1 set type monitor

    ifconfig wlan1 up

    iw dev wlan1 set freq (channel-freq) (channel-BW) (center-1-freq)

For example: iw dev wlan1 set freq 5180 80 5210

answered 05 Nov '15, 11:13

Amato_C
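Added example, not part of the original answer: a shell helper that reads `iw dev wlan1 info`-style output and prints the step 5 commands with the channel frequency, bandwidth and center-1 frequency filled in. The sample output is constructed, the function names are hypothetical, and the format of the channel line is an assumption, since iw does not promise stable output.

```sh
#!/bin/sh
# Added example: fill in the "iw dev <if> set freq" arguments from the
# channel line that "iw dev <if> info" prints while the adapter is associated.
# Assumed line format: "channel N (F MHz), width: W MHz, center1: C MHz".

# Constructed sample of info output (not a real capture).
SAMPLE_INFO='Interface wlan1
    ifindex 4
    type managed
    channel 36 (5180 MHz), width: 80 MHz, center1: 5210 MHz'

# Read info text on stdin and print "<freq> <width> <center1>".
# Returns 1 when there is no channel line (adapter not associated).
parse_chan() {
    line=$(sed -n 's/^[[:space:]]*channel [0-9]* (\([0-9]*\) MHz), width: \([0-9]*\) MHz.*center1: \([0-9]*\) MHz.*/\1 \2 \3/p' | head -n 1)
    [ -n "$line" ] || return 1
    printf '%s\n' "$line"
}

# Read info text on stdin and print the commands that switch IFACE to
# monitor mode on the same channel. Commands are printed, not executed.
monitor_cmds() {
    iface=$1
    chan=$(parse_chan) || {
        echo "no channel line found; is $iface associated?" >&2
        return 1
    }
    # Split "<freq> <width> <center1>" into $1 $2 $3.
    set -- $chan
    printf 'ifconfig %s down\n' "$iface"
    printf 'iw dev %s set type monitor\n' "$iface"
    printf 'ifconfig %s up\n' "$iface"
    printf 'iw dev %s set freq %s %s %s\n' "$iface" "$1" "$2" "$3"
}

# Demo on the constructed sample; on a live system, pipe in the output of
# "iw dev wlan1 info" taken before disassociating.
printf '%s\n' "$SAMPLE_INFO" | monitor_cmds wlan1
```

Review the printed commands and run them as root after disassociating the adapter from the WLAN.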