This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Viewing packets over WPA2 wlan: Only sees one DHCP packet?

0

I am using Wireshark to analyse traffic on my home network, in particular examining packets sent between my Android phone and the AP of a WPA2 wireless network. To do this I have set my adapter into monitor mode, and entered the WLAN password and SSID under the 802.11 settings.

Unfortunately, the only decrypted packet I seem to get from the analysis is a single DHCP ACK packet sent from the AP to the device. I've used the filter "eapol || ip" just so I can see that the EAPOL packets are received so that Wireshark can decrypt communication between the device and the AP, and see any IP datagrams sent between the two. I get the four EAPOL packets, and then straight after that the DHCP packet. But I never get anything else. I generate traffic by browsing websites, etc on my phone, but nothing comes up.

I have my suspicions that the network card or driver or something may be buggy, for the following reasons:

  1. When I put the card in monitor mode, the capture often stops after a random amount of time, spitting out the following message: "Unknown message from dumpcap, try to show it as a string: Can't restore interface wlan0 wireless mode (SIOCSIWMODE failed: Operation not permitted). Please adjust manually."

  2. I've tested this using an open Wi-Fi network and have had more success with unencrypted packets, but even then packets seem to be dropped. For example, I will see HTTP requests but not replies for certain machines, even after fiddling with TCP and HTTP options about reassembling packets.

I'm running version 1.10.6 of Wireshark on Ubuntu 14.04, using an Atheros wireless chipset (ath9k driver for the Atheros AR9565).

Can anyone shed some light on this issue?

Thanks in advance

asked 08 Nov '15, 02:31


borophyll
6112
accept rate: 0%
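The "eapol" part of the filter described above, worked as an added Python example (not code from the question, the answer or the Wireshark project): it classifies EAPOL-Key frames by their Key Information bits, reports which of the four handshake messages a capture lacks, and derives the PMK that the SSID and passphrase entered in the 802.11 preferences produce. The frames are constructed for the example; only the 802.1X payload is modelled, with nonces and MICs zeroed.

```python
import hashlib

# Key Information bits of the EAPOL-Key descriptor (IEEE 802.11).
KEY_INFO_PAIRWISE, KEY_INFO_INSTALL = 1 << 3, 1 << 6
KEY_INFO_ACK, KEY_INFO_MIC, KEY_INFO_SECURE = 1 << 7, 1 << 8, 1 << 9
EAPOL_KEY = 3  # 802.1X packet type; the descriptor body before Key Data is 95 bytes

def eapol_key_message_number(frame: bytes) -> int:
    """1..4 for a 4-way handshake message, else 0. `frame` starts at the 802.1X header."""
    if len(frame) < 4 + 95 or frame[1] != EAPOL_KEY:
        return 0
    key_info = int.from_bytes(frame[5:7], "big")
    ack, mic = key_info & KEY_INFO_ACK, key_info & KEY_INFO_MIC
    install, secure = key_info & KEY_INFO_INSTALL, key_info & KEY_INFO_SECURE
    if ack and not mic:                  # AP -> STA: ANonce
        return 1
    if mic and not ack and not secure:   # STA -> AP: SNonce, MIC
        return 2
    if ack and mic and install:          # AP -> STA: GTK, install PTK
        return 3
    if mic and not ack and secure:       # STA -> AP: confirmation
        return 4
    return 0

def missing_handshake_messages(frames) -> list:
    """Message numbers absent from `frames`; [] means all four were captured."""
    seen = {eapol_key_message_number(f) for f in frames}
    return [n for n in (1, 2, 3, 4) if n not in seen]

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK per IEEE 802.11: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits. The SSID is
    the salt, so a wrong SSID in the 802.11 preferences yields a wrong key."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def make_eapol_key(key_info: int, key_data: bytes = b"") -> bytes:
    """Constructed EAPOL-Key frame for testing (nonce, IV and MIC left zeroed)."""
    body = (bytes([2]) + key_info.to_bytes(2, "big") + (16).to_bytes(2, "big")
            + bytes(8 + 32 + 16 + 8 + 8 + 16) + len(key_data).to_bytes(2, "big") + key_data)
    return bytes([2, EAPOL_KEY]) + len(body).to_bytes(2, "big") + body

# Constructed frames in the order the question's "eapol" filter lists them.
_P = KEY_INFO_PAIRWISE | 2   # descriptor version 2: HMAC-SHA1 MIC, AES key wrap
FULL_HANDSHAKE = [
    make_eapol_key(_P | KEY_INFO_ACK),
    make_eapol_key(_P | KEY_INFO_MIC, b"\x30\x02\x01\x00"),
    make_eapol_key(_P | KEY_INFO_ACK | KEY_INFO_MIC | KEY_INFO_INSTALL | KEY_INFO_SECURE),
    make_eapol_key(_P | KEY_INFO_MIC | KEY_INFO_SECURE),
]
LOSSY_HANDSHAKE = FULL_HANDSHAKE[:2] + FULL_HANDSHAKE[3:]   # message 3 dropped
```

Wireshark can only decrypt a station's data frames once it has captured that station's handshake, so an adapter that drops frames, as suspected in the question, leaves it with no material to derive the session key from. Seeing four EAPOL packets is the first thing to confirm; the next is that the SSID entered matches the network exactly, since it salts the PMK.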


One Answer:

0
  1. Update to the latest kernel: https://www.kernel.org/
  2. Update to the latest ath9k drivers: https://wireless.wiki.kernel.org/en/users/drivers/ath9k
  3. Update to the latest Wireshark stable release: https://www.wireshark.org/download.html

I had a similar problem with my ath10k drivers. After performing all the upgrades as stated above, I had no issues.

answered 09 Nov '15, 06:09


Amato_C
1.1k142032
accept rate: 14%

Thanks Amato, I will try this and let you know...

(09 Nov '15, 22:07) borophyll