This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

When I capture using Wireshark 2.0.1 in monitor mode, I only see WLAN control packets (clear-to-send, request-to-send, beacons, etc.) but not the TCP/UDP packets I'm sending and receiving. I see no packets relating to data except "QoS Data". I added my network's WPA-PSK key to the 802.11 preferences.

Should I expect to be able to see data packets as well as control packets? I'm running OS X 10.11.2 (El Capitan) on a Macbook Pro with a built-in Airport Extreme Wi-Fi card.

asked 28 Jan '16, 16:41

freyr


Should I expect to be able to see data packets as well as control packets?

Yes. Did you read the following wiki page? https://wiki.wireshark.org/HowToDecrypt802.11

Some common mistakes are:

  1. Not capturing all 4 EAPOL frames. To do this, you need to capture frames when the client first associates to the WLAN
  2. Not enabling the WLAN decryption option in Wireshark
  3. Toggling the decryption option on to off then back on again.

answered 29 Jan '16, 02:17

Amato_C

Amato, thanks for your suggestions. I initially was having trouble capturing the EAPOL frames because I thought they needed to be sent between the router and my capture device (i.e., my laptop), and I couldn't get my laptop to associate with the WLAN if I was already in monitor mode. But then I tried connecting another device (phone) and captured 4 EAPOL frames.

I now seem to be getting decrypted TCP and UDP packets (although they are all red text on a black background, indicating a malformed packet).

(29 Jan '16, 13:02) freyr

Could you share the trace with us, or at least a screenshot?

(29 Jan '16, 13:18) Christian_R

I would recommend you post a new question to the Wireshark community about this new problem you are experiencing. This will allow other experts to view the problem also. As Christian_R has suggested, post a trace on Google Drive or Cloudshark to help diagnose the issue.

Also, if the answer provided solved your problem, please accept the solution so others can also learn.

(29 Jan '16, 15:20) Amato_C

Thanks for helping to solve the EAPOL issue. I'm still playing around with the separate TCP issue but I will post a new thread if I can't get it working.

(29 Jan '16, 15:35) freyr
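
The first item in the answer above (all 4 EAPOL frames must be in the capture) can be checked mechanically. The following is an added example, not part of the original thread or of Wireshark's code: it classifies raw EAPOL-Key frames (bytes starting at the EAPOL version field) by their Key Information flags and reports which handshake messages are missing. The function names and sample frames are constructed for illustration, and the message 2 versus message 4 test assumes WPA2, where message 4 has the Secure bit set.

```python
import struct

# Key Information flag bits in the EAPOL-Key descriptor (IEEE 802.11).
PAIRWISE, ACK, MIC, SECURE = 0x0008, 0x0080, 0x0100, 0x0200

def handshake_message(eapol: bytes):
    """Return 1-4 for a pairwise 4-way handshake message, otherwise None."""
    if len(eapol) < 7:
        return None  # too short to hold the Key Information field
    _ver, ptype, _length, _desc, info = struct.unpack_from("!BBHBH", eapol)
    if ptype != 3 or not info & PAIRWISE:
        return None  # not EAPOL-Key, or a group key handshake frame
    ack, mic = bool(info & ACK), bool(info & MIC)
    if ack:
        return 3 if mic else 1  # AP -> client: message 1 carries no MIC yet
    if mic:
        return 4 if info & SECURE else 2  # client -> AP (WPA2 assumption)
    return None

def missing_messages(frames):
    """List the handshake messages (1-4) absent from the EAPOL frames."""
    seen = {handshake_message(f) for f in frames}
    return sorted({1, 2, 3, 4} - seen)

def make_frame(key_info: int) -> bytes:
    """Constructed sample: EAPOL-Key frame with zeroed nonce, MIC and data."""
    body = struct.pack("!BH", 2, key_info) + bytes(92)
    return struct.pack("!BBH", 2, 3, len(body)) + body

# Constructed Key Information values typical of a WPA2-PSK handshake.
FULL = [make_frame(v) for v in (0x008A, 0x010A, 0x13CA, 0x030A)]
LATE = FULL[2:]  # capture started after the client began associating

if __name__ == "__main__":
    print("full capture missing:", missing_messages(FULL))
    print("late capture missing:", missing_messages(LATE))
```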

question asked: 28 Jan '16, 16:41

question was seen: 4,066 times

last updated: 29 Jan '16, 15:35