When I capture using Wireshark 2.0.1 in monitor mode, I only see WLAN control packets (clear-to-send, request-to-send, beacons, etc.) but not the TCP/UDP packets I'm sending and receiving. I so no packets relating to data except "QoS Data". I added my network's WPA-PSK key to the 802.11 preferences. Should I expect to be able to see data packets as well as control packets? I'm running OS X 10.11.2 (El Capitan) on a Macbook Pro with a built-in Airport Extreme Wi-Fi card. asked 28 Jan '16, 16:41  freyr |
One Answer:
Should I expect to be able to see data packets as well as control packets? Yes. Did you read the following wiki page?https://wiki.wireshark.org/HowToDecrypt802.11 Some common mistakes are:
answered 29 Jan '16, 02:17  Amato_C |
Amato, thanks for your suggestions. I initially was having trouble capturing the EAPOL frames because I thought they needed to be sent between the router and my capture device (i.e., my laptop), and I couldn't get my laptop to associate with the WLAN if I was already in monitor mode. But then I tried connecting another device (phone) and captured 4 eapol frames.
I now seem to be getting decrypted TCP and UDP packets (although they are all red text on a black background, indicating a malformed packet).
Could share us the trace or at least a screenshot?
I would recommend you post a new question to the Wireshark community about this new problem you are experiencing. This will allow other experts to view the problem also. As Christian_R has suggested, post a trace on Google Drive or Cloudshark to help diagnose the issue.
Also, if the answer provided solved your problem, please accept the solution so others can also learn.
Thanks for helping to solve the EAPOL issue. I'm still playing around with the separate TCP issue but I will post a new thread if I can't get it working.