This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

When running in monitor mode, Wireshark does not capture outgoing packets. For example, when pinging another computer on my network, I can only see the replies. When I'm not in monitor mode, however, I can see both incoming and outgoing packets. Any ideas what might be causing this?

I'm running Wireshark 2.0.1 on a Macbook Pro running OS X 10.11.2. I do not have any firewall, VPN, or AV software running. I've turned off WiFi encryption temporarily for the captures.

asked 17 Feb '16, 12:49

freyr's gravatar image

freyr
11226
accept rate: 0%

edited 17 Feb '16, 13:27

(17 Feb '16, 19:50) Amato_C

I suspect that in monitor mode, the wireless driver may not record the sent frames at all, as the assumption is that when you use monitoring mode, the capturing device is not taking part in the communication but only listens. But this is nothing more than an idea.

(17 Feb '16, 22:28) sindy

Amato_C I have disabled any software that might interfere. That post alludes to TCP/IP offloading... I don't know whether that could be causing an issue with monitor mode, but I haven't been able to find any indication that the MacBook does offloading.

(18 Feb '16, 08:45) freyr

@freyr = disabled or uninstalled? There is a difference. Please uninstall all software that hooks into the TCP/IP stack.

(18 Feb '16, 09:14) Amato_C

@amato_c I completely uninstalled Cisco AnyConnect VPN software, because I noticed it was still running a process even after I exited the application. I do not have any AV or firewall software installed, and OS X's built in firewall is turned off. I'm hoping the Cisco software / my IT department didn't surreptitiously install anything else that's running in the background. My coworker's laptop has the exact same issue. I will try repeating this with my personal MacBook over the weekend.

(18 Feb '16, 09:20) freyr
Be the first one to answer this question!
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×157
×134
×86
×13

question asked: 17 Feb '16, 12:49

question was seen: 1,674 times

last updated: 18 Feb '16, 09:23

p​o​w​e​r​e​d by O​S​Q​A