When running in monitor mode, Wireshark does not capture outgoing packets. For example, when pinging another computer on my network, I can only see the replies. When I'm not in monitor mode, however, I can see both incoming and outgoing packets. Any ideas what might be causing this? I'm running Wireshark 2.0.1 on a Macbook Pro running OS X 10.11.2. I do not have any firewall, VPN, or AV software running. I've turned off WiFi encryption temporarily for the captures. asked 17 Feb '16, 12:49 freyr edited 17 Feb '16, 13:27 |
Did you try the suggestions in the followink link: https://ask.wireshark.org/questions/27296/wireshark-only-capturing-incoming-packets
I suspect that in monitor mode, the wireless driver may not record the sent frames at all, as the assumption is that when you use monitoring mode, the capturing device is not taking part in the communication but only listens. But this is nothing more than an idea.
Amato_C I have disabled any software that might interfere. That post alludes to TCP/IP offloading... I don't know whether that could be causing an issue with monitor mode, but I haven't been able to find any indication that the MacBook does offloading.
@freyr = disabled or uninstalled? There is a difference. Please uninstall all software that hooks into the TCP/IP stack.
@amato_c I completely uninstalled Cisco AnyConnect VPN software, because I noticed it was still running a process even after I exited the application. I do not have any AV or firewall software installed, and OS X's built in firewall is turned off. I'm hoping the Cisco software / my IT department didn't surreptitiously install anything else that's running in the background. My coworker's laptop has the exact same issue. I will try repeating this with my personal MacBook over the weekend.