I have searched almost every forum on this topic but couldn't find a correct answer, so I hope you can help. My problem is that I cannot capture any frames other than broadcast or multicast in Wireshark on my WLAN interface (e.g. no ICMP packets, no HTTP packets, etc.). Please follow the details below:
However, I cannot capture any UNICAST frames. Please tell me what I am missing. Thanks.
asked 06 Jun '16, 23:18 bahmanthegreat
One Answer:
That kernel, if I recall, has a regression for monitor mode with RT chipsets: http://marc.info/?l=linux-wireless&m=145311668331789&w=2 On Kali Rolling, try to get to this kernel or later:
I capture regularly with RT chipsets but had to work around that driver issue by upgrading kernels. To upgrade the kernel, try
You can see what kernels are available with:
answered 07 Jun '16, 02:56 Bob Jones

Bob you are a genius! Upgrading the kernel solved the problem. Many thanks. (07 Jun '16, 04:47) bahmanthegreat

I note your very detailed question. Most just put 'It doesn't work' and rarely provide a capture file. With the detail you provided it was possible to go right to work and figure out what is wrong. Technically, this isn't a Wireshark issue but rather a hardware/driver problem. OK, I get why people won't put kernel versions and such, even though it can be important, but this is a Wireshark site, and some of the other people here really know what they are doing. So why people won't put up a capture file for those experts to look at until it is practically ripped out of them is beyond me... (07 Jun '16, 06:02) Bob Jones
Not an authoritative answer - you may be missing a proper driver which would let through all frames captured in monitoring mode, regardless of their destination MAC address. This seems obvious, but some drivers' authors think otherwise, so monitoring mode doesn't automatically mean promiscuous mode, and there is currently no chance to ask the driver for both simultaneously.
Alternatively, the driver may be OK but you forgot about WPA security - Wireshark cannot recognize any packets as ICMP, HTTP etc. without decrypting them first.
So to choose the right possibility: can you see any other destination MAC addresses than broadcast and multicast (and your own one) in the captured frames?
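The check suggested above (do any captured frames carry a receiver address that is neither broadcast, multicast nor your own station?) can be automated. The following is an added example, not code from anyone in this thread: it parses the fixed part of the 802.11 MAC header (Frame Control and Address 1) from raw frames without a radiotap header, classifies each receiver address, and reports whether any foreign unicast frames were seen. All MAC addresses and frames below are constructed sample data.

```python
"""Classify receiver addresses in captured 802.11 frames (added example).

Assumes raw 802.11 frames with no radiotap/PRISM header in front of them;
strip the link-layer pseudo-header first if your capture has one.
"""
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211_header(frame: bytes) -> dict:
    """Return type, subtype and Address 1 (the receiver) of an 802.11 frame.

    Frame Control is little-endian; type and subtype live in its first byte.
    Address 1 follows the 2-byte Duration field, so 10 bytes suffice even for
    control frames such as ACK that carry only one address.
    """
    if len(frame) < 10:
        raise ValueError("frame too short for an 802.11 MAC header")
    fc0 = frame[0]
    return {
        "type": (fc0 >> 2) & 0x3,      # 0 = management, 1 = control, 2 = data
        "subtype": (fc0 >> 4) & 0xF,
        "addr1": mac_str(frame[4:10]),
    }


def classify_receiver(addr1: str, own_mac: str) -> str:
    """Broadcast, multicast (I/G bit set in the first octet), own or other unicast."""
    if addr1 == BROADCAST:
        return "broadcast"
    if int(addr1.split(":")[0], 16) & 0x01:
        return "multicast"
    if addr1 == own_mac.lower():
        return "own_unicast"
    return "other_unicast"


def diagnose(frames, own_mac: str) -> dict:
    """Count receiver classes; a monitor-mode capture that passes every frame
    should show other_unicast > 0 on any busy open network."""
    counts = Counter(
        classify_receiver(parse_80211_header(f)["addr1"], own_mac) for f in frames
    )
    return {"counts": dict(counts), "sees_other_unicast": counts["other_unicast"] > 0}


def build_frame(fc0: int, flags: int, addr1: str, addr2=None, addr3=None) -> bytes:
    """Construct a minimal 802.11 frame for the samples below (test data only)."""
    frame = bytes([fc0, flags]) + b"\x00\x00" + mac_bytes(addr1)
    if addr2 is not None:
        frame += mac_bytes(addr2)
    if addr3 is not None:
        frame += mac_bytes(addr3) + b"\x00\x00"  # Sequence Control
    return frame


# Constructed sample addresses (locally administered, not real devices).
OWN_MAC = "02:11:22:33:44:55"
AP_MAC = "02:00:00:00:00:01"
OTHER_STA = "02:aa:bb:cc:dd:ee"
MDNS_GROUP = "01:00:5e:00:00:fb"

BEACON = build_frame(0x80, 0x00, BROADCAST, AP_MAC, AP_MAC)        # mgmt/beacon
DATA_MCAST = build_frame(0x08, 0x02, MDNS_GROUP, AP_MAC, OTHER_STA)  # data, FromDS
DATA_OWN = build_frame(0x08, 0x02, OWN_MAC, AP_MAC, AP_MAC)
DATA_OTHER = build_frame(0x08, 0x02, OTHER_STA, AP_MAC, AP_MAC)
ACK_OTHER = build_frame(0xD4, 0x00, OTHER_STA)                       # control/ACK

# What a working monitor-mode driver delivers vs. the symptom in this thread.
HEALTHY_CAPTURE = [BEACON, DATA_MCAST, DATA_OWN, DATA_OTHER, ACK_OTHER]
SYMPTOM_CAPTURE = [BEACON, DATA_MCAST]

if __name__ == "__main__":
    for name, capture in (("healthy", HEALTHY_CAPTURE), ("symptom", SYMPTOM_CAPTURE)):
        print(name, diagnose(capture, OWN_MAC))
```

If the "symptom" pattern (nothing but broadcast and multicast receivers) shows up on a capture taken next to an active open network, the driver is filtering on Address 1 before Wireshark ever sees the frame, which matches the hardware/driver explanation rather than a Wireshark or encryption problem.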
Thanks for the quick reply, Sindy.
To clarify:
1. No encryption is applied to the SSID, it's open.
2. I do not receive any frames for destinations other than Broadcast/Multicast.
3. I do not receive frames destined to my own station unless I am connected to the AP (which beats the purpose if I do because I have to change out of monitor mode).
4. I have tried filtering out the broadcast/multicast frames from the capture and the output showed no frames at all.
5. No firewall is running, no antiviruses.
6. I can see ARP requests, SSDP, NBNS, IGMP, etc. but no unicast traffic.
How can I make sure I have the correct driver?
I'm afraid that only by reading the driver's code, and patching it if necessary.