This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Why can’t I capture data packets in monitor mode?

0

Hello everyone. I have a question about capturing WiFi data packets using the following device and driver: DWA-182 Wireless AC1200 Dual Band USB Adapter; Acrylic Free WLAN NDIS driver -> lets the DWA-182 turn on monitor mode and capture packets on Windows 7; Wireshark 2.0.4 (64-bit).

I want to catch packets going in and out of a particular client. So I set a display filter like this: wlan.sa == xx:xx:xx:xx:xx:xx || wlan.da == xx:xx:xx:xx:xx:xx. After I start capturing packets, I turn on the client. I can catch probe_request, probe_response, 4 EAPOL, null function data frames and QoS null function data frames. But I can't catch data or QoS data frames, even if I remove the display filter. I found out that all the packets I catch are malformed packets, except for the null function data frames and QoS null function data frames. Is this the point? Does anyone have an idea? Please help. Thanks.

asked 29 Jul '16, 01:53


Frazier
accept rate: 0%

edited 29 Jul '16, 02:44


One Answer:

1

Capturing WiFi traffic can be complex. You need to have the right hardware and software which supports the traffic you are trying to capture.

Specifically, the capture device needs to be able to capture frames that are in the RF environment. There are many different permutations of capabilities, especially when it comes to 802.11n or 802.11ac support. Your capture adapter needs to be able to match settings, such as:

  • Frequency, i.e. 2.4 or 5 GHz
  • Bandwidth, 20/40/80 MHz
  • Spatial streams, up to 4 now on the market (?)
  • Guard interval, long or short
  • LDPC support
  • Frame aggregation
  • MCS Index (implicit, can be derived from the other parameters mentioned)
  • ... I am missing some...

What you will find is that 'overhead' traffic like probes, ACKs, RTS/CTS, etc., usually goes at relatively low data rates, so you might pick those up easily. However, under good conditions, data frames (type data or QoS-data) would go at full speed, so this is where you need to have good capture capability. Another big issue with WiFi is not being in promiscuous mode, but based on your description that appears not to be an issue here - that would only show broadcast/multicast traffic even if other capabilities exist.

To test out your capture environment, turn 802.11n and/or 802.11ac capability off. Do you see all the traffic you expect? Then turn it back on and look for the differences in traffic flow under the same test conditions. Review the capabilities of the WiFi system under test - the beacons, probe requests/responses, and association requests/responses will all give information as to the capabilities of the client and AP. You can check for things like 802.11ac vs 802.11n, spatial streams, guard interval, etc. Once you know the capabilities of the test system, compare them to your capture system. What can it do? This may take reverse engineering, a Google search, or even a little trick - connect the capture adapter to the same test AP and inspect the same frames for what its capabilities are, and compare. Also note that just because a specific device may support a set of parameters in managed mode does not automatically mean it will support the same set in monitor mode.

In the end, you may need to purchase new hardware to sniff what you want. Amazon.com is a great place to purchase some low cost USB adapters to use for sniffing. Linux is a huge help as well, as you will not be limited to Acrylic's drivers.

Another option is OmniPeek with their capture adapters. That's a commercial system of HW/SW designed for WiFi capture. Many professionals use this, and this is what I recommend for those who need a Windows platform to capture WiFi traffic that is anything more capable than 802.11abg. At the lower end the AirPcap adapters are ok, but for 802.11n they are not good enough, even the AirPcap Nx device, which claims n support.

answered 29 Jul '16, 02:50


Bob Jones
accept rate: 21%

edited 29 Jul '16, 04:23
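As an added example (not from the question or the answer above, and not Wireshark's own code), a script that carries out the tally the answer describes: it reads radiotap-wrapped 802.11 frames, records each frame's type, PHY rate or HT MCS index and FCS status, and counts them, so the pattern "low-rate management and null frames present, high-MCS data frames absent or arriving with a bad FCS" is visible at a glance. The sample frames are constructed inline, and the radiotap field table and bit constants are assumptions taken from the radiotap spec.

```python
import struct
from collections import Counter

# Radiotap (size, alignment) per present-bit for bits 0..19, per the radiotap spec.
RT_FIELDS = {0: (8, 8), 1: (1, 1), 2: (1, 1), 3: (4, 2), 4: (2, 2), 5: (1, 1), 6: (1, 1),
             7: (2, 2), 8: (2, 2), 9: (2, 2), 10: (1, 1), 11: (1, 1), 12: (1, 1), 13: (1, 1),
             14: (2, 2), 15: (2, 2), 16: (1, 1), 17: (1, 1), 18: (8, 4), 19: (3, 1)}
RT_FLAGS, RT_RATE, RT_MCS = 1, 2, 19
BAD_FCS = 0x40                                   # radiotap Flags bit: FCS check failed
TYPE_NAMES = {0: "mgmt", 1: "ctrl", 2: "data"}   # 802.11 frame-control type field

def parse_radiotap(buf):  # -> (header_len, {present_bit: raw bytes}) for bits 0..19
    _, _, hlen, present = struct.unpack_from("<BBHI", buf, 0)
    off, fields = 8, {}
    while struct.unpack_from("<I", buf, off - 4)[0] & (1 << 31):
        off += 4                                 # skip extended present words
    for bit, (size, align) in sorted(RT_FIELDS.items()):
        if present & (1 << bit):
            off = (off + align - 1) // align * align      # natural alignment
            fields[bit], off = buf[off:off + size], off + size
    return hlen, fields

def classify(frame):  # -> 802.11 type/subtype, PHY rate (legacy or HT MCS), FCS status
    hlen, rt = parse_radiotap(frame)
    fc = frame[hlen]                             # first byte of 802.11 frame control
    ftype, subtype = (fc >> 2) & 3, fc >> 4
    phy = ("MCS%d" % rt[RT_MCS][2] if RT_MCS in rt else            # 802.11n HT index
           "%gMbps" % (rt[RT_RATE][0] / 2) if RT_RATE in rt else "unknown")
    bad = RT_FLAGS in rt and bool(rt[RT_FLAGS][0] & BAD_FCS)
    return {"type": ftype, "subtype": subtype, "phy": phy, "bad_fcs": bad}

def summarize(frames):  # count frames per (type, PHY rate, FCS ok)
    c = Counter()
    for d in map(classify, frames):
        c[(TYPE_NAMES.get(d["type"], "rsvd"), d["phy"], not d["bad_fcs"])] += 1
    return c

def make_frame(fc_byte, rate=None, mcs=None, bad_fcs=False):  # constructed sample frame
    present, body = 1 << RT_FLAGS, bytes([BAD_FCS if bad_fcs else 0])
    if rate is not None:
        present |= 1 << RT_RATE; body += bytes([int(rate * 2)])     # 500 kbps units
    if mcs is not None:
        present |= 1 << RT_MCS; body += bytes([0x01, 0x00, mcs])    # known, flags, index
    hdr = struct.pack("<BBHI", 0, 0, 8 + len(body), present) + body
    return hdr + bytes([fc_byte, 0]) + b"\x00" * 22                 # 24-byte MAC header

# Constructed capture: beacon and probe request at 1 Mbps, null and QoS-null at 6 Mbps,
# and one QoS data frame at MCS 7 that arrived with a bad FCS (what Wireshark shows as malformed).
SAMPLE = [make_frame(0x80, rate=1), make_frame(0x40, rate=1), make_frame(0x48, rate=6),
          make_frame(0xC8, rate=6), make_frame(0x88, mcs=7, bad_fcs=True)]
```

Against a real capture, feed summarize() the packet bytes of a pcap whose link type is 802.11 plus radiotap; the same three values are Wireshark's radiotap.datarate, radiotap.mcs.index and radiotap.flags.badfcs fields.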

Thanks for telling me lots of information about WiFi capturing, Bob Jones. I will try then.

(01 Aug '16, 23:25) Frazier