Is there a way to capture data in monitor mode?

When I try capturing in monitor mode, I only get beacon frames and some packets that say

Is there a way to see TCP or HTTP layer data while capturing in monitor mode? My OS is Fedora 24.

Related question: I don't really know much about adapters/drivers, but is it possible for monitor mode to work while promiscuous mode doesn't?

asked 14 Aug '16, 04:52 devil0150
One Answer:
Yes, this is common. It depends on the wireless hardware you are using along with the driver. If in this mode, you would see all broadcast and multicast traffic, but no unicast traffic from other wireless clients.

You mention Null - there are several types of Null frames, e.g. Null, QoS-Null, etc., but these are typically unicast. Since you don't provide a trace, I can't be sure exactly what you are seeing. So you may be seeing unicast traffic, but perhaps it is encrypted? Look for Data-type frames, like QoS Data and the like, with a unicast destination MAC address to distinguish what state you are in.

It is also possible to see all WiFi traffic, though it may need to be decrypted for you to see TCP or HTTP traffic. The first step is to make sure it is all present, i.e. you see unicast traffic along with broadcast/multicast, and then work on a plan to decrypt. The Wireshark website has good notes on decryption if using WPA2-Personal, or, for a test, remove encryption altogether and then the IP, transport, and application layers should be apparent. I don't recommend running like this for long, but only as a test.

These types of questions come up often here, so search and you will find lots of information.

answered 14 Aug '16, 05:47 Bob Jones
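The check described in the answer (are unicast Data frames present, and are they encrypted?) can be run directly on the 802.11 Frame Control field and Address 1. This is an added example, not part of the original thread; it assumes the radiotap header has already been stripped, the sample frames are constructed, and the names `hdr`, `classify` and `capture_state` are hypothetical.

```python
TYPES = {0: "mgmt", 1: "ctrl", 2: "data"}

def hdr(fc0, fc1, addr1):
    # Constructed header: Frame Control, Duration, Address 1,
    # then zeroed Address 2/3 and Sequence Control.
    return bytes([fc0, fc1, 0, 0]) + bytes.fromhex(addr1) + bytes(14)

def classify(frame: bytes) -> dict:
    """Decode Frame Control and Address 1 of one 802.11 frame."""
    if len(frame) < 10:
        raise ValueError("too short for Frame Control + Duration + Address 1")
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    addr1 = frame[4:10]
    return {
        "type": TYPES.get(ftype, "reserved"),
        "subtype": subtype,
        # Data subtypes with bit 2 set (Null, QoS Null, ...) carry no payload.
        "carries_data": ftype == 2 and not subtype & 0x4,
        "protected": bool(fc1 & 0x40),   # Protected Frame flag
        "unicast": not addr1[0] & 0x01,  # I/G bit clear = individual address
    }

def capture_state(frames) -> str:
    """Summarise which of the states from the answer a capture is in."""
    infos = [classify(f) for f in frames]
    uni = [i for i in infos if i["carries_data"] and i["unicast"]]
    if not uni:
        return "no unicast data"
    if all(i["protected"] for i in uni):
        return "unicast data, encrypted"
    return "unicast data, cleartext"

# Constructed sample frames (locally administered MAC addresses).
BEACON = hdr(0x80, 0x00, "ffffffffffff")     # management, broadcast
NULL = hdr(0x48, 0x01, "020000000001")       # data subtype 4, no payload
QOS_ENC = hdr(0x88, 0x41, "020000000001")    # QoS Data, Protected set
QOS_CLEAR = hdr(0x88, 0x01, "020000000001")  # QoS Data, unencrypted

if __name__ == "__main__":
    print(capture_state([BEACON, NULL]))
    print(capture_state([BEACON, NULL, QOS_ENC]))
```

A result of "no unicast data" points at the adapter or driver, while "unicast data, encrypted" means the capture is complete and decryption is the remaining step.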