This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capturing data in monitor mode

0

Is there a way to capture data in monitor mode? When I try capturing in monitor mode, I only get beacon frames and some packets that say Null function (no data).

Is there a way to see TCP or HTTP layer data while capturing in monitor mode? My OS is Fedora 24.

Related question: I don't really know much about adapters/drivers, but is it possible for monitor mode to work while promiscuous mode doesn't?

asked 14 Aug '16, 04:52

devil0150
accept rate: 0%


One Answer:

0

> I don't really know much about adapters/drivers, but is it possible for monitor mode to work while promiscuous mode doesn't?

Yes, this is common. It depends on the wireless hardware you are using, along with the driver. If in this mode, you would see all broadcast and multicast traffic, but no unicast traffic from other wireless clients. You mention Null - there are several types of Null frames, e.g. Null, QoS-Null, etc., but these are typically unicast. Since you don't provide a trace, I can't be sure exactly what you are seeing. So you may be seeing unicast traffic, but perhaps it is encrypted? Look for Data-type frames, like QoS Data and the like, with a unicast destination MAC address to distinguish what state you are in.

It is also possible to see all WiFi traffic, though it may need to be decrypted for you to see TCP or HTTP traffic. The first step is to make sure it is all present, i.e. you see unicast traffic along with broadcast/multicast, and then work on a plan to decrypt. The Wireshark website has good notes on decryption if using WPA2-Personal, or, for a test, remove encryption altogether and then the IP, transport, and application layers should be apparent. I don't recommend running like this for long, but only as a test.

These types of questions come up often here, so search and you will find lots of information.

answered 14 Aug '16, 05:47

Bob Jones
accept rate: 21%
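
The check described in the answer above (Data-type frames, unicast destination, encrypted or not), as an added example that is not part of the original thread: it decodes the Frame Control field and destination address from raw 802.11 MAC headers (radiotap already stripped) and reports which capture state they indicate. The function names are hypothetical, and the sample headers and MAC addresses are constructed.

```python
TYPES = {0: "mgmt", 1: "ctrl", 2: "data"}

def classify(hdr: bytes) -> dict:
    """Decode the 802.11 MAC header fields the answer refers to."""
    if len(hdr) < 10:
        raise ValueError("truncated 802.11 header")
    ftype, subtype, flags = (hdr[0] >> 2) & 0x3, hdr[0] >> 4, hdr[1]
    # DA is Address 3 when To DS is set on a data frame, otherwise Address 1.
    da_off = 16 if ftype == 2 and flags & 0x01 else 4
    if len(hdr) < da_off + 6:
        raise ValueError("header too short for destination address")
    return {
        "type": TYPES.get(ftype, "ext"),
        "subtype": subtype,
        # Data subtypes with bit 2 set (Null, QoS Null, ...) carry no payload.
        "payload": ftype == 2 and not (subtype & 0x4),
        "protected": bool(flags & 0x40),       # Protected Frame flag
        "unicast": not (hdr[da_off] & 0x01),   # I/G bit of the DA's first octet
    }

def capture_state(headers) -> str:
    """Summarise what a set of captured headers says about the capture."""
    frames = [classify(h) for h in headers]
    unicast = [f for f in frames if f["type"] == "data" and f["unicast"]]
    payload = [f for f in unicast if f["payload"]]
    if not unicast:
        return "no unicast data frames"
    if not payload:
        return "unicast seen, only Null frames"
    if all(f["protected"] for f in payload):
        return "unicast data, encrypted"
    return "unicast data, cleartext"

# Constructed sample headers: FC, duration, Address 1-3, sequence control.
BCAST, AP = b"\xff" * 6, bytes.fromhex("020000000001")
STA, HOST = bytes.fromhex("020000000002"), bytes.fromhex("020000000003")

def make_hdr(fc0: int, flags: int, a1: bytes, a3: bytes) -> bytes:
    return bytes([fc0, flags, 0, 0]) + a1 + STA + a3 + bytes(2)

BEACON = make_hdr(0x80, 0x00, BCAST, AP)    # management, broadcast
NULL_FN = make_hdr(0x48, 0x01, AP, AP)      # Null function, To DS
QOS_ENC = make_hdr(0x88, 0x41, AP, HOST)    # QoS Data, To DS + Protected
QOS_CLR = make_hdr(0x88, 0x01, AP, HOST)    # QoS Data, To DS, unencrypted

if __name__ == "__main__":
    print(capture_state([BEACON, NULL_FN]))
```
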