I am using Kali Linux running Wireshark. I am trying to capture all the data that goes through my home network via any device connected to it. I have successfully put the interface into monitor mode, and am running as root. On my interface wlan0 I can see a lot of traffic, but most of it is the devices requesting an IP address or joining or removing from a group (I am assuming that's just the router giving specific permissions against the firewall).
What I am trying to do is see the websites these devices on my network are trying to access. I can see everything from the PC in monitor mode (wlan0) and what it tries to access, but I can't see, for example, what sites my other laptop is accessing or my iPhones on my network. I have even changed the MAC address of wlan0 to match the MAC address of the router. I can't figure out what I am doing wrong. I have verified via iwconfig that the card is in monitor mode and not in managed mode.
Thank you in advance, all help or advice is really appreciated.
asked 15 Aug '16, 09:04 BitByte1981
Monitor mode is not sufficient to capture ALL WLAN traffic - you need promiscuous mode support, too. It sounds like you may have this problem as well:
https://ask.wireshark.org/questions/54790/capturing-data-in-monitor-mode
And if you search here you will find plenty of others with similar issues.
Full capture capability also depends on having the correct modulation capability, so there are many things to review. So I propose that you:
This is probably IGMP, for multicast support - likely LLMNR and maybe other protocols that could be in use.
I wouldn't do that! Let's walk before we run... when this is all sorted you can then play man-in-the-middle with a rogue AP using hostapd.
Thanks Bob!
Wireshark has the box checked that says Promiscuous mode.
Is it possible to force the iPhones to connect on n/g/b instead of ac? I am new to understanding the spectrums but they are connecting on the 2.4 GHz band and not the 5 GHz band.
I am using the latest Kali Linux Kernel.
The Wireshark check box seems to have no effect on promiscuous mode when an adapter is in monitor mode. I don't know if that is by design or defect, but the behavior is driven by the driver, at least from what I have seen.
There are at least three variants of the TEW-624UB, one of which is Ralink which is a 2x2:2. Assuming you have that one, as described, Kali had a regression for several months that disabled promiscuous mode on the RT series drivers. That has since been fixed - details can be found here by searching or on www.aircrack-ng.org. Since you have the latest kernel, this should not affect you.
Try www.cloudshark.org to post a trace.
Devices will usually connect at the highest possible speed, so if 802.11ac is available, it will likely be used. The router would likely support abgn ac - just bgn ac would be very unusual (but it's a big world out there, so you never know). Usually you can turn off advanced features - force the router to bg mode for now and try that - make sure the channel is known and you are sniffing on that channel. Once you get Wireshark to show the traffic from the other devices, start enabling the more advanced features like 802.11 bgn, etc., to be sure you can collect the data you are looking for. Don't forget about encryption.
The capture device has to be on the same channel as the traffic, and the various devices will use the channel selected by the AP. You can usually select the channel at the router, or if in auto mode, it might tell you what channel it is using.
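The mode and channel check discussed in the thread above, as an added example that is not part of the original posts: a shell function that reads the text of `iw dev <iface> info` and reports whether the adapter is in monitor mode and tuned to the channel the AP uses. The function name, the verdict strings and the sample outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# check_capture_ready EXPECTED_CHANNEL   (hypothetical helper name)
# Reads `iw dev <iface> info` text on stdin and prints one verdict:
#   ok | not-monitor | no-channel | wrong-channel:<n>
check_capture_ready() {
    awk -v want="$1" '
        $1 == "type"    { type = $2 }   # e.g. "type monitor"
        $1 == "channel" { chan = $2 }   # e.g. "channel 6 (2437 MHz), ..."
        END {
            if (type != "monitor") {
                print "not-monitor"             # managed mode: no 802.11 frames from other stations
            } else if (chan == "") {
                print "no-channel"              # monitor mode, but no channel has been set
            } else if ((chan "") != (want "")) {
                print "wrong-channel:" chan     # tuned away from the channel the AP uses
            } else {
                print "ok"
            }
        }'
}

# Constructed samples of `iw dev wlan0 info` output (not from the thread).
SAMPLE_MONITOR_CH6='Interface wlan0
    ifindex 3
    wdev 0x1
    addr 02:00:00:00:00:01
    type monitor
    wiphy 0
    channel 6 (2437 MHz), width: 20 MHz (no HT), center1: 2437 MHz
    txpower 20.00 dBm'

SAMPLE_MANAGED='Interface wlan0
    ifindex 3
    addr 02:00:00:00:00:01
    type managed
    channel 6 (2437 MHz), width: 20 MHz, center1: 2437 MHz'

# Live use on the capture host: iw dev wlan0 info | check_capture_ready 6
printf '%s\n' "$SAMPLE_MONITOR_CH6" | check_capture_ready 11
```

A verdict of `ok` only confirms mode and channel; the modulation support and encryption points raised in the thread still apply.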