Is working but I am only seeing 802.11 management packets, Beacons, Probe Requests etc. What do I need to do to see/capture ALL of the activity on the channel and not just the 802.11 management? Thanks! asked 18 Sep '16, 18:11  N8lbv |
One Answer:
There are two likely scenarios you are running into that can cause this:
Degrade a test platform to 802.11a/b/g only (probably does not matter, but you would need to know so you can setup your capture accordingly) and pass traffic. Do you pick it all up? If so, start adding back in the advanced features like 802.11n/ac, 40/80MHz channels, LDPC encoding, etc. And see when it starts to break. Of course there is the obvious root cause just to be sure: are you capturing on a channel that has known data flowing? I know it's a stupid question, but you should be able to identify your BSSID and any devices you are using to test, like your laptop, tablet, smartphone, etc. As you are connected and, for instance, accessing webpages, you should at least see some traffic from this device even if either of the two cases are true above. answered 19 Sep '16, 03:36  Bob Jones Yep, as commented above I have it working if I use a virtual interface that gets created when I run Kismet instead of the actual wireless interface in monitor mode. But yes I had already simplified the test scenario about as much as possible, no encryption 2.4BG only (open network) two known test nodes passing known traffic during test etc. :) All good suggestions. (19 Sep '16, 09:49) N8lbv |
First look at the questions suggested at the bottom of the right hand column on this page (Related questions). Then, if possible, disable ac and n modes on your access point, as it is quite likely that your Atheros doesn't support them so if the other devices use them, the Atheros cannot capture them. The management frames are sent using widely supported modes so that all devices could handle them.
Excellent suggestion.
I do indeed already have the AP set to only 2.4Ghz and BG. (mixed). Oddly I found that in my linux distribution that various wireless utilities when ran create a virtual wireless interface (wlan0mon) And leave it in place after running. Kismet in particular does this even though I am specifying "wlan0" as the capture device.
Now when I run wireshark and choose wlan0mon instead of wlan0 it works. I am getting all the packets. I captured a SIP/VOIP phone call between two other nodes and all the RTP.
So I at least have a work around that works now.
But I don;t for the life of me know why it matters that I use a virtual interface and why it doesn't work simply with wlan0 after putting it in monitor mode.
:)
Maybe the tool reverts to managed mode after you stop using the tool? But the secondary interface is still in monitor mode. You should be able to see them with commands:
iw dev or iwconfig
The iw command is the most useful - plenty of options. Also shut down any network managers you may have - they like to move your interfaces back to managed mode at every opportunity.