This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark with Atheros wireless in Monitor mode.

0

Is working but I am only seeing 802.11 management packets, Beacons, Probe Requests etc.
Proof that monitor mode is working or partly working.
But I am not getting anything else, no data packets.
This is a wireless nic that supports monitor mode and I am properly putting it in monitor mode setting the channel and such.
I have tried this with a number of cards and systems same issue.

What do I need to do to see/capture ALL of the activity on the channel and not just the 802.11 management?

Thanks!
Steve

asked 18 Sep '16, 18:11

N8lbv's gravatar image

N8lbv
6112
accept rate: 0%

First look at the questions suggested at the bottom of the right hand column on this page (Related questions). Then, if possible, disable ac and n modes on your access point, as it is quite likely that your Atheros doesn't support them so if the other devices use them, the Atheros cannot capture them. The management frames are sent using widely supported modes so that all devices could handle them.

(19 Sep '16, 02:57) sindy

Excellent suggestion.
I do indeed already have the AP set to only 2.4Ghz and BG. (mixed). Oddly I found that in my linux distribution that various wireless utilities when ran create a virtual wireless interface (wlan0mon) And leave it in place after running. Kismet in particular does this even though I am specifying "wlan0" as the capture device.
Now when I run wireshark and choose wlan0mon instead of wlan0 it works. I am getting all the packets. I captured a SIP/VOIP phone call between two other nodes and all the RTP.
So I at least have a work around that works now.
But I don;t for the life of me know why it matters that I use a virtual interface and why it doesn't work simply with wlan0 after putting it in monitor mode.
:)

(19 Sep '16, 09:44) N8lbv

Maybe the tool reverts to managed mode after you stop using the tool? But the secondary interface is still in monitor mode. You should be able to see them with commands:

iw dev or iwconfig

The iw command is the most useful - plenty of options. Also shut down any network managers you may have - they like to move your interfaces back to managed mode at every opportunity.

(19 Sep '16, 11:28) Bob Jones

One Answer:

0

There are two likely scenarios you are running into that can cause this:

  1. The device supports monitor mode, but not promiscuous mode. You need both. The way to tell is to identify unicast traffic in the data stream. If you have it, then this is not the issue.
  2. Per @Sindy's comment, it may be that you support monitor and promiscuous mode, but your capture adapter can not decode the data packets due to modulation differences. Just because the device says it is capable of x/y/z (i.e. maybe 802.11ac 2x2:2 or whatever), does not mean it will capture that traffic in monitor mode. There is a good chance it will, but we need to know how you are configuring the device for capture.

Degrade a test platform to 802.11a/b/g only (probably does not matter, but you would need to know so you can setup your capture accordingly) and pass traffic. Do you pick it all up? If so, start adding back in the advanced features like 802.11n/ac, 40/80MHz channels, LDPC encoding, etc. And see when it starts to break.

Of course there is the obvious root cause just to be sure: are you capturing on a channel that has known data flowing? I know it's a stupid question, but you should be able to identify your BSSID and any devices you are using to test, like your laptop, tablet, smartphone, etc. As you are connected and, for instance, accessing webpages, you should at least see some traffic from this device even if either of the two cases are true above.

answered 19 Sep '16, 03:36

Bob%20Jones's gravatar image

Bob Jones
1.0k2515
accept rate: 21%

Yep, as commented above I have it working if I use a virtual interface that gets created when I run Kismet instead of the actual wireless interface in monitor mode.
Might be a driver quirk.
Or it's just written that way and expected to be used this 'new_way'

But yes I had already simplified the test scenario about as much as possible, no encryption 2.4BG only (open network) two known test nodes passing known traffic during test etc. :) All good suggestions.
Yep had a VoIP/RTP call in the clear going on during all testing.

(19 Sep '16, 09:49) N8lbv