This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Unable to capture relevant packets with Wireshark / Airmon-ng WPA2-PSK (AES)

0

Objective: Capture packets with info containing sites visited, usernames & passwords if any on WPA2-PSK (AES) wifi network. Monitor capable Alfa card used.

Steps followed:

airmon-ng check kill

airmon-ng start wlan1

(window 1) airodump-ng -c [number] --bssid [bssidnumber] --showack -w [filepath] wlan1(mon)

(window 2) aireplay-ng -0 5 -a [bssidnumber] -c [targetMAC] wlan1(mon)

Target device loses connection to wifi and rejoins, I can see a handshake is captured in window 1

Browse HTTP sites on the target device (tried iPhone, laptop), fill out and submit login forms

Ctrl + C to stop capture

Open .cap with Wireshark

Preferences > IEEE 802.11 > enable decryption > enter generated key

At this stage I have to fiddle with settings such as ignore protection bit, and then I get some decrypted (coloured) results displayed in the grid...great :)

You'd think at this stage I'd be home and dry....only problem is I have no HTTP, HTTPS, DNS requests nor do I get any results when I search for the password I entered in the login form as a string.

Any ideas what I'm doing wrong?

This question is marked "community wiki".

asked 25 Oct '16, 13:57

rootb33r

edited 25 Oct '16, 13:58
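
From the network owner's side, the forced reconnect in the steps above (`aireplay-ng -0`) shows up in a monitor-mode capture as a burst of deauthentication frames addressed to one station. The following is an added example, not part of the original post: it reads a radiotap pcap and reports such bursts. The 1-second window, the threshold of 5, the function names and the constructed sample capture are assumptions.

```python
import struct
from collections import defaultdict
LINKTYPE_RADIOTAP = 127  # pcap link type: 802.11 frame preceded by a radiotap header

def deauth_frames(pcap):
    """Yield (time, claimed transmitter, receiver, reason code) per deauth frame."""
    magic, linktype = struct.unpack_from("<I", pcap)[0], struct.unpack_from("<I", pcap, 20)[0]
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_RADIOTAP:
        raise ValueError("expected a little-endian pcap with radiotap headers")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        pkt = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 4:
            continue
        dot11 = pkt[struct.unpack_from("<H", pkt, 2)[0]:]  # skip radiotap (length at offset 2)
        # Frame control byte 0 == 0xC0: type 0 (management), subtype 12 (deauthentication).
        if len(dot11) >= 26 and dot11[0] == 0xC0:
            reason = struct.unpack_from("<H", dot11, 24)[0]
            # The transmitter address is only a claim: without 802.11w it is not authenticated.
            yield sec + usec / 1e6, dot11[10:16].hex(":"), dot11[4:10].hex(":"), reason

def deauth_bursts(pcap, window=1.0, threshold=5):
    """Map (transmitter, receiver) to the most deauths seen in any `window` seconds, if >= threshold."""
    times = defaultdict(list)
    for ts, ta, ra, _ in deauth_frames(pcap):
        times[(ta, ra)].append(ts)
    bursts = {}
    for pair, ts in times.items():
        ts.sort()
        best = lo = 0
        for hi in range(len(ts)):  # sliding window over sorted timestamps
            while ts[hi] - ts[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            bursts[pair] = best
    return bursts

def build_sample():
    """Constructed capture: 8 deauths to one station within 0.35 s, then 1 isolated deauth."""
    ap, sta, other = (bytes.fromhex("02000000000" + d) for d in "123")
    def rec(t_us, ra):  # radiotap (8 bytes, no fields) + deauth frame, reason code 7
        frame = struct.pack("<BBHI", 0, 0, 8, 0) + b"\xc0\x00\x00\x00" + ra + ap + ap + b"\x00\x00\x07\x00"
        return struct.pack("<IIII", t_us // 10**6, t_us % 10**6, len(frame), len(frame)) + frame
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RADIOTAP)
    return hdr + b"".join(rec(i * 50_000, sta) for i in range(8)) + rec(5_000_000, other)

if __name__ == "__main__":
    print(deauth_bursts(build_sample()))
```

On a real capture, pass the file's bytes to `deauth_bursts`; enabling 802.11w (protected management frames) on the network is the mitigation for forged deauthentication frames.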


One Answer:

0

With no other detail, such as a trace, we can't be sure. However, this might give you some ideas to try:

https://ask.wireshark.org/questions/54433/why-cant-i-capture-data-packets-in-monitor-mode?page=1&focusedAnswerId=54437#54437

https://ask.wireshark.org/questions/55637/wireshark-with-atheros-wireless-in-monitor-mode?page=1&focusedAnswerId=55643#55643

https://ask.wireshark.org/questions/14684/no-data-packets-when-turning-on-monitor-mode

https://ask.wireshark.org/questions/54835/having-issues-capturing-http-traffic-on-my-network

I'd guess if you see some frames decrypted it is likely a modulation issue and you can't decode regular data frames that are at high data rates. You might see multicast/broadcast as they are sent at lower rates.

answered 25 Oct '16, 14:50

Bob Jones

edited 25 Oct '16, 14:55

Thanks for your reply. I'll go through the links tomorrow. It does sound like what you said about the data rates may be right as I definitely am seeing some information....just not what I really want to see.

The capture card specifically is the awus036h. 'Promiscuous' mode has never been explicitly turned on, but I understand that is a Wireshark setting(?) and I'm simply viewing the .cap with Wireshark rather than capturing with it.

(25 Oct '16, 16:15) rootb33r