This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark doesn’t capture EAPOL Packets and no HTTP Traffic

0

Hello All:

I am having a bit of a problem here with Wireshark: no matter what I do or what I try to do, Wireshark doesn't capture EAPOL traffic, which means no handshake capture, which means no decryption of HTTP/TCP traffic. Here are a few details that list out what I exactly did.

  1. Platform: KALI Linux running on Virtual Box over Macbook Air
  2. Wireless Card: TP-Link TL-WN722N
  3. Wifi is PSK2 - So I have already got the psk key from Wireshark psk calculator, the name of the ssid is Cisco01096 and password is arnold06.
  4. Added decryption keys in the wireless protocol IEEE 802.11 enabled/disabled Assume FCS etc.
  5. Started wireshark without airmon running in the background
  6. Started wireshark with airmon running in the background
  7. Started Wireshark with the sudo command (I know it's not supposed to be done, yet I gave it a go)
  8. Started Wireshark without the sudo command.
  9. Reconnected my devices to the wifi so it captures the handshake: nothing at all, done every time I start Wireshark.

After doing everything as aforesaid, all I still see is encrypted packets, no EAPOL or HTTP traffic.

Can someone please guide me on where I am going wrong?

Regards, BM

asked 29 Nov '16, 01:34


BMC
accept rate: 0%


One Answer:

0

A couple of points:

  1. I assume you have seen this, but just to be sure: https://wiki.wireshark.org/HowToDecrypt802.11
  2. Share a trace - this will go faster if you post a short trace of what you do get - the people on this site are very good at looking at traces and troubleshooting - without the trace, the community is left to guess. Good place to put a trace for review by the community: https://www.cloudshark.org/
  3. I use those adapters all the time to capture traffic and they work fine, so I will hypothesize there is something specific about your setup causing issues
  4. To get EAPOL frames, you need to have the device re-authenticate. There are a couple of ways to do this: go to the AP or wireless controller and kick the client off. Not all have this feature readily available, but some do. Another way, likely more popular, is to just reboot the device - like a smart phone, laptop, whatever, or disconnect the wifi and reconnect. You need to force the reassociation while capturing to get all four EAPOL packets.

So the technique I suggest:

  1. Be sure your capture setup picks up all traffic, both uni- and multi-/broadcast. This should be good with that adapter - I am not aware of any issues. Also check for data frames (or QoS data frames) to be sure there is data to decrypt.
  2. Start the capture on the correct channel - may need to hunt around to find it. Keep changing channels until you find encrypted frames from the client under test.
  3. Once you find the client, reboot it. Wait to look for the probes/authentication/association/eapol sequence. If you don't get all four eapol frames, do the whole thing again until you do.

Also, since you are on a MAC, you can try capturing with the built-in adapter on the MAC with Wireshark (supports monitor+promisc mode by default) and see if you pick up the eapol frames if the USB adapter piped into the VM does not. I run Kali on my MAC, but I don't capture traffic this way so can't be 100% sure there is not a VM issue. I know on some of my newer Dell laptops I cannot attach a USB wifi adapter to a VM in VirtualBox for whatever reason. However, in these cases where firmware fails to load, the adapter does not work at all so no frames can be captured. Since you claim to be getting at least something, this likely is not your issue.

answered 29 Nov '16, 03:18


Bob Jones
accept rate: 21%
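Two things the answer relies on can be checked offline before hunting through a capture: that the PSK entered under the IEEE 802.11 decryption keys really is the PBKDF2 derivation of the passphrase and SSID (which is all the Wireshark PSK calculator does), and that the EAPOL-Key frames you did capture add up to all four handshake messages rather than, say, only messages 3 and 4 because the capture started late. The following Python is an added illustration written for this thread; it is not code from the original Q&A, from Bob Jones, or from the Wireshark project. The Key Information values in the samples are constructed (typical WPA2/CCMP values), not taken from any trace on this page; the SSID and passphrase are the ones the question gives.

```python
"""WPA2-PSK helpers: derive the PSK/PMK that Wireshark needs, and check
whether a set of EAPOL-Key frames contains a complete four-way handshake.

Added illustration for this thread; not part of the original Q&A or of
Wireshark. Sample Key Information values below are constructed.
"""
import hashlib
from typing import List, Optional, Set, Tuple


def derive_psk(passphrase: str, ssid: str) -> str:
    """Return the 256-bit WPA2 PSK (equal to the PMK) as 64 hex characters.

    This is the PBKDF2-HMAC-SHA1 derivation from IEEE 802.11: 4096
    iterations, the SSID as salt, 32 output bytes. It is what the Wireshark
    PSK calculator computes; the result goes into the decryption keys list
    as 'wpa-psk:<hex>' (or let Wireshark derive it via 'wpa-pwd:pass:ssid').
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), 4096, dklen=32)
    return psk.hex()


# EAPOL-Key "Key Information" bit fields (IEEE 802.11-2016, 12.7.2).
KEY_TYPE_PAIRWISE = 1 << 3
KEY_INSTALL = 1 << 6
KEY_ACK = 1 << 7
KEY_MIC = 1 << 8
KEY_SECURE = 1 << 9


def classify_eapol_key(key_info: int) -> Optional[int]:
    """Map a Key Information value to handshake message number 1..4.

    Heuristic matching what Wireshark labels 'Message N of 4' for WPA2:
    M1 = Ack without MIC; M3 = Ack + MIC + Install; M2 = MIC, no Ack,
    Secure clear; M4 = MIC, no Ack, Secure set. Group-key frames (Key Type
    bit clear) return None. WPA1 M4 does not set Secure and is told apart
    from M2 by an empty Key Data field, which is not modelled here.
    """
    if not key_info & KEY_TYPE_PAIRWISE:
        return None
    ack = bool(key_info & KEY_ACK)
    mic = bool(key_info & KEY_MIC)
    install = bool(key_info & KEY_INSTALL)
    secure = bool(key_info & KEY_SECURE)
    if ack and not mic:
        return 1
    if ack and mic and install:
        return 3
    if mic and not ack and not secure:
        return 2
    if mic and not ack and secure:
        return 4
    return None


def handshake_complete(key_infos: List[int]) -> Tuple[bool, Set[int]]:
    """Return (all four messages present?, set of message numbers seen)."""
    seen = {m for m in map(classify_eapol_key, key_infos) if m is not None}
    return seen == {1, 2, 3, 4}, seen


# Constructed sample: Key Information values typically seen for WPA2/CCMP.
FULL_HANDSHAKE = [0x008A, 0x010A, 0x13CA, 0x030A]
# Constructed sample: capture started after M1 and M2 had already gone by,
# the situation the answer's step 3 fixes by forcing the client to re-associate.
LATE_CAPTURE = [0x13CA, 0x030A]

if __name__ == "__main__":
    print("PSK for Cisco01096 / arnold06:", derive_psk("arnold06", "Cisco01096"))
    for name, frames in (("full", FULL_HANDSHAKE), ("late", LATE_CAPTURE)):
        ok, seen = handshake_complete(frames)
        print(f"{name}: complete={ok} messages={sorted(seen)}")
```

The derivation can be sanity-checked against the test vector published in the IEEE 802.11 standard: passphrase `password` with SSID `IEEE` yields `f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e`. If the hex you pasted into Wireshark does not match what `derive_psk` returns for your own SSID and passphrase, a typo in the key, not the capture, is the reason nothing decrypts. Decryption also needs the client's complete handshake in the same capture; `handshake_complete` over the Key Information field of each `eapol` frame tells you which messages are missing and therefore whether you need to re-associate the client and capture again.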