This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Why am I missing WiFi Packets?

Hi all,

I have custom hardware with custom firmware, using WiFi only. The firmware uses SNTP to time stamp emails that it sends out. On initialization, it takes a few seconds for the firmware to capture a valid time stamp. Once that happens, it's good to go. The time stamp is refreshed from pool.ntp.org every 10 minutes.

My problem is I get an initial time stamp but after 10 minutes it doesn't refresh. I'm trying to figure out where the disconnect is. But, I don't see even the initial connection to pool.ntp.org in the Wireshark capture window. If I filter on my IP address, 192.168.1.86, I see the DHCP transactions after power up, then some packets to 224.0.0.251 (what the heck is that???), then nothing.

I know I'm getting the first NTP time stamp because I can send an email with the correct time. But I don't understand why I don't see it in the packets?

Sorry, I'm completely new on IP, WiFi and Wireshark, so pardon my ignorance.

Any help is appreciated.

Dave

asked 30 Nov '16, 23:34

djw

We are going to need more information.

  1. Where are you trying to capture from, i.e. what device is capturing the data with Wireshark, your custom HW tool or some other PC?
  2. How are you capturing WiFi traffic? Often times it takes special handling: you might need special hardware or special configurations, all depending. Hardware, OS used, how you prep the interface, etc...
  3. Simplify your system, if not done so already - don't use encryption (just for a test!), and maybe set up to capture wired traffic at your access point for now to validate the specific packets the device is sending. Then work on WiFi capture until the wired and wireless traces are consistent.
(01 Dec '16, 03:33) Bob Jones

Oops! Sorry, I've related this problem so many times I left off some info.

  1. My hardware is WiFi only. I'm running Wireshark on my laptop which is also WiFi only. I have other devices running on Wifi, but mostly it's just the router.
  2. I open Wireshark. It gives me 3 options: bluetooth, local area connection and WiFi. I just double click WiFi and it starts capturing packets.
  3. Not sure I understand this completely. As I said, all of this is new. I did get a suggestion elsewhere to connect a different wireless router to my current network by wire, then sniff just that wireless network. That would mean buying more equipment and take a lot of time.

I'm really confused why when I'm positive there's a transfer between my hardware and the NTP server, why I don't see that under the WiFi capture.

Thanks,

Dave

(01 Dec '16, 09:39) djw

And the OS running on your laptop, I suspect Windows which is problematic when trying to capture the wireless traffic of other devices?

Have you looked at the Wiki page on wireless capture?

(01 Dec '16, 10:35) grahamb ♦

Ouch! Yes, Win 10.

Thanks for the link. I think that answers my question.

As I always say, "If it can't be done, it's probably not worth doing." (c) 2016

(01 Dec '16, 10:43) djw

npcap, the upcoming replacement for WinPcap, the capture library on Windows, may be able to capture wireless traffic. See the npcap site for more info.

(02 Dec '16, 02:41) grahamb ♦

Great! Any idea when this might come along with Wireshark?

(02 Dec '16, 09:15) djw

Not for a while yet, waiting for a few things to be completed and for it to stabilise. Wireshark already has support for it built-in, we just haven't put the actual npcap library in the installer.

(02 Dec '16, 09:59) grahamb ♦