This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

can’t see any tcp/udp/icmp traffic

0

I updated Wireshark to version 2.2.4 on my Mac OS (10.12.2). I can't see any TCP/UDP/ICMP traffic when I capture packets in monitor and promiscuous mode, but I can see the 802.11 and EAP frames. I uninstalled Wireshark 2.2.4 and went back to 1.12.12; the issue is still there. Opening other files on my computer, I also can't see any TCP/UDP/ICMP traffic.

asked 23 Feb '17, 21:54


daniel wang
accept rate: 0%


One Answer:

1

To see the layer 3+ information in 802.11 captures you need two things, at a minimum:

  1. Data frames
  2. Decryption capability if the data is encrypted (good practice says it should be...)

For item 2, here is a good link: https://wiki.wireshark.org/HowToDecrypt802.11

I bring up item 1 because it is a common cause of issues when working with wireless packet captures. The data frames tend to go at higher data rates, so they require better capture capability to match the modulation capabilities of the AP and the client. In particular, I do not see data frames in your picture but do see ACKs. With no more information than this picture, it appears you are not able to capture data frames; however, Mac laptops are known to be excellent capture tools. Something does not look right. You still have to solve this problem first before working on decryption.

As a test, you may be able to reduce the AP's capabilities so it uses lower data rates and then it will be easier to capture data frames. Otherwise, provide more information on the setup of the system you are analyzing - it could be you are just out of range to capture the high speed frames, etc.

I use this free tool on my Mac to speed up capture setup:

https://www.adriangranados.com/apps/airtool

answered 24 Feb '17, 03:00


Bob Jones
accept rate: 21%
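The two-item checklist in the answer above can be checked directly against a capture file. The following Python is an added example (not code from the original post or from Wireshark): it tallies 802.11 frame types in a classic little-endian pcap with radiotap headers and reports whether payload-carrying data frames were captured and whether they are protected. The function names and the sample captures are constructed for illustration.

```python
import struct
from collections import Counter

LINKTYPE_RADIOTAP = 127  # LINKTYPE_IEEE802_11_RADIOTAP
TYPES = {0: "management", 1: "control", 2: "data"}

def summarize(pcap: bytes) -> Counter:
    """Count 802.11 frame types in a little-endian classic pcap (radiotap link type)."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_RADIOTAP:
        raise ValueError("expected little-endian pcap with radiotap link type")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        pkt = pcap[off + 16 : off + 16 + incl_len]
        off += 16 + incl_len
        # Radiotap it_len (bytes 2-3) says where the 802.11 header starts.
        rt_len = struct.unpack_from("<H", pkt, 2)[0] if len(pkt) >= 4 else len(pkt)
        if len(pkt) < rt_len + 2:
            counts["truncated"] += 1
            continue
        fc0, fc1 = pkt[rt_len], pkt[rt_len + 1]   # Frame Control field
        ftype = TYPES.get((fc0 >> 2) & 0x3, "reserved")
        if ftype == "data" and fc0 & 0x40:        # Null / QoS Null: no payload
            ftype = "null_data"
        counts[ftype] += 1
        if ftype == "data" and fc1 & 0x40:        # Protected Frame bit
            counts["data_protected"] += 1
    return counts

def diagnose(counts: Counter) -> str:
    if counts["data"] == 0:
        return "no data frames captured: fix the capture before working on decryption"
    if counts["data_protected"] == counts["data"]:
        return "data frames captured but all protected: decryption keys needed"
    return "unprotected data frames present: layer 3+ should dissect"

# Constructed sample captures (not taken from the question's screenshot).
def _pkt(fc0: int, fc1: int = 0) -> bytes:
    frame = struct.pack("<BBHI", 0, 0, 8, 0) + bytes([fc0, fc1]) + bytes(8)
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RADIOTAP)
ACKS_ONLY = _HDR + _pkt(0x80) + _pkt(0xD4) + _pkt(0xD4)  # beacon + two ACKs
WITH_DATA = ACKS_ONLY + _pkt(0x88, 0x41)                 # QoS Data, ToDS + Protected

if __name__ == "__main__":
    for name, cap in (("acks_only", ACKS_ONLY), ("with_data", WITH_DATA)):
        print(name, dict(summarize(cap)), "->", diagnose(summarize(cap)))
```
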