I am trying to debug an app on my smart TV and I need to capture the HTTP requests it does. Since the TV is in another room, I'm first testing with a tablet.
So first, I connect a wifi adapter (AWUS036H). Set it to monitor mode with
Then I start Wireshark, and start capturing on the interface wlan0mon. When I visit example.com on my tablet, this is what appears in Wireshark:
f0:4f:7c:xx:xx is my tablet's MAC address. If I remove that filter I still don't see any HTTP traffic, all white stuff and nothing of the green stuff I see when capturing eth0.
So how do I capture the HTTP traffic that goes through my wifi router?
The wifi network is temporarily open btw, I removed all the security for the test.
I tried re-enabling the router security (WPA2-PSK), reconnected the tablet while Wireshark was running (to capture the handshake), and visited example.com again. Added wpa-pwd:mypwd:ssid to the IEEE 802.11 protocol and when I click "apply", some packets that were previously identified as LLC protocol change to 802.11 protocol, so decryption seems to be working, but I still can't find any package containing HTTP information.
asked 28 Jun '17, 23:21
edited 28 Jun '17, 23:52
I've never seen a block ACK with a layer 3 IP address included - they all have Receiver Address and Transmitter Address (RA/TA), which are MAC addresses. I guess you have Wireshark configured to do some mapping from L2->L3?
This looks like one of two problems:
Since you didn't provide a trace I can't look at signal strengths to determine if the issue might be a distance problem, and I can't deduce the running network parameters because I can't see the beacons/probes/assoc frames for your network to determine the actual capabilities to compare to your capture adapter (which Google says is 802.11bg).
Block ACKs usually come along with 802.11n or HT capability, so most likely your issue is (2). The data frames are sent at 802.11n rates, and the capture adapter can't pick them up.
What to do?
This comes up often here -
answered 29 Jun '17, 02:45
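The check the answer describes can be scripted. The following is an added example, not part of the original posts: it counts frame types in a monitor-mode capture and looks for the HT Capabilities element in beacons, flagging the pattern where Block ACKs or an 802.11n AP are visible but no data frames were captured. It assumes each frame starts with a radiotap header; the function names and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

TYPES = {0: "management", 1: "control", 2: "data"}

def dot11(frame):
    """Drop the radiotap header; its length is a little-endian u16 at offset 2."""
    (rt_len,) = struct.unpack_from("<H", frame, 2)
    return frame[rt_len:]

def has_ht_capabilities(beacon):
    """Walk a beacon's tagged elements for HT Capabilities (element ID 45)."""
    body = beacon[24 + 12:]  # 24-byte MAC header + 12 bytes of fixed fields
    i = 0
    while i + 2 <= len(body):
        if body[i] == 45:
            return True
        i += 2 + body[i + 1]
    return False

def diagnose(frames):
    """Summarise frame types; flag captures with Block ACKs or an HT AP but no data."""
    counts, ap_is_ht, block_acks = Counter(), False, 0
    for raw in frames:
        f = dot11(raw)
        if len(f) < 2:
            continue
        ftype, subtype = (f[0] >> 2) & 3, (f[0] >> 4) & 0xF
        counts[TYPES.get(ftype, "other")] += 1
        if ftype == 0 and subtype == 8:      # beacon
            ap_is_ht = ap_is_ht or has_ht_capabilities(f)
        elif ftype == 1 and subtype == 9:    # Block ACK
            block_acks += 1
    missing = counts["data"] == 0 and (block_acks > 0 or ap_is_ht)
    return {"counts": dict(counts), "ap_is_ht": ap_is_ht,
            "block_acks": block_acks, "data_frames_missing": missing}

# Constructed sample frames (not from the poster's capture); MACs are made up.
RT = bytes([0, 0, 8, 0, 0, 0, 0, 0])               # minimal 8-byte radiotap header
AP, STA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
BEACON = (RT + b"\x80\x00" + bytes(2) + b"\xff" * 6 + AP + AP + bytes(2)
          + bytes(12) + b"\x00\x04test" + bytes([45, 26]) + bytes(26))
BLOCK_ACK = RT + b"\x94\x00" + bytes(2) + AP + STA + bytes(12)
QOS_DATA = RT + b"\x88\x01" + bytes(2) + AP + STA + AP + bytes(4) + b"payload"
SAMPLE = [BEACON, BLOCK_ACK, BLOCK_ACK]

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A result with `data_frames_missing` set while `ap_is_ht` is true matches the situation described in the answer: the network runs 802.11n, and the capture adapter only sees the frames sent at rates it can demodulate.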