I want to monitor the traffic on my LAN. If I don't set Monitor mode and leave only promiscuous mode, I get only traffic from my machine. If I enable Monitor mode and add the 64-character-long raw pre-shared key as described here, I get traffic from other devices BUT only the 802.11 protocol (no HTTP, TCP, etc.). I'm using Wireshark 2.2.7 and Linux with kernel version 4.9.37. What am I missing?
Update: Following the instructions in the answer from Bob Jones, I managed to obtain the EAPOL handshake of my mobile device just by restarting its connection. However, I couldn't do the same for my laptop, because when I restart its connection it seems to get only Messages 1 and 3, as in the picture below:
asked 19 Jul '17, 20:38
edited 23 Jul '17, 14:16
There could be many reasons why you cannot decrypt, and you don't provide enough information to really determine what the root cause is. The usual suspects:
There is a sample trace on the Wireshark website that can be decrypted; we assume that one decrypts properly as a test?
This issue comes up often - an example:
Notice how we were able to determine the root cause when a trace was provided along with all the relevant information (test passphrase/SSID, etc.).
answered 20 Jul '17, 03:47
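The update to the question shows the practical check behind this answer: WPA/WPA2 decryption in Wireshark depends on capturing the client's EAPOL 4-way handshake, and the laptop capture only contained Messages 1 and 3. The following script, added here as an illustration and not part of the question or the answer above, classifies EAPOL-Key frames by the standard Key Information bits (Key Type, Install, Key Ack, Key MIC, Secure) and reports which of the four messages were seen per AP/client pair. The input frames, MAC addresses and the `make_eapol_key` helper are constructed for the example; the bytes start at the EAPOL header, i.e. what follows the LLC/SNAP header of a data frame.

```python
import struct

# EAPOL packet type 3 = EAPOL-Key (IEEE 802.1X)
EAPOL_KEY = 3

# Key Information bit layout (IEEE 802.11 EAPOL-Key descriptor)
KEY_INFO_PAIRWISE = 1 << 3   # Key Type: 1 = pairwise (4-way), 0 = group key
KEY_INFO_INSTALL = 1 << 6
KEY_INFO_ACK = 1 << 7
KEY_INFO_MIC = 1 << 8
KEY_INFO_SECURE = 1 << 9


def eapol_key_message(eapol: bytes):
    """Return 1..4 for a pairwise 4-way handshake message, or None.

    `eapol` starts at the EAPOL header: version(1) type(1) body length(2),
    followed by the key descriptor: descriptor type(1) and key info(2).
    """
    if len(eapol) < 7:
        return None
    _version, ptype, body_len = struct.unpack("!BBH", eapol[:4])
    if ptype != EAPOL_KEY or body_len < 3 or len(eapol) < 4 + body_len:
        return None
    desc_type = eapol[4]
    if desc_type not in (2, 254):        # 2 = RSN (WPA2), 254 = legacy WPA
        return None
    key_info = struct.unpack("!H", eapol[5:7])[0]
    if not key_info & KEY_INFO_PAIRWISE:  # group key handshake, skip it
        return None
    ack = bool(key_info & KEY_INFO_ACK)
    mic = bool(key_info & KEY_INFO_MIC)
    install = bool(key_info & KEY_INFO_INSTALL)
    secure = bool(key_info & KEY_INFO_SECURE)
    if ack and not mic:                   # AP -> STA, carries ANonce
        return 1
    if ack and mic and install:           # AP -> STA, installs PTK
        return 3
    if mic and not ack and not secure:    # STA -> AP, carries SNonce
        return 2
    if mic and not ack and secure:        # STA -> AP, confirms install
        return 4
    return None


def handshake_summary(frames):
    """frames: iterable of (src_mac, dst_mac, eapol_bytes).
    Returns {(ap_mac, sta_mac): sorted list of message numbers seen}."""
    seen = {}
    for src, dst, eapol in frames:
        msg = eapol_key_message(eapol)
        if msg is None:
            continue
        # Messages 1 and 3 go AP -> STA, 2 and 4 go STA -> AP
        ap, sta = (src, dst) if msg in (1, 3) else (dst, src)
        seen.setdefault((ap, sta), set()).add(msg)
    return {pair: sorted(msgs) for pair, msgs in seen.items()}


def missing_messages(msgs):
    """Which of the four handshake messages are absent."""
    return sorted({1, 2, 3, 4} - set(msgs))


def make_eapol_key(key_info, desc_type=2):
    """Constructed minimal EAPOL-Key frame with the given Key Information
    (nonce, IV, RSC, MIC etc. zeroed; only the header fields matter here)."""
    body = (struct.pack("!BHH", desc_type, key_info, 16)
            + bytes(8 + 32 + 16 + 8 + 8 + 16)   # replay ctr, nonce, IV, RSC, ID, MIC
            + struct.pack("!H", 0))             # key data length
    return struct.pack("!BBH", 2, EAPOL_KEY, len(body)) + body


# Constructed sample capture: hypothetical MAC addresses
AP = "00:11:22:33:44:55"
PHONE = "aa:bb:cc:dd:ee:01"
LAPTOP = "aa:bb:cc:dd:ee:02"
V2 = 2  # key descriptor version field (bits 0-2)

SAMPLE_FRAMES = [
    # Phone: complete 4-way handshake
    (AP, PHONE, make_eapol_key(V2 | KEY_INFO_PAIRWISE | KEY_INFO_ACK)),
    (PHONE, AP, make_eapol_key(V2 | KEY_INFO_PAIRWISE | KEY_INFO_MIC)),
    (AP, PHONE, make_eapol_key(V2 | KEY_INFO_PAIRWISE | KEY_INFO_INSTALL
                               | KEY_INFO_ACK | KEY_INFO_MIC | KEY_INFO_SECURE)),
    (PHONE, AP, make_eapol_key(V2 | KEY_INFO_PAIRWISE | KEY_INFO_MIC | KEY_INFO_SECURE)),
    # Laptop: only messages 1 and 3 captured (client replies missing)
    (AP, LAPTOP, make_eapol_key(V2 | KEY_INFO_PAIRWISE | KEY_INFO_ACK)),
    (AP, LAPTOP, make_eapol_key(V2 | KEY_INFO_PAIRWISE | KEY_INFO_INSTALL
                                | KEY_INFO_ACK | KEY_INFO_MIC | KEY_INFO_SECURE)),
    # Group key handshake frame (Key Type = 0), must be ignored
    (AP, PHONE, make_eapol_key(V2 | KEY_INFO_ACK | KEY_INFO_MIC | KEY_INFO_SECURE)),
]

if __name__ == "__main__":
    for (ap, sta), msgs in handshake_summary(SAMPLE_FRAMES).items():
        print(f"AP {ap} -> STA {sta}: seen {msgs}, missing {missing_messages(msgs)}")
```

Run against real traffic, the frames would come from a pcap with the `eapol` display filter applied; a client for which the summary lists a missing message is one whose connection must be restarted while capturing, and a capture that only ever shows the AP-side messages (1 and 3) suggests the client's replies are not reaching the monitor interface at all (wrong channel or bandwidth, weak signal, or the client transmitting on a different band).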