Display IPV4 during tracing



I have a problem: I cannot switch the display of the source address from a MAC format to an IPv4 format. I have taken a picture.

I would be very glad if somebody can help me.


Götz

asked 23 Jul '17, 12:10

You haven't provided much information, dear Watson, but it is obvious that you use monitoring mode of your wireless interface, the WLAN you have captured is encrypted, and you haven't provided Wireshark with enough capture data (the EAPOL negotiation) or configuration (the WPA passphrase). Therefore, only MAC addresses are visible, as the rest of the frames, including the IP address part, is encrypted.

(if I'm wrong, kindly provide more information about your capture setup).

(23 Jul '17, 12:24) sindy

You are not wrong. What do I have to do to see more? Or what kind of information do you need? Watson

(23 Jul '17, 12:26) macosx

One Answer:


All the wisdom related to the task is concentrated at this Wireshark Wiki page.

Don't miss the following paragraph on that page:

WPA and WPA2 use keys derived from an EAPOL handshake, which occurs when a machine joins a Wi-Fi network, to encrypt traffic. Unless all four handshake packets are present for the session you're trying to decrypt, Wireshark won't be able to decrypt the traffic. You can use the display filter eapol to locate EAPOL packets in your capture.

To ensure the presence of EAPOL packets in the capture, you have to log off and back on that WLAN on every single client whose traffic you want to decrypt (switch WiFi off and on, or log on to another SSID and back to this one, or go to sleep mode of the device and then back again, ...).

Plus, be aware that if the card you use for monitoring doesn't support the same WiFi modes as the client, or if it is too far from the client or from the AP, you may not capture a good deal of the traffic.

answered 23 Jul '17, 12:48
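An added example, not part of the original answer: a check of which of the four handshake messages a capture holds for each client, based on the Key Information flags of the EAPOL-Key frames. The function names and the sample frames are constructed for illustration; it assumes WPA2, where the Secure bit separates message 4 from message 2, and that the client MAC and the 802.1X payload have already been extracted from each frame matched by the `eapol` filter.

```python
import struct

# Key Information flag bits of an EAPOL-Key frame (IEEE 802.11 4-way handshake)
PAIRWISE, ACK, MIC, SECURE = 0x0008, 0x0080, 0x0100, 0x0200

def handshake_msg(eapol: bytes):
    """Return 1-4 for a WPA2 pairwise EAPOL-Key frame, else None.
    `eapol` starts at the 802.1X header (version, type, length)."""
    if len(eapol) < 7 or eapol[1] != 3:       # 802.1X type 3 = EAPOL-Key
        return None
    # Key Information follows the 4-byte header and 1-byte descriptor type
    (info,) = struct.unpack_from(">H", eapol, 5)
    if not info & PAIRWISE:                   # group key handshake, not the 4-way one
        return None
    if info & ACK:
        return 3 if info & MIC else 1         # sent by the AP
    if info & MIC:
        return 4 if info & SECURE else 2      # sent by the client
    return None

def missing_messages(frames):
    """frames: iterable of (client_mac, eapol_bytes).
    Returns {client_mac: sorted list of handshake messages not seen}."""
    seen = {}
    for client, eapol in frames:
        msgs = seen.setdefault(client, set())
        n = handshake_msg(eapol)
        if n:
            msgs.add(n)
    return {c: sorted({1, 2, 3, 4} - m) for c, m in seen.items()}

def _frame(info):
    """Constructed sample: EAPOL-Key frame with zeroed nonce and MIC fields."""
    body = bytes([2]) + struct.pack(">HH", info, 16) + bytes(90)
    return bytes([2, 3]) + struct.pack(">H", len(body)) + body

# Constructed capture: client A has a full handshake, client B lost messages 2 and 4
SAMPLE = [("aa:aa:aa:aa:aa:aa", _frame(i)) for i in (0x008A, 0x010A, 0x13CA, 0x030A)]
SAMPLE += [("bb:bb:bb:bb:bb:bb", _frame(i)) for i in (0x008A, 0x13CA)]

if __name__ == "__main__":
    for client, missing in missing_messages(SAMPLE).items():
        print(client, "complete" if not missing else f"missing {missing}")
```

A client reported with missing messages is one that has to rejoin the WLAN while the capture is running.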

