This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

“Capture packets in monitor mode” option does not work / unable to scan any HTTP traffic other than my own


Hi! I'm using Linux Mint, which is an Ubuntu distribution, with Wireshark v1.4.6, installed just a week ago. I have several computers connected to the same wireless network and I want to be able to see all the traffic. Using wlan0, I can only monitor my own traffic (i.e. that of the computer running Wireshark). I tried to check "capture in monitor mode": it blinks and remains blank. I tried to enable monitor mode via airmon-ng so I get the mon0 interface; I can use it with Wireshark but it does not scan HTTP traffic, shows only IEEE 802.11 as protocol during scanning, and again the "capture in monitor mode" option does not work. Is there something I can do?

asked 02 Jan '12, 03:09


John mech

Are you using encryption on the WiFi network?

(02 Jan '12, 03:12) Landi

No I don't

(02 Jan '12, 04:37) John mech

Are you capturing your own traffic or are you sniffing other clients' HTTP traffic? Plus, did you set mon0 to the specific channel during airmon-ng?

(02 Jan '12, 04:59) Landi

I can capture the HTTP traffic of the computer running Wireshark only, and only if I use wlan0. I want to capture the HTTP traffic of all computers connected to my wireless network. I didn't specify a channel during airmon-ng; I used it only to enable a monitoring interface, mon0.

(02 Jan '12, 06:08) John mech

Then start with specifying airmon-ng start wlan0 <channelnumber> to make sure you are steadily sniffing on the same channel.

If you then don't see your own HTTP traffic, I would guess it is the same problem that all the other posters of your question had - that is, that you have to capture your HTTP traffic from another wireless client to see all the frames.

(02 Jan '12, 06:12) Landi

I can see my own HTTP traffic, but only using wlan0. I did what you suggested and didn't notice any difference. Again, if I use mon0, I only scan some IEEE 802.11 protocol, no HTTP at all, neither mine nor that of any computer connected to my wireless network. After all, the monitor mode switches from channel to channel by default, so I would be able to see some activity even if I didn't specify a channel.

(02 Jan '12, 06:44) John mech

Have you tried to locate HTTP inside 802.11 data-flagged frames? Just go for the largest frames and take a look inside (maybe try Decode As...).

If all of that doesn't work, I'm out of ideas unless you provide some sort of tracefile to analyze.

(02 Jan '12, 07:15) Landi

Decode As... is grayed out, I cannot use it. I can't locate anything. What kind of file would help?

(02 Jan '12, 14:55) John mech

The monitor mode I've seen on Linux, *BSD, and Mac OS X does NOT switch from channel to channel by default. An application can explicitly switch channels if it's capturing in monitor mode, but Wireshark doesn't support that.

As for "What kind of file would help?", the answer is "the file you save from Wireshark after capturing some traffic on mon0" - that's what a "tracefile" is, it's also called a "capture file", and it's what gets saved from a network analyzer such as Wireshark.

(02 Jan '12, 19:27) Guy Harris ♦♦

2 Answers:


They are inside your trace - filter for "wlan.fc.type_subtype == 0x20" and there you have your TKIP-encrypted data frames containing HTTP and all the other packets you are looking for.

So to see the traffic, you have to decrypt the trace first, which is the difference from capturing on your wlan0 interface, where the traffic has already been decrypted before you see it in Wireshark (but of course only your own traffic, since it's not mon0).

All you need is in the wiki under http://wiki.wireshark.org/HowToDecrypt802.11

answered 04 Jan '12, 06:54


Landi

Thanks Landi, and sorry for messing this up :) Still, I can't see any HTTP traffic. I don't know what I'm doing wrong, since the wiki has a sample trace you can download which, after entering the WEP key, reveals HTTP traffic. So I think I'm doing this right. No matter what I do with my WPA key, however, it does not reveal HTTP traffic in my case :( In fact, it doesn't seem to decrypt anything at all. My Wireshark version does support WPA decryption, and I tried entering the key in various forms: wpa-psk:7jp50i[...]kbrfyq as well as wpa-pwd:7jp50i[...]kbrfyq:G-VIRUS. Nothing :(

(04 Jan '12, 09:40) John mech

I don't know what I'm doing wrong

Not disconnecting all machines from the wireless network, starting a capture, and then reconnecting machines to the network. As the "How to decrypt 802.11" page that both I and Landi pointed you to says:

"WPA and WPA2 use keys derived from an EAPOL handshake to encrypt traffic. Unless all four handshake packets are present for the session you're trying to decrypt, Wireshark won't be able to decrypt the traffic. You can use the display filter eapol to locate EAPOL packets in your capture."

Disconnecting and reconnecting should force that handshake.

(04 Jan '12, 11:21) Guy Harris ♦♦
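An added example, not from this thread or from Wireshark, that checks a radiotap capture such as the one saved from mon0 for the two things the replies above ask for: the plain Data frames that "wlan.fc.type_subtype == 0x20" would match (and how many are protected, i.e. encrypted) and whether all four EAPOL handshake messages are present, without which the WPA key cannot decrypt anything. The pcap in SAMPLE is constructed inside the script, the helpers build_pcap, data_frame and eapol_key are written here, and only plain (non-QoS) Data frames with a 24-byte header are examined, like the filter in the answer.

```python
import struct

KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 0x0040, 0x0080, 0x0100, 0x0200  # EAPOL-Key Key Info bits
LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"  # LLC/SNAP header with ethertype 0x888e

def handshake_msg(key_info):
    """Map EAPOL-Key Key Information bits to 4-way handshake message 1..4 (0 = other)."""
    if key_info & KI_ACK and not key_info & KI_MIC:
        return 1
    if key_info & KI_MIC and key_info & KI_ACK and key_info & KI_INSTALL:
        return 3
    if key_info & KI_MIC and not key_info & KI_ACK:
        return 4 if key_info & KI_SECURE else 2
    return 0

def scan_pcap(data):
    """Count plain Data frames (wlan.fc.type_subtype == 0x20), protected ones, EAPOL frames,
    and which handshake messages a radiotap pcap holds; 'decryptable' needs all four."""
    assert struct.unpack_from("<I16xI", data, 0) == (0xA1B2C3D4, 127), "LE pcap, linktype 127 expected"
    res, off = {"data_frames": 0, "protected": 0, "eapol": 0, "handshake": set()}, 24
    while off + 16 <= len(data):
        caplen = struct.unpack_from("<I", data, off + 8)[0]
        pkt, off = data[off + 16:off + 16 + caplen], off + 16 + caplen
        rt_len = struct.unpack_from("<H", pkt, 2)[0]       # radiotap header length field
        fc0, fc1 = pkt[rt_len], pkt[rt_len + 1]            # 802.11 Frame Control bytes
        if (fc0 >> 2) & 3 != 2 or fc0 >> 4 != 0:           # only type 2 (Data), subtype 0
            continue
        res["data_frames"] += 1
        if fc1 & 0x40:                                     # Protected Frame bit: payload encrypted
            res["protected"] += 1
            continue
        body = pkt[rt_len + 24:]                           # payload after the 3-address MAC header
        if body[:8] == LLC_SNAP_EAPOL:                     # what the 'eapol' display filter matches
            res["eapol"] += 1
            if body[9] == 3:                               # EAPOL packet type 3 = EAPOL-Key
                res["handshake"].add(handshake_msg(struct.unpack_from(">H", body, 13)[0]))
    res["decryptable"] = res["handshake"] >= {1, 2, 3, 4}
    return res

def build_pcap(frames):  # constructed little-endian pcap, linktype 127 (DLT_IEEE802_11_RADIO)
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 127)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
def data_frame(fc1, payload):  # constructed 8-byte radiotap + 24-byte Data header (zero MACs)
    return struct.pack("<BBHI", 0, 0, 8, 0) + bytes([0x08, fc1]) + b"\x00" * 22 + payload
def eapol_key(key_info):  # constructed EAPOL v2, type Key, len 95, descriptor 2, zeroed fields
    return LLC_SNAP_EAPOL + bytes([2, 3, 0, 95, 2]) + struct.pack(">H", key_info) + b"\x00" * 92

SAMPLE = build_pcap([  # constructed capture: two encrypted frames around a full 4-way handshake
    data_frame(0x40, b"\x00" * 40), data_frame(0x00, eapol_key(0x008a)),      # data, msg 1 (ACK)
    data_frame(0x00, eapol_key(0x010a)), data_frame(0x00, eapol_key(0x13ca)),  # msg 2 (MIC), msg 3
    data_frame(0x00, eapol_key(0x030a)), data_frame(0x40, b"\x00" * 40)])     # msg 4 (MIC|Secure), data
```

Running scan_pcap on a real mon0 capture with "decryptable": False is the case Guy Harris describes: reconnect the client so the handshake is captured, then enter the key.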

Thanks a lot guys, I'll try it again this way. I don't think I would have figured it out without you!

(06 Jan '12, 07:11) John mech


You may find this question useful. As for sniffing traffic other than yours, you may want to try a man-in-the-middle attack through ARP spoofing in order to hijack the other machines' packets to your machine (there are many applications which can do it, e.g. ettercap) and then use Wireshark to sniff the traffic.

answered 02 Jan '12, 18:56


Rael

So there is no way for me to scan the HTTP traffic of all computers connected to my wireless network just with Wireshark? Can Wireshark by itself only analyze the traffic of the computer it is running on?

(03 Jan '12, 00:34) John mech

Wrong - Wireshark can perfectly "scan" (meaning interpret) every trace file you load. Plus, with a correctly set up mon0 monitor mode interface, Wireshark can also analyze all the traffic on a specific channel.

(03 Jan '12, 00:49) Landi

I didn't mean scan as in interpret a trace file I load, I meant monitoring the (foreign) traffic. It's reasonable that it would "interpret" every trace file I can load.

@Rael, I tried using ettercap; it won't work either, for a different reason this time (it disconnects the "victim" from the internet, i.e. does not forward the packets it receives to the "victim", thus cutting its access to the internet). Nothing seems to work...

(03 Jan '12, 15:41) John mech

OK, as Landi said, "Plus with a correctly setup mon0 monitor mode interface, wireshark can also analyze all the traffic on a specific channel", so it can "scan" in that sense.

Now, if the traffic is encrypted, its ability to analyze that traffic is obviously limited by its ability to decrypt it; that requires that you have the password for the network AND, for WPA or WPA2, that you capture the initial handshake. See the Wireshark Wiki "How to decrypt 802.11" page for more information.

(03 Jan '12, 16:59) Guy Harris ♦♦

But I own the network and I'm no expert, but to the best of my knowledge, it's not encrypted! I also know the password, in fact the computer running wireshark is connected to this network.

(04 Jan '12, 02:04) John mech

"It's not encrypted" and "I also know the password" cannot both be true. "The password" is, in the case of WEP and WPA pre-shared key mode, used for encryption of packets.

If you own the network, and it's not an ad-hoc network, go fire up a utility for configuring the access point and see how it's configured and, if it's configured for WEP or WPA, what the password is.

(04 Jan '12, 02:34) Guy Harris ♦♦

You're right, that was stupid of me. I thought packet encryption was something different from gaining access to the network by entering the WPA key. So yes, it is encrypted. But the computer running Wireshark is already connected to the network. So what's missing? By the way, I uploaded a trace file of what mon0 captures when I run Wireshark: http://uploading.com/files/253466m7/packets.cap/

(04 Jan '12, 06:41) John mech

That's why I asked you a) if there is encryption and b) to look for the data frames by sorting by packet size.

It would have made this discussion very short :)

(04 Jan '12, 06:56) Landi