user1474685

Wireshark doesn't capture 802.11 data packets

Lately I have been trying to analyze Wi-Fi traffic over my own test router. I looked on the Wireshark website for how to do this and set up my own testing network.

My network:

- DD-WRT router with WPA2 Personal mixed security using TKIP+AES.
- Kali Linux capture machine with Wireshark 1.8.5
- Android phone for producing traffic

I then put the wireless interface of my Kali laptop into monitor mode using airmon-ng:

airmon-ng start wlan0

To check if the created monitor interface (mon0) worked I would use airodump-ng. When I knew that my monitor interface was working, I started up Wireshark. I selected mon0 as capture interface and pressed Options. In Capture Options I put the MAC address of my router, which I got through airodump-ng, in the capture filter area.

I then would take care of the packet decryption that would be needed for me to see the actual data. I went to the following webpage: http://wiki.wireshark.org/HowToDecrypt802.11

I followed the instructions there. (Only the way I need to put in the decryption keys is different from the Key #1 system that is described on the page. I get a new window in which I need to select a security method, WEP, wpa-pwd or wpa-psk, and input the key.) I used the Wireshark WPA PSK generator tool to get the right pre-shared key.

http://www.wireshark.org/tools/wpa-psk.html

Essid: "testnet"

Password: "wachtwoord"

psk: 33fe484e651381b15859e539279f2991c0f5e5e751ef17f82104d4ad528718ca

I put in 2 new keys. One being wpa-pwd with wachtwoord as its value. The second being wpa-psk with the psk mentioned above as its value.

I applied all the settings, and checked the enable decryption checkbox.

So I clicked the start capture button and saw a whole bunch of beacon frames rolling in. I associated my Android phone with the AP so I knew I captured the EAPOL packets (I checked this using the filter and I had all 4 packets).

After filtering with "data", I saw that I didn't capture any data packets.

I then expected to see the actual traffic, but this was not the case. airdecap-ng did not see any WPA packets in the capture file.

My only theory left after hours of puzzling is lack of driver support. Please tell me what I am doing wrong?

Thank you!

tl;dr: My computer does not capture 802.11 WPA2 data packets, and I can't figure out why.

Upvotes: 1

Views: 4853
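The question enters both a wpa-pwd key and a wpa-psk key for the same network. The two are equivalent: Wireshark derives the PSK from the passphrase and SSID with PBKDF2-HMAC-SHA1 (4096 iterations, 256 bits), which is exactly what the wpa-psk.html tool does. The following is an added example, not code from the question, the answer, or Wireshark itself. It assumes only the Python standard library and uses the documented Wireshark key syntax `wpa-pwd:passphrase:ssid` and `wpa-psk:hex`; the function and variable names are mine, and the IEEE 802.11i test vector ("password"/"IEEE") is included as an independent check.

```python
import hashlib


def wpa_psk(passphrase: str, ssid: str) -> str:
    """Derive the 256-bit WPA/WPA2-Personal PSK from a passphrase and SSID.

    IEEE 802.11i: PSK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096 iterations, 256 bits).
    Returns the PSK as 64 lowercase hex characters, the form Wireshark's
    wpa-psk key type expects.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase must be 8..63 characters")
    raw = hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),  # passphrase must be printable ASCII
        ssid.encode("utf-8"),        # SSID is the salt
        4096,
        dklen=32,
    )
    return raw.hex()


def wireshark_keys(passphrase: str, ssid: str) -> dict:
    """Return the two Wireshark decryption-key entries that describe one network.

    Both entries decrypt the same traffic; adding both is harmless but redundant.
    """
    return {
        "wpa-pwd": f"wpa-pwd:{passphrase}:{ssid}",
        "wpa-psk": f"wpa-psk:{wpa_psk(passphrase, ssid)}",
    }


# Values taken from the question above (constructed test network).
QUESTION_SSID = "testnet"
QUESTION_PASSPHRASE = "wachtwoord"
QUESTION_PSK = "33fe484e651381b15859e539279f2991c0f5e5e751ef17f82104d4ad528718ca"


def matches_question_psk() -> bool:
    """True if locally derived PSK equals the one the question got from the Wireshark tool."""
    return wpa_psk(QUESTION_PASSPHRASE, QUESTION_SSID) == QUESTION_PSK


if __name__ == "__main__":
    for name, key in wireshark_keys(QUESTION_PASSPHRASE, QUESTION_SSID).items():
        print(f"{name}: {key}")
    print("derived PSK matches the question's value:", matches_question_psk())
```

Note that the PSK only lets Wireshark decrypt a client's traffic if the capture contains that client's full 4-way EAPOL handshake, because the per-session PTK is derived from the PSK plus the nonces and MAC addresses exchanged there. Capturing the handshake is necessary but not sufficient: if the interface never delivers data frames at all, as in the question, no key setting will help.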

Answers (1)

user2625212

Reputation: 21

Have you checked if you can capture Wi-Fi frames in OPEN/NONE security? If it doesn't work with OPEN/NONE, then you need to fix the setup before being able to capture WPA2/AES traffic.

Steps I used to check Wi-Fi capture setup:

  • Configure AP as OPEN/NONE (open authentication, no encryption).
  • Add monitor interface:

$ sudo iw phy phy0 interface add moni0 type monitor
$ sudo ifconfig moni0 up

  • Set the channel properly (same between the AP and the laptop). Avoid popular ch1,6,11 (use channel 7, for example) to reduce the amount of captured traffic.
  • Some wireless cards do not support monitor mode very well, so it may also be worth avoiding 802.11n; use 802.11b/g only.

Upvotes: 1
