Packets shown are mostly 802.11 despite open network

asked 2019-12-17 03:41:31 +0000


updated 2019-12-17 06:13:52 +0000

hi guys, I'm currently trying to see if it's possible to sniff MQTT packets between two Raspberry Pis from a wireless adapter in monitor mode attached to my PC.

I ran the following command on my PC (Kali Linux):

sudo airmon-ng start wlan1 11

where the Wi-Fi network my rPis are on is operating on channel 11. For simplicity, I left the network as an open network, i.e. no password, encryption disabled.

So I started publishing data from one rPi and subscribing on the other using the Mosquitto broker and a script to publish data in 2-second intervals. Using PuTTY I am able to see that the devices are indeed successfully sending and receiving the correct MQTT packets. I launched Wireshark and selected the wlan1mon interface to sniff on, but there were no MQTT packets being sniffed even when I typed "mqtt" into the filter. Rather, I entered "wlan.addr_resolved == raspberrypi.local" and saw large blocks of "Request-to-Send", "Clear-to-Send" and block acknowledgement packets marked with the protocol "802.11" to and from the router occurring in 2-second intervals, with some ARP, mDNS and ICMPv6 packets scattered into the mix.

The blocks of RTS/CTS and block ACKs occurring in the same time intervals as my MQTT communications seem to strongly indicate that the MQTT packets are indeed being detected but not explicitly being identified as MQTT.

I'm currently using the Alfa AWUS036NH adapter to sniff in monitor mode. I would really appreciate some advice as to what I could possibly be doing wrong, or whether it's even possible to do what I'm trying to do. I've been stuck on this for quite a long time ^^

P.S. I noticed that filtering on the ip.addr of my rPi does not yield the same results as wlan.addr_resolved. Is there a reason for that? Sorry, I'm quite new to this stuff.

Regards, Eugene
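The first thing to establish with a capture like the one described above is whether any 802.11 *data* frames are being captured at all: RTS, CTS and Block Ack are control frames that carry no IP payload, so an `ip.addr` or `mqtt` display filter can never match them, while `wlan.addr` matches the station MAC in every frame type. The script below is an added example, not code from the question or from Wireshark; it reads a monitor-mode (radiotap, linktype 127) pcap, tallies frames by 802.11 type/subtype, and reports how many data frames carry IPv4/TCP on port 1883 (assumed here to be the broker's port, Mosquitto's default). The two embedded captures are constructed, with made-up MAC and IP addresses: one contains only the control frames the poster saw, the other adds the data frame that would have to be present for Wireshark to show MQTT.

```python
"""Tally 802.11 frame types in a radiotap pcap (linktype 127) and check whether
any data frame carries IPv4/TCP to or from the MQTT port.  Sample frames are
constructed inline so the script runs offline; pass a real capture file as
argv[1] to analyse your own monitor-mode capture."""
import struct
import sys
from collections import Counter

LINKTYPE_IEEE802_11_RADIOTAP = 127
MQTT_PORT = 1883            # assumption: the broker listens on Mosquitto's default port
TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
CONTROL_SUBTYPES = {9: "Block Ack", 11: "RTS", 12: "CTS", 13: "ACK"}


def iter_pcap_records(data):
    """Yield raw packet bytes from a little-endian classic pcap held in memory."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    if linktype != LINKTYPE_IEEE802_11_RADIOTAP:
        raise ValueError("expected a radiotap (monitor-mode) capture, got linktype %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def classify(frame):
    """Return (type, subtype, payload) for one radiotap-prefixed 802.11 frame.
    payload is everything after the MAC header for data frames, None otherwise."""
    rt_len = struct.unpack_from("<H", frame, 2)[0]   # radiotap: version, pad, length (LE), present...
    dot11 = frame[rt_len:]
    fc0, fc1 = dot11[0], dot11[1]
    ftype = (fc0 >> 2) & 0x3                          # Frame Control: proto(2) type(2) subtype(4)
    subtype = (fc0 >> 4) & 0xF
    if ftype != 2:
        return ftype, subtype, None
    hdr = 24                                          # FC, duration, addr1-3, seq control
    if fc1 & 0x3 == 0x3:                              # To-DS and From-DS set: addr4 present
        hdr += 6
    if subtype & 0x8:                                 # QoS data: 2-byte QoS Control field
        hdr += 2
        if fc1 & 0x80:                                # Order bit on a QoS frame: 4-byte HT Control
            hdr += 4
    return ftype, subtype, dot11[hdr:]


def tcp_ports(payload):
    """Return (src_port, dst_port) if payload is LLC/SNAP + IPv4 + TCP, else None."""
    if len(payload) < 8 or payload[:3] != b"\xaa\xaa\x03":
        return None
    if struct.unpack_from("!H", payload, 6)[0] != 0x0800:   # SNAP ethertype: IPv4
        return None
    ip = payload[8:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0xF) * 4
    if ip[9] != 6 or len(ip) < ihl + 4:                      # IP protocol 6 = TCP
        return None
    return struct.unpack_from("!HH", ip, ihl)


def summarize(pcap_bytes):
    """Count frames per 802.11 type/subtype and count TCP segments on MQTT_PORT."""
    counts, mqtt_segments = Counter(), 0
    for frame in iter_pcap_records(pcap_bytes):
        ftype, subtype, payload = classify(frame)
        label = ("control/" + CONTROL_SUBTYPES.get(subtype, str(subtype))
                 if ftype == 1 else TYPE_NAMES.get(ftype, "reserved"))
        counts[label] += 1
        if payload is not None:
            ports = tcp_ports(payload)
            if ports and MQTT_PORT in ports:
                mqtt_segments += 1
    return counts, mqtt_segments


# ---- constructed sample captures (made-up addresses, not from a real network) ----
RADIOTAP = b"\x00\x00\x08\x00\x00\x00\x00\x00"   # minimal 8-byte radiotap header, no fields
STA = b"\xb8\x27\xeb\x00\x00\x01"                  # constructed station (Raspberry Pi) MAC
AP = b"\x02\x00\x00\x00\x00\xaa"                   # constructed access-point MAC


def ctrl_frame(subtype, addrs):
    """Control frame (type 1): FC, duration, then RA[/TA]; no payload."""
    return RADIOTAP + bytes([(subtype << 4) | (1 << 2), 0x00]) + b"\x00\x00" + addrs


def data_frame_mqtt():
    """Data frame STA -> AP carrying IPv4/TCP to port 1883 with an MQTT PINGREQ (0xC0 0x00)."""
    mac = bytes([0x08, 0x01]) + b"\x00\x00" + AP + STA + AP + b"\x10\x00"   # To-DS set
    tcp = struct.pack("!HHIIBBHHH", 40000, MQTT_PORT, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + b"\xc0\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20])) + tcp
    return RADIOTAP + mac + b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + ip


def build_pcap(frames):
    gh = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11_RADIOTAP)
    return gh + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))


# What the poster describes: RTS/CTS/Block Ack in view, no data frame captured.
CONTROL_ONLY = build_pcap([ctrl_frame(11, STA + AP), ctrl_frame(12, STA), ctrl_frame(9, AP + STA)])
# The same exchange with the data frame actually captured.
WITH_DATA = build_pcap([ctrl_frame(11, STA + AP), ctrl_frame(12, STA), data_frame_mqtt(), ctrl_frame(9, AP + STA)])

if __name__ == "__main__":
    pcap = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else CONTROL_ONLY
    counts, mqtt = summarize(pcap)
    for label, n in sorted(counts.items()):
        print("%-20s %d" % (label, n))
    print("data frames with TCP port %d: %d" % (MQTT_PORT, mqtt))
```

Run it against a pcap saved from the wlan1mon capture; if the "data" count is zero while RTS/CTS/Block Ack are present, the adapter is picking up the control frames of the exchange but not the data frames that carry MQTT, and no display filter will make `mqtt` appear until those are captured. The same breakdown can be done in Wireshark directly with `wlan.fc.type == 2` (all data frames) or `wlan.fc.type_subtype == 0x1b` (RTS), `0x1c` (CTS), `0x19` (Block Ack).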
