I'm trying to understand how to capture traffic on my WLAN (WPA2) using Wireshark. I can see the traffic going to and from my Backtrack-PC and Wireshark is able to decrypt it (using the WPA-password and the four EAPOL Key msg), but I can't see any traffic going from other clients on the network. If I deauth a client from my BT-PC I only get two EAPOL Key msg, 1/4 and 3/4; it's missing key 2/4 and 4/4. Why is that?
I've tried different approaches listening on both wlan0 and mon0 but no luck. It seems to me that Wireshark can only capture the WPA-handshake going from the client to the AP and not vice versa. I can't get any data-traffic (like http) from my clients.
Am I doing something wrong here or is it just impossible to capture traffic on WLAN encrypted with WPA2?
This is my config: BackTrack 5 R1 running on a PC with an Alfa AWUS036H (the computer running Wireshark). AP is an ASUS RT-N56U. Clients: one laptop running BackTrack 5 R1 and one Android phone.
BT-tools used: Wireshark (sniffer), airmon-ng (to switch wlan0 into monitor mode), aireplay-ng (to deauth).
asked 18 Aug '12, 03:10
To verify that your capture setup is working please try the following setup:
Compare that trace with your prior tests. If there are more frames in it, you might have an issue with Wireshark fiddling with the monitor mode. In any case, try not to enable the "promiscuous mode" setting in Wireshark when capturing from your mon0 interface and see if that helps.
The AWUS036H is perfectly capable of sniffing WPA2/AES traffic, that should not be an issue. Try to limit your AP to 802.11g for testing purposes.
WLAN is not my specialty, but keep in mind that the WiFi adapter basically works in half duplex mode, so if you're using it as a communication device (and not just as a passive capture card) your outgoing traffic will prevent reading other (incoming) packets at the same time - because the card can either receive or send data (not both). Have you tried removing all IP addresses from your WiFi NIC to see if it works as a capture-only card?
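An added example, not part of the original thread: the question notes that Wireshark decrypts using the WPA password and the four EAPOL Key messages, so this Python check classifies EAPOL-Key frames by their Key Information bits and reports which of the four a capture lacks. The function names are hypothetical, the frame bytes are constructed samples, and telling message 2 from message 4 by the Secure bit assumes WPA2 (RSN).

```python
import struct

# Key Information bit masks from the IEEE 802.11 EAPOL-Key frame format.
PAIRWISE, INSTALL, ACK, MIC, SECURE = 0x0008, 0x0040, 0x0080, 0x0100, 0x0200

def classify_eapol_key(frame: bytes):
    """Return 1-4 for a pairwise 4-way handshake message, else None.

    `frame` starts at the 802.1X header (version, type, length).
    """
    if len(frame) < 7:
        return None  # truncated: no Key Information field to inspect
    _ver, ptype, _length, _desc, key_info = struct.unpack_from("!BBHBH", frame)
    if ptype != 3 or not key_info & PAIRWISE:
        return None  # not EAPOL-Key, or a group-key handshake frame
    ack, mic = bool(key_info & ACK), bool(key_info & MIC)
    if ack and not mic:
        return 1  # AP -> client, carries ANonce
    if ack and mic and key_info & INSTALL:
        return 3  # AP -> client, install PTK
    if mic and not ack:
        # Assumption: WPA2/RSN, where only message 4 has Secure set.
        return 4 if key_info & SECURE else 2  # client -> AP
    return None

def missing_messages(frames):
    """List the handshake message numbers (1-4) absent from `frames`."""
    seen = {classify_eapol_key(f) for f in frames}
    return [n for n in (1, 2, 3, 4) if n not in seen]

def build_key_frame(key_info: int) -> bytes:
    """Constructed sample: EAPOL-Key frame with zeroed nonce/MIC fields."""
    body = struct.pack("!BHH", 2, key_info, 16) + bytes(88) + struct.pack("!H", 0)
    return struct.pack("!BBH", 1, 3, len(body)) + body

# Constructed Key Information values typical of a WPA2-CCMP handshake.
M1, M2, M3, M4 = (build_key_frame(k) for k in (0x008A, 0x010A, 0x13CA, 0x030A))

if __name__ == "__main__":
    # The capture described in the question: only AP-to-client messages seen.
    print("missing:", missing_messages([M1, M3]))
    print("missing:", missing_messages([M1, M2, M3, M4]))
```

Messages 2/4 and 4/4 are the two sent by the client, so a result of `[2, 4]` means the capture is only hearing the AP's side of the handshake.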