This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark only sniffs my device’s (Mac OS X) traffic on my wifi network. Monitor mode not helping

0

The packets coming through are all from my own device, but the other devices connected to my wireless network (a PC, and a mobile phone) are not showing up at all. I did some research, and put it in "monitor mode", but doing that changes the way the captured data looks. They are no longer color coded, they are just plain text, and it doesn't seem to be tracking any of the information I want; all the results are now protocol: 802.11.

The only way to fix it is to uncheck monitor mode, but doing that will only show me my own traffic. Any idea what I should do?

asked 12 Mar '13, 22:33


dingoes45


One Answer:

2

I did some research, and put it in "monitor mode", but doing that changes the way the captured data looks. They are no longer color coded, they are just plain text,

That's probably because your network is encrypted (WEP or WPA/WPA2), and, when you capture in monitor mode, the unencrypted packets are given to Wireshark by the kernel (BPF).

If you are on an encrypted network, and you want to capture other machines' traffic, you will have to get the password for your network, and configure Wireshark to be able to decrypt that traffic. For WPA/WPA2, this means that you will need to capture the traffic from those machines at the beginning of an encrypted session, which may require you to disconnect them from the network, start Wireshark, and reconnect them to the network. (After all, the whole point of encrypting a network is to make it harder to sniff it....)

answered 12 Mar '13, 22:53


Guy Harris ♦♦

Thanks, that's what I figured. I did, however, try that as well. And assuming I understood it correctly, I entered wpa-pwd:(password):(ssid) into the field. It still changes nothing in terms of the results I see when on monitor mode.

(12 Mar '13, 23:04) dingoes45

Is there something else I should be doing after I enter the network information?

(12 Mar '13, 23:09) dingoes45

Note that, as I said in my answer, if your network is a WPA/WPA2 network, you can only decrypt traffic to or from a given machine if you capture the initial EAPOL handshake. As the Wireshark Wiki page I linked to says:

WPA and WPA2 use keys derived from an EAPOL handshake to encrypt traffic. Unless all four handshake packets are present for the session you're trying to decrypt, Wireshark won't be able to decrypt the traffic. You can use the display filter eapol to locate EAPOL packets in your capture.

(13 Mar '13, 01:27) Guy Harris ♦♦
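
The requirement quoted in the last comment, that all four EAPOL handshake packets be present for a session, can be checked per station. The following is an added example, not part of the original thread and not Wireshark's code: it classifies pairwise EAPOL-Key frames as messages 1 to 4 from their Key Information bits and lists the messages missing for each station. The function names, MAC addresses and frames are constructed for illustration, and each frame is assumed to start at the 802.1X header.

```python
import struct

ACK, MIC, PAIRWISE = 0x0080, 0x0100, 0x0008   # Key Information flag bits

def handshake_message(eapol: bytes):
    """Return 1-4 for a pairwise EAPOL-Key frame, else None.
    `eapol` starts at the 802.1X header (version, type, length)."""
    if len(eapol) < 99 or eapol[1] != 3:       # type 3 = EAPOL-Key
        return None
    (key_info,) = struct.unpack_from(">H", eapol, 5)
    (data_len,) = struct.unpack_from(">H", eapol, 97)
    if not key_info & PAIRWISE:                # group-key handshake, not the 4-way one
        return None
    ack, mic = bool(key_info & ACK), bool(key_info & MIC)
    if ack:
        return 3 if mic else 1                 # sent by the access point
    if mic:
        return 2 if data_len else 4            # sent by the station; message 4 has no key data
    return None

def missing_messages(frames):
    """frames: iterable of (station_mac, eapol_bytes).
    Returns {station: [handshake messages not seen]}; [] means complete."""
    seen = {}
    for station, eapol in frames:
        n = handshake_message(eapol)
        if n:
            seen.setdefault(station, set()).add(n)
    return {sta: sorted({1, 2, 3, 4} - msgs) for sta, msgs in seen.items()}

def build_frame(key_info, key_data=b""):
    """Construct a minimal EAPOL-Key frame (zeroed nonce/MIC) for the demo."""
    body = struct.pack(">BHH", 2, key_info, 16) + bytes(88)
    body += struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 2, 3, len(body)) + body

# Constructed sample: the PC reconnected during the capture, the phone's
# handshake was only partly captured.
M1, M2 = build_frame(0x008A), build_frame(0x010A, b"\x30\x14" + bytes(20))
M3, M4 = build_frame(0x13CA, bytes(56)), build_frame(0x030A)
SAMPLE = [("02:00:00:00:00:01", m) for m in (M1, M2, M3, M4)]
SAMPLE += [("02:00:00:00:00:02", m) for m in (M3, M4)]

if __name__ == "__main__":
    for sta, missing in missing_messages(SAMPLE).items():
        print(sta, "complete" if not missing else f"missing {missing}")
```

A station that sent no EAPOL frames during the capture does not appear in the result at all, which is the case the answer addresses by disconnecting and reconnecting the device after starting the capture.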