wireless

If you're capturing in monitor mode, and you're seeing a lot of "802.11" packets being captured, first read the "How to Decrypt 802.11" page on the Wireshark Wiki (a helpful collection of resources). Your network is probably "protected" with some form of Wi-Fi Protected Access (WPA), which is a system for encrypting Wi-Fi packets to make it harder to sniff the network (yes, the fact that it's hard to use Wireshark to sniff Wi-Fi networks is a feature - of Wi-Fi).

That document will tell you how to attempt to decrypt the packets - and how to capture traffic so that it can be decrypted (to decrypt traffic to and from some other machine, your capture has to include the process of that machine associating with the network, so you may have to restart it, or disconnect it from the network and reconnect it, while Wireshark is capturing).

If you're not capturing in monitor mode, you won't see unicast packets, such as streaming traffic, to or from that machine; you'll only see broadcast traffic - such as ARP requests. See the "Linux" section of the "WLAN (IEEE 802.11) capture setup" page of the Wireshark Wiki for information on how to capture in monitor mode (OS vendors seem to go out of their way to make it difficult for an application to just say "please capture on this adapter in monitor mode", so libpcap's ability to do that is somewhat limited; maybe someday I'll have time to make that better).
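Since decryption only works when the capture includes the station's association, a practical check is to look for the four EAPOL-Key frames of the WPA 4-way handshake before trying to decrypt. The following is an added example, not code from the answer above or from the Wireshark project: it parses a pcap with link type 105 (raw 802.11 frames without a radiotap header; a monitor-mode capture with radiotap would need that header skipped first), classifies each EAPOL-Key frame by its Key Information flags, and reports whether all four messages for a given station are present, using a constructed sample pcap as input.

```python
import struct
# EAPOL-Key "Key Information" flag bits (IEEE 802.11 EAPOL-Key frame format)
KEY_INSTALL, KEY_ACK, KEY_MIC, KEY_SECURE = 1 << 6, 1 << 7, 1 << 8, 1 << 9
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")   # LLC/SNAP header with EtherType 0x888E
LINKTYPE_IEEE802_11 = 105                            # pcap link type: raw 802.11, no radiotap

def eapol_key_message(key_info):
    """4-way handshake message number (1-4) from the Key Information flags, else None."""
    ack, mic, install, secure = (bool(key_info & b) for b in (KEY_ACK, KEY_MIC, KEY_INSTALL, KEY_SECURE))
    if ack:
        return 3 if mic and install else (None if mic else 1)
    return (4 if secure else 2) if mic else None

def handshake_messages(pcap):
    """Return [(transmitter, receiver, msg_no)] for every EAPOL-Key frame in the pcap."""
    magic, linktype = struct.unpack_from("<I", pcap, 0)[0], struct.unpack_from("<I", pcap, 20)[0]
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_IEEE802_11:
        raise ValueError("expected a little-endian pcap with link type 105")
    off, found = 24, []
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        fc = struct.unpack_from("<H", frame, 0)[0] if len(frame) >= 24 else 0
        ftype, subtype, flags = (fc >> 2) & 3, (fc >> 4) & 0xF, fc >> 8
        if ftype != 2 or subtype & 0x4:          # data frames only; skip null-data subtypes
            continue
        hdr = 24 + (6 if (flags & 3) == 3 else 0) + (2 if subtype & 0x8 else 0)  # addr4, QoS control
        eapol = frame[hdr + 8:]                  # EAPOL: version, type, length, descriptor, key info
        if len(eapol) < 7 or frame[hdr:hdr + 8] != LLC_SNAP_EAPOL or eapol[1] != 3:  # type 3 = Key
            continue
        key_info = struct.unpack_from(">H", eapol, 5)[0]
        found.append((frame[10:16].hex(":"), frame[4:10].hex(":"), eapol_key_message(key_info)))
    return found

def has_full_handshake(pcap, station):
    """True if all four handshake messages to or from `station` (MAC string) were captured."""
    msgs = {m for tx, rx, m in handshake_messages(pcap) if station in (tx, rx)}
    return msgs == {1, 2, 3, 4}

def _frame(addr1, addr2, addr3, from_ds, key_info):
    # Constructed, unencrypted 802.11 data frame carrying a minimal EAPOL-Key body (sample data)
    fc = 0x0008 | (0x0200 if from_ds else 0x0100)    # type=data; FromDS (AP->STA) or ToDS (STA->AP)
    hdr = struct.pack("<H", fc) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00"
    key = b"\x02" + struct.pack(">H", key_info) + bytes(92)     # RSN descriptor, flags, zeroed fields
    return hdr + LLC_SNAP_EAPOL + b"\x02\x03" + struct.pack(">H", len(key)) + key

AP, STA = bytes.fromhex("aabbccddeeff"), bytes.fromhex("112233445566")   # constructed MACs
FRAMES = [_frame(STA, AP, AP, True, 0x008A), _frame(AP, STA, AP, False, 0x010A),
          _frame(STA, AP, AP, True, 0x13CA), _frame(AP, STA, AP, False, 0x030A)]
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11) + b"".join(
    struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(FRAMES))
```

If `has_full_handshake` is false for the machine you care about, reconnect it while capturing, as the answer says, rather than fighting the decryption settings.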