
Ok, I figured it out and want to post the answer for other people on how it worked for me. I don't know why the sequence of events is important, but it is important.

First, have your phone forget the Wi-Fi connection so it disconnects and doesn't have the password saved.

You basically want to start with nothing going:

sudo service NetworkManager stop

sudo ip link set <interface> down

Create a virtual interface that can be up and in monitor mode while NetworkManager is down:

sudo iw phy phy0 interface add mon0 type monitor

sudo ip link set mon0 up

Start up Wireshark.

Go to Edit --> Preferences --> Protocols --> IEEE 802.11. Make sure "Enable decryption" is checked. Edit and add decryption keys. Enter your password for wpa-pwd and/or the PSK key for wpa-psk. Hit OK. Without doing this you won't be able to see anything other than the EAPOL traffic.

Go back to the welcome page and click on mon0. Filter for "eapol", because this will show when a new device enters the network, and you can confirm that your phone is being seen by Wireshark.

Connect your phone to the Wi-Fi network by entering the password. You should see EAPOL traffic now. You can confirm by looking at the MAC address.

Now you can filter by "dns" and "http" or whatever you want to filter for and see the traffic!
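The two key types in the IEEE 802.11 decryption dialog above are related: the wpa-psk entry is the 256-bit key that WPA/WPA2-Personal derives from the passphrase and SSID with PBKDF2-HMAC-SHA1 (4096 iterations), which is what Wireshark does internally for a wpa-pwd entry of the form passphrase:SSID. The following is an added example, not code from the original answer or from the Wireshark project, that derives that PSK and produces both key strings; the passphrase and SSID values in it are constructed, and the first pair is the published IEEE 802.11i test vector.

```python
import hashlib
import re

# IEEE 802.11i passphrase-to-PSK mapping: PSK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096, 256 bits)
PBKDF2_ITERATIONS = 4096
PSK_LEN_BYTES = 32


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2-Personal PSK from a passphrase and SSID.

    Enforces the limits the standard imposes: the passphrase is 8..63 ASCII
    characters and the SSID is 1..32 bytes, so a bad entry fails here rather
    than silently producing a key Wireshark will never match.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes, PBKDF2_ITERATIONS, PSK_LEN_BYTES
    )


def wireshark_key_entries(passphrase: str, ssid: str) -> dict:
    """Return the two equivalent entries for the IEEE 802.11 decryption keys table.

    'wpa-pwd' is passphrase:SSID and lets Wireshark derive the PSK itself;
    'wpa-psk' is the precomputed 64-hex-digit PSK and does not need the SSID.
    """
    return {
        "wpa-pwd": f"{passphrase}:{ssid}",
        "wpa-psk": wpa_psk(passphrase, ssid).hex(),
    }


def is_valid_wpa_psk_hex(value: str) -> bool:
    """Check that a wpa-psk entry is exactly 64 hex digits (256 bits)."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", value) is not None


if __name__ == "__main__":
    # Constructed sample values; the first pair is the IEEE 802.11i test vector.
    for passphrase, ssid in [("password", "IEEE"), ("correct horse battery", "HomeLabNet")]:
        entries = wireshark_key_entries(passphrase, ssid)
        assert is_valid_wpa_psk_hex(entries["wpa-psk"])
        print(f"SSID {ssid!r}: wpa-pwd={entries['wpa-pwd']!r} wpa-psk={entries['wpa-psk']}")
```

Whichever form you enter, Wireshark can only decrypt a client's frames after it has captured that client's complete 4-way handshake, which is why the answer has the phone re-join the network after the capture is running.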
