
Running Wireshark 4.4.3 with neither, either or both promiscuous and monitor mode boxes ticked, I can only see and capture broadcast traffic and traffic directly to/from my MAC.

You can see traffic in monitor mode? That's a surprise, as newer versions of macOS and newer Macs appear not to capture any traffic in monitor mode, except under certain circumstances, such as...

But if I use the Mac's inbuilt Sniffer I can see and capture traffic between all devices,

...capturing with the Sniffer, which I assume here is the one in Wi-Fi Diagnostics.

The program doing the sniffing in that case is called "tcpdump", and it's run with the -I flag, which makes the exact same libpcap calls that Wireshark does to capture in monitor mode.

The difference is that Wi-Fi Diagnostics does... something to allow monitor mode to work. My suspicion is that it disconnects from your Wi-Fi network in a fashion that allows traffic capture, but nobody I know of has managed to figure out what that is.

At least at one point, I do remember that, if you run Wireshark while the Wi-Fi Diagnostics Sniffer is running, Wireshark can capture traffic in monitor mode Just Fine.

Unfortunately, using dapptrace may require that I turn system Secret API^W^Wintegrity protection off, so it may be a bit hard to figure out what the secret is.
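
One way to check what a saved capture really contains, as an added example that is not part of the original answer: the script reads a classic pcap file, reports whether its link-layer type is one of the 802.11 monitor-mode types, and lists the distinct transmitter addresses seen. The function names and the sample frames are constructed for illustration; pcapng files are not handled.

```python
import struct

# LINKTYPE_ values from the pcap link-layer header type registry.
MONITOR_LINKTYPES = {105: "IEEE802_11", 119: "PRISM_HEADER",
                     127: "IEEE802_11_RADIOTAP", 163: "IEEE802_11_AVS"}
ETHERNET = 1

def summarize_pcap(data: bytes) -> dict:
    """Report whether a classic pcap file holds monitor-mode frames."""
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    # Global header: magic, version major/minor, thiszone, sigfigs, snaplen, network
    network = struct.unpack(endian + "IHHiIII", data[:24])[6]
    linktype = network & 0xFFFF  # upper bits may carry FCS information
    transmitters, frames, offset = set(), 0, 24
    while offset + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[offset:offset + 16])[2]
        frame = data[offset + 16:offset + 16 + caplen]
        offset += 16 + caplen
        frames += 1
        if linktype == 127 and len(frame) >= 4:
            rt_len = struct.unpack("<H", frame[2:4])[0]  # radiotap is little-endian
            dot11 = frame[rt_len:]
            if len(dot11) >= 16:  # simplification: long enough to carry addr2
                transmitters.add(dot11[10:16].hex(":"))
        elif linktype == ETHERNET and len(frame) >= 12:
            transmitters.add(frame[6:12].hex(":"))
    return {"linktype": linktype, "monitor_mode": linktype in MONITOR_LINKTYPES,
            "frames": frames, "transmitters": sorted(transmitters)}

def constructed_sample() -> bytes:
    """Constructed two-frame radiotap capture (not real traffic)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 127)
    peer = b"\x02\x00\x00\x00\x00\xaa"
    for tx in (b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02"):
        radiotap = bytes([0, 0, 8, 0, 0, 0, 0, 0])  # minimal 8-byte header
        dot11 = b"\x08\x00\x00\x00" + peer + tx + peer + b"\x00\x00"
        frame = radiotap + dot11
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    print(summarize_pcap(constructed_sample()))
```

A result with `monitor_mode` false and an Ethernet link type means the capture was taken without monitor mode in effect, whatever the checkbox said.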