but it did not decrypt the traffic

There is a sample file here that is known to work; I suggest trying this one before attempting your specific test case. There are also specific requirements that you will need to fulfill to obtain a capture that is decryptable, such as obtaining all four EAPOL frames from device authentication; this is all in the link.

I want to change the mode into monitor mode ... I lose the connection to my WLan

Yes, this is best practice. I would not recommend capturing in monitor mode and using the WLAN adapter in managed mode at the same time. There is unusual behavior here that you will have to chase; you can search this site and you will find others who try to do it. Use monitor mode on the Linux host to capture a DIFFERENT device communicating with the AP, and practice on this traffic.

If you feel you must capture and use the adapter at the same time, you want to use the iw command to create a virtual interface. You would create a monitor mode interface in this case.

The prototype from my version:

iw phy <phyname> interface add <name> type <type> [mesh_id <meshid>] [4addr on|off] [flags <flag>*] [addr <mac-addr>]
                Add a new virtual interface with the given configuration.
                Valid interface types are: managed, ibss, monitor, mesh, wds.

                The flags are only used for monitor interfaces, valid flags are:
                none:     no special flags
                fcsfail:  show frames with FCS errors
                control:  show control frames
                otherbss: show frames from other BSSes
                cook:     use cooked mode
                active:   use active mode (ACK incoming unicast packets)
                mumimo-groupid <GROUP_ID>: use MUMIMO according to a group id
                mumimo-follow-mac <MAC_ADDRESS>: use MUMIMO according to a MAC address
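
The requirement above that a decryptable capture contain all four EAPOL frames can be checked by classifying each EAPOL-Key frame from its Key Information bits. This is an added example, not part of the original answer: it assumes a WPA2 (RSN) handshake and takes raw EAPOL payloads starting at the version byte; the function names and the sample frames are constructed for illustration.

```python
import struct

# Key Information bits of an EAPOL-Key frame (IEEE 802.11 key descriptor).
PAIRWISE, INSTALL, ACK, MIC, SECURE = 0x0008, 0x0040, 0x0080, 0x0100, 0x0200
MIN_LEN = 99  # 4-byte EAPOL header + 95-byte key descriptor without key data


def handshake_message(eapol: bytes):
    """Return 1-4 for a WPA2 4-way handshake message, else None."""
    if len(eapol) < MIN_LEN or eapol[1] != 3:     # EAPOL packet type 3 = Key
        return None
    (info,) = struct.unpack_from(">H", eapol, 5)  # follows descriptor type byte
    if not info & PAIRWISE:                       # group key handshake, not 4-way
        return None
    ack, mic = bool(info & ACK), bool(info & MIC)
    if ack and not mic:
        return 1
    if ack and mic:
        return 3 if info & INSTALL else None
    if mic:
        return 4 if info & SECURE else 2
    return None


def missing_messages(frames):
    """List the handshake message numbers absent from an iterable of frames."""
    seen = {handshake_message(f) for f in frames}
    return [n for n in (1, 2, 3, 4) if n not in seen]


def sample_frame(info: int, pkt_type: int = 3) -> bytes:
    """Constructed test frame: zeroed nonce, IV, RSC, MIC; no key data."""
    body = struct.pack(">BHH", 2, info, 16) + bytes(88) + struct.pack(">H", 0)
    return struct.pack(">BBH", 2, pkt_type, len(body)) + body


if __name__ == "__main__":
    # Constructed capture: message 4 was not recorded.
    capture = [sample_frame(0x008A), sample_frame(0x010A), sample_frame(0x13CA)]
    print("missing handshake messages:", missing_messages(capture))
```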