 | 1 | initial version |
but it did not decrypt the traffic
There is a sample file here that is known to work - suggest to try this one before attempting your specific test case. There are also specific requirements that you will need to fulfill to obtain a capture that is decryptable, such as obtaining all four EAPOL frames from device authentication; this is all in the link.
I want to change the mode into monitor mode ... I lose the connection to my WLan
Yes, this is best practice. I would not recommend capturing on monitor mode and using the WLAN adapter in managed mode at the same time. There is unusual behavior here that you will have to chase; you can search this site and you will find others who try to do it. Use monitor mode on the Linux host to capture a DIFFERENT device communicating to the AP, and practice on this traffic.
If you feel you must capture and use the adapter at the same time, you want to use the iw command to create a virtual interface. You would create a monitor mode interface in this case.
The prototype from my version:
iw phy <phyname> interface add <name> type <type> [mesh_id <meshid>] [4addr on|off] [flags <flag>*] [addr <mac-addr>]
Add a new virtual interface with the given configuration.
Valid interface types are: managed, ibss, monitor, mesh, wds.
The flags are only used for monitor interfaces, valid flags are:
none: no special flags
fcsfail: show frames with FCS errors
control: show control frames
otherbss: show frames from other BSSes
cook: use cooked mode
active: use active mode (ACK incoming unicast packets)
mumimo-groupid <GROUP_ID>: use MUMIMO according to a group id
mumimo-follow-mac <MAC_ADDRESS>: use MUMIMO according to a MAC address
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.