Ask Your Question
0

HTTP packet not showing in monitor mode (rtl8812au)

asked 2019-09-01 17:38:14 +0000

ScreenName gravatar image

Hello there,

I'm trying to demonstrate the network sniffing of an HTTP connection.

I have a RTL8812AU (USB wireless adapter).

I set it to monitor mode, and I verified it IS applied when capturing packets.

I also set the WEP key and enabled the decryption, so Wireshark can decrypt the packets.

When capturing the traffic, I DO SEE the normal traffic going on (unencrypted). But it looks like not all HTTP traffic is correctly captured (I used another device, connected to the same access point to access http websites).

I see sometimes some HTTP packet, but most of them or .PNG/.GIF/Javascript/CSS files. I just have seen once a HTTP 200 OK in html. Most of the trafic is not showing up. And I did test different HTTP websites, with different devices, all connected to the access point.

My question is: how is it possible that only some HTTP packets get captured? I also installed the driver (realtek-rtl88xxau-dkms) on my Kali machine. Wireshark version and Kali version are the latest.

Any help would greatly be appreciated! Regards.

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by » oldest newest most voted
0

answered 2019-09-02 00:18:50 +0000

Bob Jones gravatar image

The wifi adapter has to be able to pick up the test traffic; the performance envelope has to be as big, or bigger, than the test traffic when it comes to things like spacial streams, bandwidth, MCS Index, and other details like guard interval, LDPC encoding, and distance from the transmitter.

This really applies to the higher modulations (i.e. datarates) that data frames use (usually QoS Data) - control and management traffic is usually sent at low modulations so is easily picked up.

So why do see some, but not all? The transmit datarate is not fixed; there is a selection algorithm to choose the encoding and datarate of any given frame. It is usually up to the max, but the poorer the communications (say signal to noise ratio, etc) the lower the datarate. So I suspect the frames you do see are sent at non-maximum datarates. The rest are sent outside of the performance envelope of your capture system so you miss these frames. However, you probably still see the control frames associated with these, anyway, like ACKs/BlockACKs, CTS/RTS, etc.

The rtl8812 and 8814 USB chipsets seem to have a problem picking up frames sent with a bandwidth greater than 20MHz. Even though they seem to support it at the software level, I can't get either one to pick up 40 or 80MHz frames, though the 8814au tested will do 3SS and LDPC, but must be 20MHz. This could be a configuration issue but my other adapters work with the same setup, so perhaps you are seeing the same thing: the highest datarate frames are missed by the adapter. You should not have any 80MHz traffic on 2.4GHz, and even 40MHz is not good for any type of large, professional installation. You did not say what band you are working on.

To try and pick them all up, limit your bandwidth to 20MHz either at the AP or client side, as a start. Get closer to the transmitter, and have various capture adapters to test with.

Also, the industry moved away from WEP, I don't know, maybe 15 years ago? WEP can be cracked in minutes... I hope this is a test. If not, seriously, time to update long ago.

Funny, though, often APs need to use AES (through WPA2) and WMM to get maximum performance. So a real WEP selection would limit datarates making it much easier to pick up traffic. So something does not seem right - this conflicts with my explanation. But you have not provided enough information to definitely determine the full communications profile to know for sure what is wrong.

edit flag offensive delete link more

Comments

That was a very useful and interesting answer! Big thanks to you.

I was working on 2.4Ghz, and yes WEP is only for the example.

I guess the wireless adaptor I use is probably "too cheap" to pick up higher frequencies frames... That would also mean that some pictures (or static content in general) are transmitted with lower frenquencies?

I'm not sure I can limit the bandwidth on my installation, but I guess I will go for another adapter (I have seen that the aircrack wiki doesn't even mention anywhere the chipset I'm using...).

Thank you again for your help and have a nice day.

ScreenName gravatar imageScreenName ( 2019-09-02 07:53:17 +0000 )edit

As an additional question, how do I limit the bandwitdh at the client side (Kali)? Thank you.

ScreenName gravatar imageScreenName ( 2019-09-02 22:15:03 +0000 )edit

If the client is Linux, you may have to use wpa_supplicant manually to force what you want. I don’t know if NetworkManager can do it. Look for disable_ht40 parameter in the config file. There are plenty of google references to using this by hand, only suggestion is to disable network manager first so it stops trying out to take control.

Bob Jones gravatar imageBob Jones ( 2019-09-02 22:44:43 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2019-09-01 17:38:14 +0000

Seen: 1,404 times

Last updated: Sep 02 '19

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2