mac capture monitor-mode empty
I have a network with 2 nodes (a phone and a MacBook), both connected to the same wireless network. I know the SSID and password for the wireless network:
- password: mypassword
- ssid: myssid
- security: WPA2 Personal
My Capture Interface Settings (Wi-Fi: en0):
- default buffer size: 2 MB
- link layer header type: 802.11 plus radiotap header
- monitor mode: checked
- promiscuous mode: checked
My Wireshark Preferences (under Protocols > IEEE 802.11):
- Reassemble fragmented 802.11 datagram packets: checked
- ignore vendor specific HT elements: unchecked
- call subdissector for retransmitted 802.11 frames: checked
- assume packets have FCS: unchecked
- Ignore the protection bit: Yes with IV
- Enable WPA Key MIC Length Override: unchecked
- WPA Key MIC Length override: 0
- Enable decryption: checked
- decryption keys:
- key type: wpa-pwd
- key: mypassword:myssid
I start capturing, but unlike in this post: https://osqa-ask.wireshark.org/questi... I'm not able to get any packets! If I make a call to http://foobar.com from my MacBook, nothing gets listed. I would expect Wireshark to be able to pick that up.
I've also tried to:
- turn my phone off and back on to reconnect to the network
- make an HTTP request to foobar.com
But this didn't log anything either.
I have no filters present. I've also checked out https://wiki.wireshark.org/CaptureSet... and https://wiki.wireshark.org/HowToDecry..., but I must be missing something.
Any thoughts on what could be going wrong? Is there any more information that I can provide?
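As an added illustration (not code from the original thread): once monitor mode actually delivers frames, this is what the "802.11 plus radiotap header" link type hands the dissector. The Python below decodes the radiotap header (including the flags bit that tells the dissector whether an FCS is appended, the same question the "assume packets have FCS" preference answers when radiotap is absent) and the 802.11 MAC header of two constructed frames; the BSSID, station MACs, channel, rate and signal values are made up, only the SSID "myssid" comes from the question. A capture that reports 0 packets never reaches this stage.

```python
import struct
# Radiotap present-bit -> (alignment, size) for the fields this example decodes.
RT_FIELDS = {0: (8, 8), 1: (1, 1), 2: (1, 1), 3: (2, 4), 4: (2, 2), 5: (1, 1), 6: (1, 1)}

def parse_radiotap(buf):
    # Returns (decoded radiotap fields, offset where the 802.11 frame starts).
    version, _pad, it_len, present = struct.unpack_from("<BBHI", buf, 0)
    if version != 0 or it_len > len(buf):
        raise ValueError("not a radiotap header")
    fields, off, word = {}, 8, present
    while word & (1 << 31): word = struct.unpack_from("<I", buf, off)[0]; off += 4  # extended bitmaps
    for bit in (b for b in range(31) if present & (1 << b)):  # fields follow bit order
        if bit not in RT_FIELDS:
            raise ValueError(f"unsupported radiotap field bit {bit}")
        align, size = RT_FIELDS[bit]
        off = (off + align - 1) // align * align  # each field is naturally aligned
        raw = buf[off:off + size]; off += size
        if bit == 1: fields["has_fcs"] = bool(raw[0] & 0x10)  # flags: 0x10 = FCS appended
        elif bit == 2: fields["rate_mbps"] = raw[0] / 2  # rate is in 500 kb/s units
        elif bit == 3: fields["freq_mhz"] = struct.unpack("<HH", raw)[0]
        elif bit == 5: fields["signal_dbm"] = struct.unpack("<b", raw)[0]
    return fields, it_len

def parse_80211(frame):
    # Decodes the 802.11 MAC header; for beacons also extracts the SSID element.
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 3, fc0 >> 4
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    info = {"type": {0: "mgmt", 1: "ctrl", 2: "data"}.get(ftype, "ext"), "subtype": subtype,
            "to_ds": bool(fc1 & 0x01), "from_ds": bool(fc1 & 0x02), "protected": bool(fc1 & 0x40),
            "addr1": mac(frame[4:10]), "addr2": mac(frame[10:16]), "addr3": mac(frame[16:22])}
    if ftype == 0 and subtype == 8:  # beacon: 12 fixed bytes, then tagged elements
        body, i = frame[24:], 12
        while i + 2 <= len(body):
            tag, ln = body[i], body[i + 1]
            if tag == 0: info["ssid"] = body[i + 2:i + 2 + ln].decode(errors="replace")
            i += 2 + ln
    return info

def dissect(buf):
    rt, off = parse_radiotap(buf)
    frame = buf[off:-4] if rt.get("has_fcs") else buf[off:]  # strip FCS only if flagged
    return {**rt, **parse_80211(frame)}

# Constructed sample frames (not captured): TSFT, flags(FCS), rate 6 Mb/s, ch 6, -55 dBm.
RT = struct.pack("<BBHIQBBHHb", 0, 0, 23, 0x2F, 1234567, 0x10, 12, 2437, 0x0480, -55)
BSSID = bytes.fromhex("020000aabbcc")
BEACON = (RT + bytes([0x80, 0, 0, 0]) + b"\xff" * 6 + BSSID + BSSID + b"\x10\x00"
          + struct.pack("<QHH", 0, 100, 0x0411) + bytes([0, 6]) + b"myssid" + b"\0" * 4)
DATA = (RT + bytes([0x08, 0x41, 0, 0]) + BSSID + bytes.fromhex("0200001122aa")
        + bytes.fromhex("020000334455") + b"\x20\x00" + b"\0" * 16 + b"\0" * 4)
```

Calling dissect(BEACON) yields the SSID and channel from the beacon, while dissect(DATA) shows a protected (encrypted) data frame, which is what the wpa-pwd key in the preferences is meant to decrypt once frames are being captured at all.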
What happens if you run
tcpdump -i en0 -I
? Does it print anything?
$ tcpdump -i en0 -I
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 262144 bytes
It just kinda hung after that last line. Should it have printed something?
When I cancel it, it says: 0 packets captured, 0 packets received by filter, 0 packets dropped by kernel
Same problem for me. Brand new MacBook Pro 15" with Wireshark 3.0.6. I can capture without the tap header (useless), but no packets at all when monitor mode is used in Wireshark and also no packets when using tcpdump as asked above. Could this be a permissions issue (just speculating)?
What happens if you hold down "Option" and click on the Wi-Fi icon in the menu bar, select "Open Wireless Diagnostics" from the menu, and:
Does the Wi-Fi icon in the menu bar show the usual curved bars, or does it show a grey area with an eye-shaped white area at the top, with the white area containing a black dot looking like the pupil of the eye-shaped area?
It's unlikely to be a permissions mode on the BPF devices - tcpdump would have quickly reported a permissions error in that case.
Ok, the shortcut to Sniffer mode worked, but I couldn't find a way to get out of it again - apart from a complete restart :-D
Any tips - and any idea why Wireshark doesn't handle this on its own? This works without a hitch on my older MacBook Pro running an older OS version....