Ask Your Question
0

mac capture monitor-mode empty

asked 2019-10-24 05:37:28 +0000

dlin gravatar image

I have a network, which has 2 nodes (a phone, a MacBook) both are connected to same wireless network, I know the SSID and password for the wireless network:

  • password: mypassword
  • ssid: myssid
  • security: WPA2 Personal

My Capture Interface Settings: (Wi-Fi: en0)

  • default buffer size 2 MB
  • link layer header type: 802.11 plus radiotap header
  • monitor mode: checked
  • promiscuous mode: checked

My Wireshark - Preferences (Under Protocols > IEEE 802.11)

  • Reassemble fragmented 802.11 datagram packets: checked
  • ignore vendor specific HT elements: unchecked
  • call subredisetor for retransmitted 802.11 frames: checked
  • assume packets have FCS: unchecked
  • Ignore the protection bit: Yes with IV
  • Enable WPA Key MIC Length Overrride: unchecked
  • WPA Key MIC Length override: 0
  • Enable decryption: checked
  • decryption keys:
    • key type: wpa-pwd
    • key: mypassword:myssid

I start capture mode, but unlike this post: https://osqa-ask.wireshark.org/questi... I'm not able to get any packets! If I make a call to http://foobar.com from my macbook, nothing gets listed. I would expect Wireshark to be able to pick that up.

I've also tried to:

  1. turn my phone and turn back on to reconnect to the network

  2. make an HTTP request to foobar.com

But this didn't log anything either

I have no filters present. I've also checked out https://wiki.wireshark.org/CaptureSet... and https://wiki.wireshark.org/HowToDecry..., but I must be missing something.

Any thoughts on what could be going wrong? Is there any more information that I can provide?

edit retag flag offensive close merge delete

Comments

What happens if you run tcpdump -i en0 -I? Does it print anything?

Guy Harris gravatar imageGuy Harris ( 2019-10-24 17:41:13 +0000 )edit

$ tcpdump -i en0 -I

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on en0, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 262144 bytes

It just kinda hung after that last line, Should it have printed something?

When I cancel it it says 0 packets captured, 0 packets received by filter, 0 packets dropped by kernel

dlin gravatar imagedlin ( 2019-10-25 04:05:54 +0000 )edit

Same problem for me. Brand new MacBook Pro 15" with Wireshark 3.0.6. I can capture without the tap header (useless), but no packets at all when monitor mode is used in Wireshark and also no packets when using tcpdump as asked above. Could this be a permissions issue (just speculating)?

NJL gravatar imageNJL ( 2019-11-26 16:22:17 +0000 )edit

What happens if you hold down "Option" and click on the Wi-Fi icon in the menu bar, select "Open Wireless Diagnostics" from the menu, and:

  • don't click "Continue" in the "Wireless Diagnostics" window, but, instead, click "Window" in the menu bar and select "Sniffer";
  • click "Start" in the Sniffer window.

Does the Wi-Fi icon in the menu bar show the usual curved bars, or does it show a grey area with an eye-shaped white area at the top, with the white area containing a black dot looking like the pupil of the eye-shaped area?

Guy Harris gravatar imageGuy Harris ( 2019-11-26 20:00:23 +0000 )edit

Could this be a permissions issue (just speculating)?

It's unlikely to be a permissions mode on the BPF devices - tcpdump would have quickly reported a permissions error in that case.

Guy Harris gravatar imageGuy Harris ( 2019-11-26 20:07:57 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-11-27 17:58:22 +0000

Guy Harris gravatar image

any idea why Wireshark doesn't handle this on it's own?

Probably because Apple, in their infinite perversity, changed something, so that there's another step in the "turn monitor mode on" dance that Wireless Diagnostics is performing but libpcap (which is what both tcpdump and Wireshark rely on to turn monitor mode on) isn't performing, or so that there's some extra entitlement, which Apple gave to Wireless Diagnostics, required to turn on monitor mode.

This works without a hitch on my older MacBook Pro running an older OS version....

It might be an issue with drivers for newer Wi-Fi adapters.

edit flag offensive delete link more

Comments

OK, what happens if you do

sudo tcpdump -i en0 -I

and enter your password when it prompts for a password?

Guy Harris gravatar imageGuy Harris ( 2019-11-27 18:15:37 +0000 )edit

Thanks for the suggestion, but unfortunately it doesn't work either. The "native" Apple way of enabling sniffer mode works, so I'll probably just use that going forward although it's not optimal. Do you happen to know how to get out of sniffer mode and "back" into the normal Wifi-functionality? I had to do a full restart in order to fix it, as turning Wifi off and back on didn't help and I cannot find anything where you can undo the sniffer mode....

NJL gravatar imageNJL ( 2019-11-27 19:40:36 +0000 )edit

It's not "The "native" Apple way of enabling sniffer mode", it's "the trickery that wifivelocityd does when it's asked to run tcpdump". If it happens to let processes other than the tcpdump fired off by wifivelocityd capture in monitor mode as well, that's just a side effect.

Do you happen to know how to get out of sniffer mode and "back" into the normal Wifi-functionality?

No. I'm finding this all out by poking at my system to try to figure out what Wireless Diagnostics is doing specially. If running the sniffer from Wireless Diagnostics puts the adapter into monitor mode and leaves it there, that's an Apple bug (probably by the Airport driver people, because it doesn't do that on my older machine), and you'll have to report the bug via Feedback Assistant - you'll probably have to open an Apple developer ...(more)

Guy Harris gravatar imageGuy Harris ( 2019-11-27 19:49:48 +0000 )edit

BTW, what the Wireless Diagnostics sniffer does is run tcpdump, with whatever special magic wifivelocityd does, writing pcap files to /var/tmp. Unless there's something that can be done to replicate that special magic - discovering that will probably involve some time-consuming reverse engineering, and maybe Apple's Lockdown Police will try to disable it once it's discovered - that may be your only way to do monitor mode sniffing on your machine.

Guy Harris gravatar imageGuy Harris ( 2019-11-27 19:53:09 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-10-24 05:37:28 +0000

Seen: 4,071 times

Last updated: Nov 27 '19