Ask Your Question
0

Can I capture internet traffic between an AP and a connected wireless device when in monitor mode?

asked 2020-01-06 10:36:56 +0000

codecowboy gravatar image

updated 2020-01-06 10:38:36 +0000

I have my wifi interface in monitor mode, I can capture 802.11 protocol packets. If I set a capture filter to filter traffic on port 443 and then refresh an https site on a mobile device, I don't see any packets.

Is it only possible to show management / control data between an AP and a client when in monitor mode?

I'm using Wireshark 3.2.0 on MacOS Catalina.

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-01-06 15:05:12 +0000

Amato_C gravatar image

updated 2020-01-06 16:50:26 +0000

grahamb gravatar image

I would recommend reading the following 2 wiki pages regarding WiFi capturing using Wireshark:

https://wiki.wireshark.org/CaptureSet...

https://wiki.wireshark.org/HowToDecry...

Questions:

  1. Is the data encrypted on WiFi? If yes, you should see Data and/or QoS Data frames in your capture.
  2. Are you able to decrypt the data? You will need the SSID and WiFi passphrase. You will also need to capture the 4 EAPOL keys - assuming that personal WiFi encryption is being used.
  3. If after decryption, can you see any HTTP/HTTPS traffic?

If you are trying to capture traffic from a particular WiFi client, it might be better to create a capture filter to capture only frames to/from that device.

Hope that helps

edit flag offensive delete link more

Comments

Thanks for your answer. In the first instance, I just wanted to know if it should be possible to capture data traffic between two devices on a wireless network to which I am not currently connected (because the adapter is in monitor mode). The first link seems to say that on MacOS, only non-data frames can be captured

codecowboy gravatar imagecodecowboy ( 2020-01-06 16:17:06 +0000 )edit

Sorry, I have never captured WiFi traffic using a Mac. But you should be able to capture data traffic between 2 devices via WiFi in monitor mode. I am not certain if there are any special commands that are needed to configure the adapter to monitor mode, configure the adapter to a specific WiFi channel (i.e., the channel that is being used between the 2 devices), and then start the capture.

For Linux, you must set the adapter to monitor mode then set the WiFi channel to capture the wanted traffic

Amato_C gravatar imageAmato_C ( 2020-01-06 17:22:53 +0000 )edit
1

If you have a Mac, try this tool for helping prep the adapter for capture:

https://www.adriangranados.com/apps/a...

The first link seems to say that on MacOS, only non-data frames can be captured

I interpret the link different - you will only get non-data frames if you are in monitor mode. If you just turn on a capture to the interface without monitor mode first, you will get fake Ethernet frames and none of the 802.11 control and management traffic will be present.

Bob Jones gravatar imageBob Jones ( 2020-01-06 20:27:20 +0000 )edit

I interpret the link different - you will only get non-data frames if you are in monitor mode.

Your interpretation is correct.

Guy Harris gravatar imageGuy Harris ( 2020-01-07 01:48:36 +0000 )edit

Thanks all. After investigating a bit further, I think the data frames are being captured and explicitly setting the channel with airport -c seems to help but I'm not 100% sure. Having been used to passing traffic through a proxy and being able to see individual http requests and responses, the captured packets are quite alien to me. I'm guessing that the encrypted data frames will contain that information; protocol, headers, contents of POST requests etc

codecowboy gravatar imagecodecowboy ( 2020-01-07 07:45:39 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2020-01-06 10:36:56 +0000

Seen: 2,755 times

Last updated: Jan 06 '20

Related questions

Wireless controls are not supported in this version of wireshark

Data packets not captured

Computer compromised through Steam personal/financial information stolen HELP [closed]

How to switch Mac OS NIC to monitor mode during use internet

Wireshark noticed Error always when pcap file captured from wireless diagnostics app in MacBook Pro is opened

only seeing acks with tshark

Does wireshark show the number of MPDUs in a A-MPDU?

get active users from pcap file

How to fix "The capture session could not be initiated on interface" (You don't have permission to capture on that device)

Forcing Mac OS X to reconnect in monitor mode

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2