Ask Your Question
0

Packet lost while monitoring a Wifi connection

asked 2020-01-09 13:24:35 +0000

Charly gravatar image

updated 2020-01-10 10:35:47 +0000

Hi, I have a VNC connection between one of our devices (1) and my computer (2). From time to times the VNC display would freeze for a few second. I suspect some lost of packets on the Wifi (signal strength is not very high).
So I setup another computer (3) to spy on the exchange. On that computer (3) with Wireshark and promiscuous mode (I filter the capture with the tcp port). My problem is that I received only 2 frames in about 10 minutes (While I see dozens per second on the computer(2)). Can someone explain that big a difference ?
On the spying computer (3), if I remove the filter and restart the capture in monitoring mode, I can see a lot of exchanges (protocol 802.11) between my computer (2) and the device (1). How come, I can see the exchange on 802.11 but not TCP/IP ?

edit:

  • The Wifi is opened, i.e. there's no encryption.
  • Both computers (2) and (3) can ping device (1) -- (although after I start a capture in monitor mode ping stops)
  • Both computers (2) and (3) use channel 1
    $ iwlist wlan0 channel | grep "Current"
    Current Frequency:2.412 GHz (Channel 1)
  • I did a capture in monitor mode without filter. It's a tiny bit better. I can monitor the traffic for about 1s. And then nothing, even though the VNC connection between the device (1) and the computer (2) is still active. And when I stop and restart the VNC connection on computer (2) I receive another batch of frames (~100) in the first second and then nothing. This does not make sense to me.
  • When I stop the capture in monitor mode, I get an error "Unknown message from dumpcap, try to show it as a string: Can't restore interface wlan0 wireless mode (SIOCSIWMODE failed: Operation not permitted). Please adjust manually."
edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-01-09 15:00:15 +0000

Amato_C gravatar image

You need to be capturing in Monitor mode on the "spying computer", your device #3 listed above. See the link below and read the difference between promiscuous and monitor mode:

https://wiki.wireshark.org/CaptureSet...

Also please verify that you have the "spying computer" to be set to the same WiFi channel as #1 and #2 are utilizing - i.e., the same WiFi channel used by your your WiFi network.

Also, verify that you are decrypting the packets in WiFi. For more information, please read:

https://wiki.wireshark.org/HowToDecry...

My recommendation would be capture the traffic, save the capture, and then decrypt the traffic to see if you have capture the required data. Then you can apply a display filter in Wireshark to view only wanted traffic such as filter only on WLAN MAC address of device #2 and TCP traffic.

Hope that helps

edit flag offensive delete link more

Comments

Thanks for your reply. I edited my question to answer your interrogations.

Charly gravatar imageCharly ( 2020-01-10 10:36:23 +0000 )edit

Some other things to try:

  1. Verify that the driver being used with your WiFi adapter supports monitor mode. I am assuming it does, but I would just verify if there is a more recent version.

  2. I saw a similar post awhile ago. It is 6 years old, so not sure if it will work: https://unix.stackexchange.com/questi...

  3. Use the Linux command "iw dev wlan0 set type monitor" to set the adapter in monitor mode. I am not certain how you are setting your adapter in monitor mode.

  4. You could use dumpcap or tcpdump to capture the traffic then open the capture in Wireshark to analyze.

Hope that helps

Amato_C gravatar imageAmato_C ( 2020-01-10 19:02:15 +0000 )edit

@Amato_C : This old post helped me because airmon-ng tells me to kill some process. And when I kill them it allowes me to turn on monitor mode on another computer where the capture works fine. So I now have a satisfying solution to my problem even though it does not really answer the questions in the post. Thanks a lot

Charly gravatar imageCharly ( 2020-01-13 15:20:34 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2020-01-09 13:24:35 +0000

Seen: 1,306 times

Last updated: Jan 10 '20

Related questions

promiscuous mode windows 10 not working

no data packet except broadcast or multicast

Can I capture WIFI Direct P2p packets?

Cannot find wlan device (monitor mode) in device list / Linux mint

Sniffing (forwarded) wifi packets using promiscuous mode

802.11 Sniffer Capture Analysis deauth packets with wireshark

what is the capture/display filter to get RSSI information of WiFi users?

What is the difference between wlan.duration and wlan_radio.duration

Confused about wifi sniffing

Explanation for Difference in WLAN Captures

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2