no data packet except broadcast or multicast

asked 2018-01-30 06:02:36 +0000


I am capturing with a TP-Link TL-WN722N in monitor mode and promiscuous mode on channel 1 (HT40+) on a wifi n and I don't see any data frames/packets except the ones to broadcast (ff:ff:ff:ff:ff:ff) or multicast (33:33:00:00:00:01, or 01:00:5e:7f:ff:fa) MAC addresses.

I see the control and management frames. No problem there. But for the data frames (type:2, subtype: 0), there are only the ones addressed to the mac above which are broadcast or multicast.

Why? Is there a config or a switch I need to set? Is it a driver or hardware problem?

It is not only with wireshark but with tshark, always on ubuntu 17.10 on a Dell Inspiron 15 3521.

But also with tshark or scapy on a rpi3 running archlinux-arm

Basic question to try to figure out what is happening:

Probe responses are unicast - do you see them? Also 802.11 ACKs are unicast - do you see them? Can you either confirm or refine the problem statement - are you not getting ANY unicast, or is it only Data unicast that you do not get?

Bob Jones ( 2018-01-30 16:35:38 +0000 )

I see unicast Probe Responses and ACKs. I was told that Data frames are not used anymore in wifi n and ac. And effectively, I see QoS data frames growing rapidly when there is traffic. So, it's the answer?

CI9s4vbSz ( 2018-01-30 18:09:51 +0000 )

So, it's the answer? Yes, it most likely is. Many systems won't use 802.11n data rates or higher unless WMM is enabled.

Bob Jones ( 2018-01-30 20:27:17 +0000 )
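The thread ends on the point that unicast traffic shows up as QoS Data (subtype 8) rather than plain Data (subtype 0). The following is an added example, not code from any poster: it decodes the 802.11 Frame Control byte and the group bit of Address 1 so a capture can be tallied by frame class and unicast/group destination. The helper names and the sample frames (raw 802.11 headers without radiotap, using constructed locally administered MACs) are assumptions made for illustration.

```python
from collections import Counter

TYPES = {0: "mgmt", 1: "ctrl", 2: "data"}

def classify(frame: bytes):
    """Return (type, subtype, label, is_group) for a raw 802.11 frame.

    Assumes the radiotap/capture header has already been stripped.
    """
    if len(frame) < 10:
        raise ValueError("need frame control, duration and address 1")
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3       # bits 2-3 of the first FC byte
    subtype = (fc0 >> 4) & 0xF     # bits 4-7 of the first FC byte
    addr1 = frame[4:10]            # receiver address
    is_group = bool(addr1[0] & 0x01)  # I/G bit: broadcast or multicast
    if ftype == 2:
        # Data subtypes 8-15 are the QoS variants (QoS Data, QoS Null, ...)
        label = "qos-data" if subtype & 0x8 else "data"
    else:
        label = TYPES.get(ftype, "ext")
    return ftype, subtype, label, is_group

def tally(frames):
    """Count frames per (label, 'unicast' | 'group')."""
    counts = Counter()
    for f in frames:
        _, _, label, grp = classify(f)
        counts[(label, "group" if grp else "unicast")] += 1
    return counts

def hdr(fc0, addr1, pad=14):
    """Build a constructed header: FC, duration, address 1, zero padding."""
    return bytes([fc0, 0, 0, 0]) + bytes.fromhex(addr1.replace(":", "")) + bytes(pad)

# Constructed sample frames mirroring what the question describes.
SAMPLES = [
    hdr(0x08, "ff:ff:ff:ff:ff:ff"),         # Data (subtype 0), broadcast
    hdr(0x08, "33:33:00:00:00:01"),         # Data (subtype 0), multicast
    hdr(0x88, "02:00:00:00:00:01"),         # QoS Data (subtype 8), unicast
    hdr(0x88, "02:00:00:00:00:02"),         # QoS Data (subtype 8), unicast
    hdr(0x50, "02:00:00:00:00:01"),         # Probe Response, unicast
    hdr(0xD4, "02:00:00:00:00:01", pad=0),  # ACK, unicast
]

if __name__ == "__main__":
    for key, n in sorted(tally(SAMPLES).items()):
        print(key, n)
```

Filtering only on type 2, subtype 0 against these samples leaves just the two group-addressed frames, which is the symptom in the question.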