Ask Your Question

No HTTP protocols in scan results

asked 2018-02-03 15:52:28 +0000

molgera gravatar image

My wireless card is in monitor mode. I am using an open WiFi signal with no WEP or WPA validation. When scanning, most frames have a protocol of 802.11, SSDP, or MDNS, everything seems to remain encoded.

In the terminal, using driftnet on the CAP file created by airodump-ng will return

"warning: link-level next protocol (-13107) is not supported"


"warning: unsupported protocol dataframe (40, 192, 39...)"

I have tried searching for this error online with no success. Does anyone knows why this is happening and if this is something that can be worked around?

edit retag flag offensive close merge delete

1 Answer

Sort by » oldest newest most voted

answered 2018-02-04 12:23:02 +0000

Bob Jones gravatar image

This looks like it is very tool specific to driftnet and perhaps airodump-ng; it has nothing to do with Wireshark. Your best bet is to ask over at the driftnet github site.

You can ask at or as well but not sure how much luck you will have there.

One comment about packet capture - ssdp and mdns are examples of group traffic (i.e. multicast and broadcast). If you want http that is almost invariably unicast. Be sure your packet capture solution fits within the performance envelope of the traffic you want to capture. You don't provide a packet capture example to verify what you are getting, so we can only guess as to what you may or may not be seeing.

edit flag offensive delete link more


If I talked about airodump-ng and driftnet, it is because I thought it was related to my issue. I first tried urlsnarf, dsniff and driftnet without result, before opening the CAP file with WireShark and seeing that I wasn't getting HTTP results.

I followed the tutorials without changing anything, and if I understand your answer, I would be getting group results? Does it depend on the kind of network I am on? Could it mean this particular open network is protected? It is a free open WiFi service that is provided by the residence I live in, and there is another signal that is WPA protected for the staff (I wondered if it was paired somehow, to encrypt the traffic going through the open WiFi, if that's possible).

If you need a screenshot, here is a picture of a direct recording with WireShark ...(more)

molgera gravatar imagemolgera ( 2018-02-04 13:20:45 +0000 )edit

The actual trace is ALWAYS better than a screenshot.

At least we can see that you capture unicast traffic. Still don't know if your capture technique is capable of picking up the data frames you want. We don't know the adapter you are using, it's capabilities, and the capabilities of the network traffic at large. Without specific information, the recommendations are general.

Make sure your capture system can pick up the data frames you are looking for. If required, either upgrade the capture system or downgrade the network until they match. We also don't know for sure that there is actually http traffic in the stream.

I'd look for Data and QoS-Data frames (wlan.fc.type_subtype == 0x20 and 0x28), and see what types of modulations are present in the trace for the network you want (with a bssid filter). At the same time, I would ...(more)

Bob Jones gravatar imageBob Jones ( 2018-02-04 17:41:25 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2018-02-03 15:52:28 +0000

Seen: 195 times

Last updated: Feb 04