
Why does Wireshark not capture any data when in monitor mode on my Mac?

asked 2020-03-27 15:52:46 +0000

Chadwick_37

updated 2020-03-28 03:25:42 +0000

Guy Harris

Before activating the monitor mode, my computer is able to capture the local packets, but after toggling it, I get nothing. The link-layer header is on 802.11 and I've also run the tcpdump -i en0 -I command in the terminal and no packets showed up. I'm not sure if I'm missing something, but I would really appreciate it if someone could help me figure this out.


Comments

Can you add the output of wireshark -v or Help->About Wireshark?
That will show the version you are using and the platform it is running on.

Chuckc (2020-03-27 16:08:08 +0000)

I'm running Wireshark version 3.0.5 on macOS Catalina.

Chadwick_37 (2020-03-27 16:14:51 +0000)

1 Answer


answered 2020-03-27 19:57:15 +0000

Guy Harris

> I've also run the tcpdump -i en0 -I command in the terminal and no packets showed up.

In other words, the answer to your question is the same as the answer to "Why does tcpdump not capture any data when in monitor mode?"

The answer, at least for newer Macs, appears to be "because Apple failed to make monitor mode work normally with Mojave or later on newer machines".

There is the sniffer in Wireless Diagnostics; Option+click the Wi-Fi item in the menu bar, select "Open Wireless Diagnostics...", select the "Sniffer" window from the Windows menu, and start capturing.

Unfortunately, 1) Apple haven't documented what magic they do to make that work (the "sniffer" is tcpdump, but it's apparently handed some Special Privileges to let it capture in monitor mode, and you don't get to, for example, pass a capture filter to it), 2) that appears to disassociate you from whatever wireless network you're on (older Macs could sniff in monitor mode and remain associated; I don't know if that's a hardware or software difference), and 3) I've had trouble reassociating after stopping the capture.

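Added example (not part of the answer above and not Wireshark or tcpdump code): a Python check for a capture saved in classic pcap format, for example with tcpdump -w, that reads the file header's link-layer type and counts packet records, so the state described in the question (802.11 headers selected, no packets) can be told apart from a working monitor-mode capture. The function names and sample bytes are constructed for this example, and pcapng files are not handled.

```python
import struct

# LINKTYPE_ values from the tcpdump.org link-layer header type registry.
LINKTYPES = {1: "ETHERNET", 105: "IEEE802_11", 127: "IEEE802_11_RADIOTAP"}
MONITOR_LINKTYPES = {105, 127}  # raw 802.11 frames, as delivered in monitor mode
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",   # little-endian (usec, nsec)
          b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}   # big-endian (usec, nsec)

def summarize_pcap(data: bytes) -> dict:
    """Report link type and packet count of a classic pcap file image."""
    endian = MAGICS.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    # The last 32-bit word of the 24-byte file header carries the link type
    # in its low 16 bits.
    linktype = struct.unpack(endian + "I", data[20:24])[0] & 0xFFFF
    offset, packets = 24, 0
    while offset + 16 <= len(data):
        # Record header: ts_sec, ts_frac, captured length, original length.
        incl_len = struct.unpack(endian + "I", data[offset + 8:offset + 12])[0]
        if offset + 16 + incl_len > len(data):
            break  # truncated final record, e.g. capture interrupted
        offset += 16 + incl_len
        packets += 1
    is_80211 = linktype in MONITOR_LINKTYPES
    if is_80211 and packets == 0:
        verdict = "802.11 headers selected but no frames delivered"
    elif is_80211:
        verdict = "monitor-mode capture with frames"
    else:
        verdict = "not a monitor-mode capture"
    return {"linktype": LINKTYPES.get(linktype, str(linktype)),
            "packets": packets, "verdict": verdict}

def build_sample(linktype: int, frames: list) -> bytes:
    """Build a little-endian pcap image from constructed frame bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for frame in frames:
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

# Constructed input: an 8-byte radiotap header with no fields, then filler bytes.
RADIOTAP_FRAME = b"\x00\x00\x08\x00\x00\x00\x00\x00" + b"\x80\x00" + bytes(22)

if __name__ == "__main__":
    print(summarize_pcap(build_sample(127, [RADIOTAP_FRAME, RADIOTAP_FRAME])))
    print(summarize_pcap(build_sample(127, [])))  # the symptom in the question
    print(summarize_pcap(build_sample(1, [bytes(60)])))
```

To check a real file, pass its contents: `summarize_pcap(open(path, "rb").read())`.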
