Ask Your Question
0

only seeing acks with tshark

asked 2018-02-08 16:29:29 +0000

anonymous user

Anonymous

I'm sniffing a 5Ghz wifi link with tshark on a macmini, and I'm coming across an odd problem -- when I send data over the link, I can only see the acks, no matter the protocol I use. For ICMP and SSH, I only see a bunch of packets like these:

42   1.143265              → AP_MAC (AP_MAC) (RA) 802.11 39 Acknowledgement, Flags=........C
43   1.145447              → STA_MAC (STA_MAC) (RA) 802.11 39 Acknowledgement, Flags=........C

When I try using iperf, I get something slightly different but still don't see the actual data:

1648   3.261866              → STA_MAC (STA_MAC) (RA) 802.11 39 Clear-to-send, Flags=........C
1649   3.261936 AP_MAC (AP_MAC) (TA) → STA_MAC (STA_MAC) (RA) 802.11 57 802.11 Block Ack, Flags=........C
1650   3.262047              → STA_MAC (STA_MAC) (RA) 802.11 39 Acknowledgement, Flags=........C
1643   3.256366 STA_MAC (STA_MAC) (TA) → AP_MAC (AP_MAC) (RA) 802.11 57 802.11 Block Ack, Flags=........C

All the lower-level protocols show up fine -- I see beacons, etc, perfectly clearly. I'm not using any capture filters (my command is tshark -Ii en1). What's going on here?

edit retag flag offensive close merge delete

1 Answer

Sort by » oldest newest most voted
0

answered 2018-02-08 17:32:55 +0000

Bob Jones gravatar image

I observe this type of behavior most often when the capture capability is not within the envelope of the network capability. For instance, the devices transmitting and receiving are able to communicate using 802.11ac rates, but capture capability is 802.11a only; or the data frames supports LDPC but the sniffer does not, etc. Note that control and management frames use much lower data rates, usually, than data frames, so these are often picked up relatively easily while data frames can be full speed, up to the capability limits (802.11n, 802.11ac, spatial streams, MCS index, et al).

There are other potential root causes, one that comes to mind is trying to capture on the same interface you are communicating on; this usually produces unusual capture results so I do never recommend this. Use a separate adapter to capture.

edit flag offensive delete link more

Comments

Thanks for the prompt response! I'm definitely not communicating on the same interface I'm capturing on, but the capture capability disconnect sounds like it might be in the right direction. Let me see if I can see different results if I rate-limit in different ways.

lihubear gravatar imagelihubear ( 2018-02-08 17:42:11 +0000 )edit

This was exactly the problem, thanks!

lihubear gravatar imagelihubear ( 2018-02-08 18:34:30 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-02-08 16:29:29 +0000

Seen: 953 times

Last updated: Feb 08 '18