# only seeing acks with tshark

Anonymous

I'm sniffing a 5 GHz Wi-Fi link with tshark on a Mac mini, and I'm coming across an odd problem -- when I send data over the link, I can only see the acks, no matter the protocol I use. For ICMP and SSH, I only see a bunch of packets like these:

```
42   1.143265              → AP_MAC (AP_MAC) (RA) 802.11 39 Acknowledgement, Flags=........C
43   1.145447              → STA_MAC (STA_MAC) (RA) 802.11 39 Acknowledgement, Flags=........C
```


When I try using iperf, I get something slightly different but still don't see the actual data:

```
1648   3.261866              → STA_MAC (STA_MAC) (RA) 802.11 39 Clear-to-send, Flags=........C
1649   3.261936 AP_MAC (AP_MAC) (TA) → STA_MAC (STA_MAC) (RA) 802.11 57 802.11 Block Ack, Flags=........C
1650   3.262047              → STA_MAC (STA_MAC) (RA) 802.11 39 Acknowledgement, Flags=........C
1643   3.256366 STA_MAC (STA_MAC) (TA) → AP_MAC (AP_MAC) (RA) 802.11 57 802.11 Block Ack, Flags=........C
```


All the lower-level protocols show up fine -- I see beacons, etc., perfectly clearly. I'm not using any capture filters (my command is `tshark -Ii en1`). What's going on here?


I observe this type of behavior most often when the capture capability is not within the envelope of the network capability. For instance, the devices transmitting and receiving are able to communicate using 802.11ac rates, but capture capability is 802.11a only; or the data frames support LDPC but the sniffer does not, etc. Note that control and management frames use much lower data rates, usually, than data frames, so these are often picked up relatively easily while data frames can be full speed, up to the capability limits (802.11n, 802.11ac, spatial streams, MCS index, et al).

There are other potential root causes; one that comes to mind is trying to capture on the same interface you are communicating on. This usually produces unusual capture results, so I never recommend this. Use a separate adapter to capture.


Thanks for the prompt response! I'm definitely not communicating on the same interface I'm capturing on, but the capture capability disconnect sounds like it might be in the right direction. Let me see if I can see different results if I rate-limit in different ways.

( 2018-02-08 17:42:11 +0000 )

This was exactly the problem, thanks!

( 2018-02-08 18:34:30 +0000 )
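
A quick way to check a capture for the symptom discussed in this thread, as an added example that is not part of the original posts: it lists receiver addresses that get Ack or Block Ack frames although no data frame from them was captured, which points at a sniffer that cannot decode the data rates in use. It assumes the capture was exported with `tshark -r capture.pcap -T fields -e wlan.fc.type_subtype -e wlan.ta -e wlan.ra` (the file name is a placeholder); the MAC addresses and sample lines are constructed, and the function name is hypothetical.

```python
from collections import Counter

# Control frames a receiver sends back after it got a frame addressed to it.
ACK_LIKE = {0x19: "Block Ack", 0x1D: "Ack"}
DATA_TYPE = 2  # 802.11 frame type: 0 management, 1 control, 2 data

# Constructed sample mirroring the capture in the question (MACs are made up).
SAMPLE = "\n".join([
    "0x0008\t02:00:00:00:00:01\tff:ff:ff:ff:ff:ff",  # beacon from the AP
    "0x001d\t\t02:00:00:00:00:01",                   # Ack to the AP
    "0x001d\t\t02:00:00:00:00:02",                   # Ack to the station
    "0x001c\t\t02:00:00:00:00:02",                   # Clear-to-send
    "0x0019\t02:00:00:00:00:01\t02:00:00:00:00:02",  # Block Ack AP -> station
    "0x0019\t02:00:00:00:00:02\t02:00:00:00:00:01",  # Block Ack station -> AP
    "0x0028\t02:00:00:00:00:03\t02:00:00:00:00:01",  # QoS data that was captured
    "0x001d\t\t02:00:00:00:00:03",                   # Ack to that third station
])


def unseen_senders(lines, min_acks=1):
    """Return {mac: ack_count} for addresses acked on air with no captured data."""
    acks_to = Counter()
    data_from = Counter()
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 3:
            continue  # not a three-field export line
        try:
            type_subtype = int(fields[0], 0)  # accepts "0x001d" and "29"
        except ValueError:
            continue
        ta, ra = fields[1].lower(), fields[2].lower()
        if type_subtype in ACK_LIKE and ra:
            acks_to[ra] += 1  # somebody confirmed receiving frames from ra
        elif type_subtype >> 4 == DATA_TYPE and ta:
            data_from[ta] += 1  # the sniffer decoded a data frame from ta
    return {mac: n for mac, n in acks_to.items()
            if n >= min_acks and data_from[mac] == 0}


if __name__ == "__main__":
    for mac, n in unseen_senders(SAMPLE.splitlines()).items():
        print(f"{mac}: {n} acks seen, 0 data frames captured")
```

Acks also follow unicast management frames, so a handful of acks with no data is normal; raise `min_acks` on real captures to keep only the stations that are clearly exchanging traffic the sniffer cannot see.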