Ask Your Question

Where are IP headers in Monitor mode capture?

asked 2018-02-12 11:13:00 +0000

Vindra gravatar image

updated 2018-10-26 17:42:52 +0000

cmaynard gravatar image

Hi, I set my lone network interface of Mac_air to Promiscous and Monitor mode at the same time. I could surf Internet while network being in the above mode. But the traffic captures show most packets had the following header hierarchy: Data -> IEEE 802.11 -> 802.11 radio info -> Radiotap header -> Frame.

Where are IP and TCP headers gone?


edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2018-02-12 13:27:59 +0000

sindy gravatar image

They are all there but encrypted. For each client-AP "session" you want to decrypt, you need to know the passphrase and capture the four EAPOL packets. When you give this information to Wireshark in the right way, it will automatically decrypt those radio frames for which it has the necessary information and show you the IP and above layers dissected.

edit flag offensive delete link more


And see the "How to decrypt 802.11" page on the Wireshark Wiki.

Guy Harris gravatar imageGuy Harris ( 2018-02-12 18:00:43 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2018-02-12 11:13:00 +0000

Seen: 1,139 times

Last updated: Feb 12 '18