No Data Packets in Monitor Mode Capture

asked 2020-08-26 23:49:32 +0000

Struedel

updated 2020-08-28 13:43:14 +0000

I've seen this question a few times before, but none of the posted solutions solved my issue. I can see Probes, Beacons, Acknowledgements, Request-to-Sends, Clear-to-Sends, and null data frames, but no non-null data.

I am running Wireshark on Kali Linux attempting to sniff wireless traffic. I have the following setup:

Capture Device:

Kali Linux LiveBoot USB

OS: Kali 2020.3 - SMP Debian 5.5.17-1 kali1 (2020-04-21) x86_64

NIC: Panda PAU09-RaLink RT5572 - Driver: rt2800usb as wlan0

Wireshark 3.2.3

AP - Raspberry Pi 4 running Raspbian

I configured hostapd to use my Raspberry Pi as an access point. It is set to run 802.11g with no security. The setup on my sniffing system has been:

ifconfig wlan0 down
iwconfig wlan0 mode Monitor
ifconfig wlan0 up

Start Wireshark, check the monitor mode checkbox, restart Wireshark, and then begin capture. On the client Pi I am connected to the AP and running a script that periodically curls the Apache server on the AP.

Debugging done so far:

  • Use Ubuntu VM instead of Kali Liveboot
  • Create wlan0mon interface with airmon-ng and listen on that instead (using sudo airmon-ng start to create the virtual interface wlan0mon and used that as my listening interface in Wireshark)
  • Connect to AP after putting device into Monitor mode (which I think just switched the interface to Managed as I was then only able to see my traffic)
  • Tried different target devices (iPhone, Windows 10 desktop)
  • Adjusted channel settings through Wireshark's wireless toolbar to match the channel my AP is broadcasting on (7)
  • Tried different AP (my home router rather than one I configured myself) and done basic web browsing

Any help or ideas would be greatly appreciated, I am not sure why this isn't working.


Comments

I also have this problem, but using macOS Catalina. I was trying to capture Wi-Fi packets on macOS Catalina, but unfortunately no captured packets are shown. I followed the recommended guide for installing Wireshark on macOS Catalina and installed it along with "Install ChmodBPF" from the link (https://www.wireshark.org/docs/wsug_h...), but it is not working. I compared it with my Windows machine with the same configuration, and that one works for capturing live Wi-Fi packets.

What do I have to do to make it work? Any help is really appreciated with this matter.

Thanks,

brunmart (2020-08-28 18:57:19 +0000)

Search on Catalina and several similar questions/answers are available. No good answers.
This one is probably the most recent.

Chuckc (2020-08-28 19:34:57 +0000)

In macOS Mojave and later (the problem predates Catalina), at least some Wi-Fi adapters on newer machines cannot capture if they're associated to a Wi-Fi network, so you have to disconnect from the network if you want to capture in monitor mode. I don't know whether this is a hardware problem or a driver problem (driver design decision?).

The Linux problem discussed here may not be related.

Guy Harris (2020-08-28 21:10:08 +0000)

Yes, you are right that you need to disconnect from the network to be able to sniff the packets. There is a Network Diagnostic app in macOS Catalina that gives you a .pcap file that can be opened with Wireshark. But compared to the Windows machine, live capture in Wireshark gives, I think, better info. But until now I am still looking for a solution regarding this matter. Thanks for the response, Guy.

brunmart (2020-08-29 18:11:28 +0000)

I have this exact problem. Environment is Kali, just installed 2 days ago and updated. I have mesh routers and a second Wi-Fi router. I have searched, and, well, I stop the network connection, or boot with no connection. I use airmon-ng start wlan0 to start monitor mode. I am sudoed to root to run Wireshark. I start capturing on wlan0mon, the monitor mode interface created by airmon-ng.

All I see are beacons and sometimes broadcasts. I have tried connecting to my non-mesh router, have double-checked the channel, I see the beacons from that router, I put another device on the same Wi-Fi, start pinging, and all I see are the beacons and some spanning tree stuff.

I don't see the ARP stuff, I don't see the pings. I tried actually connecting to this interface and I get through without an issue, 67% signal strength so it ...

Shellhopper (2020-11-01 07:26:48 +0000)

2 Answers


answered 2020-08-28 19:23:47 +0000

Bob Jones

A sample trace file of what you are seeing would be a big help. For example, it can be used to quickly rule out many basic things that may or may not be an issue - but no way to know for sure without looking.

Otherwise, I can only provide general guidance, as there are many things that could be affecting this: for example, looking for Data frames when QoS Data frames are in use; sniffing on the wrong channel; being too far away; trying to capture with a USB adapter inside a VM; using the adapter at the same time in both managed and monitor mode; trying to capture high data-rate frames with a less-capable adapter; the list goes on.

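The first item in the answer above, looking for "Data" frames when the client is actually sending "QoS Data" frames, is easy to check mechanically. The script below is an added example written for this page, not code from the original question, the answers, or the Wireshark project. It reads a classic pcap (link type 105 raw 802.11, or 127 radiotap) with only the Python standard library, decodes the 802.11 Frame Control field of every frame, tallies frames by type/subtype, and counts how many are Data or QoS Data, i.e. data frames that carry a payload, as opposed to Null and QoS Null frames, which have subtype bit 2 set and carry none. It also refuses captures whose link type is not 802.11, which is what you get when the interface silently fell back to managed mode. The two sample captures are constructed in code and are not real traces; the frame mix in SYMPTOM mirrors the question, HEALTHY adds QoS Data.

```python
"""Tally 802.11 frame types in a pcap to check whether payload-carrying data frames were captured."""
import struct
import sys
from collections import Counter

LINKTYPE_IEEE802_11 = 105           # raw 802.11 frames, no radiotap header
LINKTYPE_IEEE802_11_RADIOTAP = 127  # 802.11 frames preceded by a radiotap header

TYPE_NAMES = {0: "Mgmt", 1: "Ctrl", 2: "Data", 3: "Ext"}
SUBTYPE_NAMES = {
    (0, 4): "Probe Request", (0, 5): "Probe Response", (0, 8): "Beacon",
    (0, 11): "Authentication", (0, 12): "Deauthentication",
    (1, 9): "Block Ack", (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK",
    (2, 0): "Data", (2, 4): "Null", (2, 8): "QoS Data", (2, 12): "QoS Null",
}


def frame_control(fc_byte0):
    """Split the first Frame Control byte into (protocol version, type, subtype)."""
    return fc_byte0 & 0x3, (fc_byte0 >> 2) & 0x3, (fc_byte0 >> 4) & 0xF


def carries_payload(ftype, subtype):
    """True for Data/QoS Data; False for Null/QoS Null (subtype bit 2 = 'no data')."""
    return ftype == 2 and not (subtype & 0x4)


def iter_frames(pcap_bytes):
    """Yield the 802.11 portion of each record in a little-endian classic pcap."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap_bytes, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap (magic 0x%08x)" % magic)
    if linktype not in (LINKTYPE_IEEE802_11, LINKTYPE_IEEE802_11_RADIOTAP):
        raise ValueError("link type %d is not 802.11; was the interface really in monitor mode?" % linktype)
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap_bytes, off)
        off += 16
        pkt = pcap_bytes[off:off + incl_len]
        off += incl_len
        if linktype == LINKTYPE_IEEE802_11_RADIOTAP:
            rt_len = struct.unpack_from("<H", pkt, 2)[0]  # radiotap it_len, little-endian
            pkt = pkt[rt_len:]
        if pkt:
            yield pkt


def tally(pcap_bytes):
    """Return ({frame name: count}, number of frames that carry a data payload)."""
    counts, payload = Counter(), 0
    for pkt in iter_frames(pcap_bytes):
        _, ftype, subtype = frame_control(pkt[0])
        name = SUBTYPE_NAMES.get((ftype, subtype), "%s subtype %d" % (TYPE_NAMES[ftype], subtype))
        counts[name] += 1
        if carries_payload(ftype, subtype):
            payload += 1
    return dict(counts), payload


def make_frame(ftype, subtype, body_len=24):
    """Build a constructed 802.11 frame with the given type/subtype and zeroed addresses."""
    fc0 = (subtype << 4) | (ftype << 2)
    return bytes([fc0, 0x00]) + b"\x00" * (body_len - 2)


def build_pcap(frames, linktype=LINKTYPE_IEEE802_11_RADIOTAP):
    """Assemble a classic pcap from raw frames (constructed test data, not a real capture)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)  # minimal 8-byte radiotap header, no fields
    for i, fr in enumerate(frames):
        pkt = (radiotap if linktype == LINKTYPE_IEEE802_11_RADIOTAP else b"") + fr
        out += struct.pack("<IIII", 1598486400 + i, 0, len(pkt), len(pkt))
        out += pkt
    return bytes(out)


# Constructed: the frame mix the question describes (management, control, null data only).
SYMPTOM = build_pcap([
    make_frame(0, 8), make_frame(0, 4), make_frame(1, 11, 16), make_frame(1, 12, 10),
    make_frame(1, 13, 10), make_frame(2, 4), make_frame(2, 12, 26),
])
# Constructed: the same kind of mix plus QoS Data, which WMM-capable clients send instead of plain Data.
HEALTHY = build_pcap([make_frame(0, 8), make_frame(2, 8, 80), make_frame(2, 8, 80), make_frame(1, 13, 10)])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SYMPTOM
    counts, payload = tally(data)
    for name, n in sorted(counts.items()):
        print("%-18s %d" % (name, n))
    print("frames carrying a data payload:", payload)
```

Run it against a capture saved in classic pcap format rather than the pcapng that Wireshark 3.x writes by default, e.g. `tshark -i wlan0mon -F pcap -w cap.pcap`. If the payload count is zero while QoS Null, RTS/CTS and ACK frames for the client's MAC are present, the adapter is on the right channel and hearing the client, so the problem is not channel or range; the same distinction in a Wireshark display filter is `wlan.fc.type == 2` for all data frames versus `wlan.fc.type_subtype == 0x28` for QoS Data only.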

answered 2020-08-27 02:29:04 +0000

Guy Harris

Have you tried turning monitor mode on using the shiny new mac80211 way? See the Linux section of the "monitor mode capture" page in the Wireshark Wiki; search for the part that starts with

The easiest way to manually turn monitor mode on or off for an interface is with the airmon-ng script in aircrack-ng; your distribution may already have a package for aircrack-ng.

and then describes command sequences to use with airmon-ng and to use if you don't have airmon-ng.


Comments

I have already tried this. I used sudo airmon-ng start wlan0, which then created wlan0mon, which I then used as my listening interface in Wireshark. I should have been more clear, but that was what I meant in my debugging step #2.

Struedel (2020-08-28 13:38:24 +0000)
