Wireshark can't pick up EAPOL packets from my adapter

asked 2020-10-18 13:41:05 +0000

After starting Wireshark I go to the capture options, make sure that promiscuous mode is enabled and start capturing from the WiFi adapter. I also make sure I have the password entered in the decryption keys menu. I can only see packets either directed at my device or broadcasted. After restarting the device I want to sniff, and filtering the packets with eapol, I get 0 results. What could be the reason? Do I need any additional setup?

Hardware and software:
Wireshark 3.2.7
Linux Manjaro 5.9
WiFi adapter TP-Link TL-WN772N with an AR9271 chipset, driver ath9k_htc


Comments

Have you looked into the difference between promiscuous mode and monitor mode?

Jaap ( 2020-10-18 16:16:05 +0000 )

From what I understood, monitor mode didn't try to fake an Ethernet but instead fed Wireshark the 802.11 frames with metadata like signal strength

adamski234 ( 2020-10-18 16:43:24 +0000 )

In order to see the EAPOL handshake between a device and your access point, you have to get the device to start an EAPOL handshake, as per the "Gotchas" section of the Wireshark Wiki's "How to Decrypt 802.11" page. This will probably require that you make other devices on your network deassociate from your network and then reassociate, e.g. by putting them to sleep and waking them up again.

Guy Harris ( 2020-10-18 20:05:41 +0000 )

From what I understood, monitor mode didn't try to fake an Ethernet but instead fed Wireshark the 802.11 frames with metadata like signal strength

And, on Wi-Fi networks, unlike promiscuous mode it captures traffic to and from machines other than the machine doing the capture. (I.e., promiscuous mode usually doesn't work on Wi-Fi.)

Guy Harris ( 2020-10-18 20:07:26 +0000 )
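
The promiscuous versus monitor mode distinction discussed in the comments is visible in a saved capture, so here is an added example (not code from the thread or from the Wireshark project) that reads a capture file, reports whether it carries 802.11 headers or a fake Ethernet header, and counts EAPOL frames. It assumes a classic microsecond pcap file rather than pcapng; the function names and the sample frames are constructed for illustration.

```python
import struct

# pcap LINKTYPE_ values: the header type the capture interface delivered.
LINKTYPES = {1: "Ethernet", 105: "802.11", 127: "802.11 + radiotap"}
SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP + EtherType 0x888E

def is_eapol(linktype, pkt):
    """True if the frame carries EAPOL (EtherType 0x888E)."""
    if linktype == 1:                           # "fake Ethernet" header
        return pkt[12:14] == b"\x88\x8e"
    if linktype == 127:                         # skip radiotap; length is LE u16 at offset 2
        if len(pkt) < 4:
            return False
        pkt = pkt[struct.unpack_from("<H", pkt, 2)[0]:]
    if len(pkt) < 2 or (pkt[0] >> 2) & 3 != 2:  # only 802.11 data frames carry EAPOL
        return False
    hdr = 24 + (2 if pkt[0] & 0x80 else 0)      # QoS subtypes add a 2-byte QoS control
    hdr += 6 if pkt[1] & 3 == 3 else 0          # ToDS+FromDS adds a fourth address
    return pkt[hdr:hdr + 8] == SNAP_EAPOL

def diagnose(data):
    """Summarise a classic pcap: link type, 802.11 headers present, EAPOL count."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype = struct.unpack_from(end + "I", data, 20)[0] & 0xFFFF
    off, frames, eapol = 24, 0, 0
    while off + 16 <= len(data):                # 16-byte record header, then caplen bytes
        caplen = struct.unpack_from(end + "I", data, off + 8)[0]
        frames += 1
        eapol += is_eapol(linktype, data[off + 16:off + 16 + caplen])
        off += 16 + caplen
    return {"linktype": LINKTYPES.get(linktype, str(linktype)),
            "monitor": linktype in (105, 127), "frames": frames, "eapol": eapol}

def make_pcap(linktype, frames):
    """Build a little-endian classic pcap in memory (constructed sample data)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed frames: 8-byte radiotap + QoS data header + EAPOL, and an Ethernet IPv4 frame.
RADIOTAP = bytes.fromhex("0000080000000000")
EAPOL_FRAME = RADIOTAP + bytes([0x88, 0x02]) + bytes(24) + SNAP_EAPOL + bytes.fromhex("0203005f")
ETH_IPV4 = bytes(12) + b"\x08\x00" + bytes(20)

if __name__ == "__main__":
    print(diagnose(make_pcap(127, [EAPOL_FRAME])))  # monitor-mode style capture
    print(diagnose(make_pcap(1, [ETH_IPV4])))       # promiscuous-mode style capture
```

A result with `monitor` false means the adapter delivered Ethernet-style frames, which matches the symptom in the question of seeing only the capturing machine's own and broadcast traffic.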