Ask Your Question
0

Can't capture data packets from unencrypted Wifi network in monitor mode

asked 2020-11-10 03:31:46 +0000

dddddddd207 gravatar image

I can't capture data packets from an unencrypted Wifi network while in monitor mode.

I have my phone set up as a unencrypted 2.4GHz hotspot, and my laptop's built-in adapter connected to it. I'm running Fedora 33 kernel 5.8, and iw dev says that it's on channel 11. I have a USB WIFI adapter plugged into my laptop in monitor mode (as confirmed by iw dev) and tuned to channel 11. I can see lots of management packets from both my hotspot and nearby Wifi APs, but I can see very few packets that are anything but Wifi, and most of those are ICMP or ARP. Although, I'm pinging 8.8.8.8 successfully the whole time and don't see that in the trace at all. I can't see any actual data packets like HTTP requests at all.

I've set monitor mode with iw $IFACE set monitor control, and I can't select the monitor mode checkbox in Wireshark on this interface: it unchecks itself immediately if I try. (Also if I try to check the monitor mode checkbox on my built-in adapter Wireshark segfaults and I drop a few packets from my ping.)

I can't find any relevant information about this: searching for these symptoms returns results for either Windows (I'm on Linux) or for encrypted networks, and I'm on an unencrypted network explicitly to rule that out. Any ideas?

Example trace. Note that my laptop's adapter's MAC is b4:ae:2b:d5:86:a2, my USB Wifi card's is fe:70:8e:b4:16:a0, and my phone's is 94:65:2d:2c:aa:79.

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-11-10 12:05:21 +0000

Bob Jones gravatar image

I am able to pickup some data frames with this filter:

wlan.addr == 94:65:2d:2c:aa:79 and wlan.fc.type_subtype in {0x20 0x28}

I note that the signal is really hot - you might want to move your capture interface away from the two communicating interfaces. If capturing and communicating on the same system, this will obviously be difficult (so capture on a different platform that can be moved).

edit flag offensive delete link more

Comments

@bob-jones what is "really hot" (in case someone comes across this in the future)

Chuckc gravatar imageChuckc ( 2020-11-10 18:22:42 +0000 )edit

Signal strength is very high.

Bob Jones gravatar imageBob Jones ( 2020-11-10 18:39:10 +0000 )edit

Hm, this might be the issue. I haven't been able to test this reliably but from plugging the USB adapter in to my desktop and walking down the hall with my laptop it does seem that I can, ironically, receive better with a weaker signal. It's still very inconsistent, but I'm going to try a better testing method tomorrow.

dddddddd207 gravatar imagedddddddd207 ( 2020-11-11 04:05:22 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-11-10 03:31:46 +0000

Seen: 831 times

Last updated: Nov 10 '20