
Problem getting traffic on wifi network between smartphone and printer on a Mac - monitor mode problem

asked 2021-02-15 22:23:49 +0000

Katerina

I am trying to use Wireshark to capture traffic on a wifi between my smartphone and a wireless printer. It has worked fine (but with difficulty) on an older MacBook Air I was using. However, when I install the latest Wireshark 3.4.3 on my new MacBook Air running Big Sur, the en0 set with promiscuous mode and monitor mode checked, I see nothing. Unchecking the monitor mode shows my MacBook communicating with the wifi. Checking monitor mode gives me no packets. If I manually airport -z and then airport a specific channel (or run Wireless Diagnostics and put the sniffer on that specific channel), I see the packets of the smartphone but that's it. Nothing coming back to the smartphone from the printer. Also the packets are all wifi, whereas in the past, I was able to see IPP and other types of packets. I am wondering what I am doing wrong. Please help. Thanks much in advance.


1 Answer


answered 2021-02-17 05:02:43 +0000

Guy Harris

> my new MacBook Air

There's your problem.

> the en0 set with promiscuous mode and monitor mode checked, I see nothing.

Newer MacBook models apparently have AirPort adapters that can't run in monitor mode when they're associated with a network; Apple apparently "helpfully" "protect" users from disconnecting from their network by having monitor mode, when selected the normal way, capture any traffic. The sniffer in Wireless Diagnostics disconnects from all networks and then fires up tcpdump with the -I flag, so that it puts the adapter in monitor mode.

> unchecking the monitor mode shows my MacBook communicating with the wifi.

That's just getting packets to and from the adapter; as it's not in monitor mode, that's all you'll see.

(And you won't get 802.11 headers or radio information, you'll get fake Ethernet headers; the only way to get 802.11 headers and radio information is to capture in monitor mode.)

> if I manually airport -z and then airport a specific channel (or run wireless diagnostics and put the sniffer on that specific channel), I see the packets of the smartphone but that's it. nothing coming back to the smartphone from the printer.

That's odd. You probably have an access point on your network, with all network traffic going through the access point, in which case the packets would go from the smartphone to the access point and the access point sends them to the printer, or they would go from the printer to the access point and the access point sends them to the smartphone.

(I captured in monitor mode on my recent MacBook Pro (which has the same issue), and had another Mac ping my iPhone, and the capture appears to show both the ping going from the Mac to the access point and the same ping going from the access point to the phone (I didn't set up the capture to have the initial "EAPOL handshakes" for the Mac and the iPhone, so I couldn't get Wireshark to decrypt them). So you would probably see both of those packets.)

If your access point is using multiple channels, and the phone is using one channel and the printer is using another channel, and you're capturing on the first channel, you wouldn't see traffic between the access point and the printer. However, you should see traffic between the access point and the phone - including the replies from the printer being sent from the access point.

How are you determining whether the traffic involves the smartphone or the printer? If you're looking at MAC addresses, check the destination and source addresses; a packet that was sent from the printer to the access point, intended to go to the smartphone, will have the printer's MAC address as the source and transmitter address, will have the phone's MAC address as the destination address, and will have the access point's MAC address as the receiver ... (more)
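The address roles described in the answer above follow from the To DS / From DS bits in the 802.11 frame control field. The following is an added example, not part of the original answer: it parses the MAC header of a data frame (radiotap header assumed already stripped) and labels receiver, transmitter, destination and source. The MAC addresses and frames are constructed for illustration.

```python
# Added example: map 802.11 data-frame Address 1-4 to RA/TA/DA/SA roles.
# All MAC addresses and frames below are constructed sample values.

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_data_frame_addresses(frame: bytes) -> dict:
    """Return the address roles of an 802.11 data frame (no radiotap header)."""
    if len(frame) < 24:
        raise ValueError("shorter than a 24-byte 802.11 MAC header")
    if (frame[0] >> 2) & 0x3 != 2:          # frame control: type 2 = data
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(frame[1] & 0x01), bool(frame[1] & 0x02)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    # Address 1 is always the receiver, Address 2 always the transmitter.
    roles = {"to_ds": to_ds, "from_ds": from_ds, "ra": mac(a1), "ta": mac(a2)}
    if to_ds and from_ds:                   # four-address (WDS/mesh) frame
        if len(frame) < 30:
            raise ValueError("four-address frame is missing Address 4")
        roles.update(da=mac(a3), sa=mac(frame[24:30]))
    elif to_ds:                             # station -> access point
        roles.update(bssid=mac(a1), sa=mac(a2), da=mac(a3))
    elif from_ds:                           # access point -> station
        roles.update(da=mac(a1), bssid=mac(a2), sa=mac(a3))
    else:                                   # ad hoc / direct
        roles.update(da=mac(a1), sa=mac(a2), bssid=mac(a3))
    return roles

def build_header(to_ds: bool, from_ds: bool, a1: str, a2: str, a3: str) -> bytes:
    """Build a constructed 24-byte data-frame header for the demo."""
    flags = (0x01 if to_ds else 0) | (0x02 if from_ds else 0)
    addrs = b"".join(bytes.fromhex(a.replace(":", "")) for a in (a1, a2, a3))
    # frame control (data, subtype 0) + flags, duration, addresses, seq ctl
    return bytes([0x08, flags]) + b"\x00\x00" + addrs + b"\x00\x00"

PHONE, PRINTER, AP = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:aa"

# Leg 1: printer -> access point, final destination is the phone.
UPLINK = build_header(True, False, AP, PRINTER, PHONE)
# Leg 2: access point -> phone, original source is the printer.
DOWNLINK = build_header(False, True, PHONE, AP, PRINTER)

if __name__ == "__main__":
    for name, frame in (("printer->AP", UPLINK), ("AP->phone", DOWNLINK)):
        print(name, parse_data_frame_addresses(frame))
```

Both legs carry the printer as source and the phone as destination; only the receiver and transmitter change, so filtering on source/destination alone does not tell which leg was captured.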


Comments

Not getting any EAPOL if I filter for it. I see the channel only traffic indeed, just the phone to the router and not to the printer or vice versa. I need to capture IPP packets, nothing of the sort is showing. I do have the decryption key in there as well. But I don't see anything in terms of IPP coming back to the phone. What if I could manually force the printer to be in the same channel as the phone?

Katerina ( 2021-02-17 13:21:06 +0000 )

If I booted Linux on the machine, would I be having the same issues with the wireless monitoring mode as it would be the same card or are the problems just in the OS? What do you think?

Katerina ( 2021-02-17 13:22:59 +0000 )


Stats

Asked: 2021-02-15 22:23:49 +0000

Seen: 1,560 times

Last updated: Feb 17 '21