Wireshark missing TCP frames the airodump captures
Hello, I am trying to use Wireshark as a 3rd party device to capture TCP packets between two other devices. These two devices are communicating on an OPEN protocol wifi network. I am running Kali Linux with a TP-LINK usb network adapter. I am using the Aircrack rtl8812au drivers installed from this Github repository. https://github.com/aircrack-ng/rtl8812au
I have configured my wireless network to monitor mode
wlan0 unassociated ESSID:"" Nickname:"<WIFI@REALTEK>"
Mode:Monitor Frequency=2.452 GHz Access Point: Not-Associated
Sensitivity:0/0
Retry:off RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality=0/100 Signal level=0 dBm Noise level=0 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0
I then used airodump-ng to capture packets on this interface filtered by channel and BSSID. Opening the .cap file generated by airodump in Wireshark I am able to see some of the TCP traffic between the two devices. This verifies that my hardware setup will indeed let me capture TCP traffic between the devices in monitor mode.
My issue is that when I try to do the capture in Wireshark on the wlan0 interface I only see 802.11 protocol packets such as 802.11 Block Ack, Clear-to-send, Request-to-send, etc., but I don't see any of the TCP data packets.
Is there specific configuration in wireshark I need to do to capture these TCP frames?
If airodump can see them, Wireshark should too. Add some better display filtering - filter by MAC addresses to reduce the noise in the capture and keep looking; there are ways to make this break but really no way to tell with this limited information. You could have disabled LLC or tcp dissectors, or set a capture filter, or be on the wrong channel, or...
You should be able to run airodump and Wireshark at the same time; I would expect the same frames to then be available to both tools.
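Block Ack, CTS and RTS are all 802.11 control frames (frame type 1); TCP only ever appears inside data frames (type 2), so a capture that shows only the former has no data frames to dissect, whatever Wireshark's TCP dissector is doing. The script below is an added example, not code from the question or the answer: it reads a classic pcap (bare 802.11 or radiotap link type, as airodump-ng and a monitor-mode Wireshark capture both write), counts frames by type, and picks out the data frames between two stations, which is the same check as the Wireshark display filter `wlan.fc.type == 2 && wlan.addr == A && wlan.addr == B`. The sample capture, the station addresses and the AP address are constructed for the example. Run it against both the airodump .cap and the Wireshark capture of the same interval to see whether the data frames are missing from the file or merely hidden by a filter.

```python
import struct
from collections import Counter

# Link types (pcap LINKTYPE registry) that carry raw 802.11 frames.
LINKTYPE_IEEE802_11 = 105           # bare 802.11 MAC header first
LINKTYPE_IEEE802_11_RADIOTAP = 127  # radiotap pseudo-header, then 802.11

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211(frame):
    """Return (type, subtype, addresses) from the start of an 802.11 MAC header."""
    fc0 = frame[0]                 # frame control byte 0: version | type | subtype
    ftype = (fc0 >> 2) & 0x3
    subtype = fc0 >> 4
    # addr1 is always present; CTS (12) and ACK (13) end there, other control
    # frames (RTS, BAR, Block Ack) add addr2, management/data carry addr1..addr3.
    if ftype == 1 and subtype in (12, 13):
        n_addr = 1
    elif ftype == 1:
        n_addr = 2
    else:
        n_addr = 3
    addrs = [mac_str(frame[4 + 6 * i: 10 + 6 * i]) for i in range(n_addr)]
    return ftype, subtype, addrs


def parse_pcap(blob):
    """Parse a classic pcap (not pcapng) into one dict per 802.11 frame."""
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", blob[20:24])[0]
    if linktype not in (LINKTYPE_IEEE802_11, LINKTYPE_IEEE802_11_RADIOTAP):
        raise ValueError(f"link type {linktype} is not an 802.11 capture (monitor mode off?)")
    frames, off = [], 24
    while off + 16 <= len(blob):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", blob[off:off + 16])
        pkt = blob[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if linktype == LINKTYPE_IEEE802_11_RADIOTAP:
            rt_len = struct.unpack("<H", pkt[2:4])[0]  # radiotap length is always LE
            pkt = pkt[rt_len:]
        ftype, subtype, addrs = parse_80211(pkt)
        frames.append({"type": FRAME_TYPES.get(ftype, "reserved"),
                       "subtype": subtype, "addrs": addrs})
    return frames


def count_by_type(frames):
    """Frame-type histogram: a capture with no 'data' entries cannot contain TCP."""
    return Counter(f["type"] for f in frames)


def data_frames_between(frames, mac_a, mac_b):
    """Same selection as wlan.fc.type == 2 && wlan.addr == mac_a && wlan.addr == mac_b."""
    return [f for f in frames
            if f["type"] == "data" and mac_a in f["addrs"] and mac_b in f["addrs"]]


# ---- constructed sample capture (locally administered addresses, not a real trace) ----
DEV_A, DEV_B, AP = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:01"
RADIOTAP = b"\x00\x00\x08\x00\x00\x00\x00\x00"  # version 0, length 8, no fields present


def control(subtype, ra, ta=None):
    # Control frames are truncated after the addresses; the parser needs nothing more.
    hdr = bytes([(subtype << 4) | (1 << 2), 0]) + b"\x00\x00" + mac_bytes(ra)
    return hdr + (mac_bytes(ta) if ta else b"")


def qos_data(ra, ta, da, payload):
    hdr = bytes([(8 << 4) | (2 << 2), 0]) + b"\x00\x00"  # QoS Data, To/From DS clear
    return hdr + mac_bytes(ra) + mac_bytes(ta) + mac_bytes(da) + b"\x00\x00\x00\x00" + payload


def build_pcap(packets, linktype=LINKTYPE_IEEE802_11_RADIOTAP):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, p in enumerate(packets):
        out += struct.pack("<IIII", 1600000000 + i, 0, len(p), len(p)) + p
    return out


LLC_SNAP = b"\xaa\xaa\x03" + b"\x00" * 20   # placeholder payload, stands in for IP/TCP
SAMPLE = build_pcap([
    RADIOTAP + control(11, DEV_B, DEV_A),         # RTS  A -> B
    RADIOTAP + control(12, DEV_A),                # CTS  B -> A
    RADIOTAP + qos_data(AP, DEV_A, DEV_B, LLC_SNAP),  # data A -> B via AP
    RADIOTAP + control(9, DEV_A, DEV_B),          # Block Ack B -> A
    RADIOTAP + qos_data(AP, DEV_B, DEV_A, LLC_SNAP),  # data B -> A via AP
])

if __name__ == "__main__":
    frames = parse_pcap(SAMPLE)
    print(dict(count_by_type(frames)))
    print(len(data_frames_between(frames, DEV_A, DEV_B)), "data frames between A and B")
```

To use it on a real file replace `SAMPLE` with `open("capture.cap", "rb").read()`. If the airodump file reports data frames and the Wireshark file of the same interval reports none, the difference is in how Wireshark was capturing (channel, capture filter, interface mode), not in dissection; if both show data frames but Wireshark's packet list does not, the problem is a disabled LLC/IP/TCP dissector or a display filter.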