Wireshark missing TCP frames the airodump captures

asked 2021-03-05 15:19:41 +0000

rsawler gravatar image

updated 2021-03-05 15:23:48 +0000

Hello, I am trying to use Wireshark as a 3rd party device to capture TCP packets between two other devices. These two devices are communicating on an OPEN protocol wifi network. I am running Kali Linux with a TP-LINK usb network adapter. I am using the Aircrack rtl8812au drivers installed from this Github repository. https://github.com/aircrack-ng/rtl8812au

I have configured my wireless network to monitor mode

wlan0     unassociated  ESSID:""  Nickname:"<[email protected]>"
      Mode:Monitor  Frequency=2.452 GHz  Access Point: Not-Associated   
      Sensitivity:0/0  
      Retry:off   RTS thr:off   Fragment thr:off
      Encryption key:off
      Power Management:off
      Link Quality=0/100  Signal level=0 dBm  Noise level=0 dBm
      Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
      Tx excessive retries:0  Invalid misc:0   Missed beacon:0

I then used airodump-ng to capture packets on this interface filtered by channel and BSSID. Opening the .cap file generated by airodump in wireshark I am able see some of the TCP traffic between the two devices. This verifies that my hardware setup will indeed let me capture TCP traffic between the devices in monitor mode.

My issue is when I try to do the capture in wireshark on the wlan0 interface I only see 802.11 protocol packets such as 802.11 Block Ack, Clear-to-send, Request-to-send, etc... but I don't see any of the TCP data packets.

Is there specific configuration in wireshark I need to do to capture these TCP frames?

edit retag flag offensive close merge delete

Comments

If airodump can see them, Wireshark should too. Add some better display filtering - filter by MAC addresses to reduce the noise in the capture and keep looking; there are ways to make this break but really know way to tell with this limited information. You could have disabled LLC or tcp dissectors, or set a capture filter, or be on the wrong channel, or...

You should be able to run airodump and wireshark at the same time; I would expect that the same frames then be available to both tools.

Bob Jones gravatar imageBob Jones ( 2021-03-05 17:44:14 +0000 )edit