Only one SSID in Monitor Mode

asked 2021-11-13 07:10:20 +0000

CrimpOn

My attempt to capture WiFi management frames on my mesh WiFi network continues. One router and two satellites with both primary and Guest networks. A total of 6 WiFi access points (2.4G and 5G on three units) broadcasting two SSIDs on each (primary and Guest). Was expecting to capture about 5-10 beacon frames for each SSID, for each channel, and for each access point. A total of between 150 and 300 beacon frames per minute.

Wlanhelper on Windows 10 was not able to set the 5G WiFi adapter to monitor mode and the channel to 48, so I switched to Mint Linux 20.2 (based on Ubuntu), using two Panda PAU09 USB adapters. (I have posted in the Npcap forum and will be happy to give this a try again on Windows if someone on that forum has a suggestion.)

Am able to collect management frames from all six WiFi access points, but observe that there are beacon frames for only the primary SSID. Beacon frames for the guest SSID are not captured. The guest SSID is active. I can connect to it and get internet. Guest WiFi must be transmitting beacon frames.

My goal is to observe what happens to the mesh system when the router is rebooted or the entire system reboots (such as after a power failure). Surely I am not the first person to capture WiFi management frames with Wireshark. If someone could provide a hint, it would be really helpful.

Comments

There are multiple things that could be wrong but since there is no trace provided to review, we really can’t rule any of them out.

You may be using filters that are incorrect, or perhaps you have multi bssid enabled (https://www.intuitibits.com/2021/08/2...).

Bob Jones ( 2021-11-13 16:43:28 +0000 )

1 Answer

answered 2021-11-13 21:16:23 +0000

CrimpOn

Totally correct. Further examination shows that each access point is using different MAC addresses for the primary and guest WiFi channels. Amazing that you went straight to it.

In order to filter out misc. 'stuff', I have a capture filter defined which has now grown to include 12 MAC addresses. Is Wireshark able to have different capture filters on each WiFi adapter?

And thank you again for responding.

Comments

Check the -f option on the Wireshark man page or The “Capture Options” Dialog Box in the GUI.

Chuckc ( 2021-11-13 23:48:01 +0000 )
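
The finding in this answer (each access point uses a different MAC address for its primary and guest SSID) can be checked directly from captured beacons. The following is an added example, not part of the original thread: it parses radiotap-encapsulated beacon frames, groups BSSIDs by SSID, and builds a pcap capture filter per SSID of the kind that can be given with `-f` after each `-i`. The frames, MAC addresses, SSID names and function names are constructed for the demo.

```python
import struct
from collections import defaultdict

def make_beacon(bssid, ssid, fc0=0x80):
    """Constructed radiotap + 802.11 management frame (demo input only)."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)             # version, pad, length, present
    hdr = bytes([fc0, 0, 0, 0]) + b"\xff" * 6 + mac + mac + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)   # timestamp, interval, caps
    tags = bytes([3, 1, 48, 0, len(ssid)]) + ssid.encode()  # DS channel 48, then SSID
    return radiotap + hdr + fixed + tags

def parse_beacon(frame):
    """Return (bssid, ssid) for a beacon, or None for any other frame."""
    if len(frame) < 4:
        return None
    rt_len = struct.unpack_from("<H", frame, 2)[0]          # radiotap length, little-endian
    dot11 = frame[rt_len:]
    if len(dot11) < 36 or dot11[0] != 0x80:                 # mgmt type 0, subtype 8 = beacon
        return None
    bssid = ":".join(f"{b:02x}" for b in dot11[16:22])      # address 3 carries the BSSID
    pos = 36                                                # 24-byte header + 12 fixed bytes
    while pos + 2 <= len(dot11):
        tag, length = dot11[pos], dot11[pos + 1]
        body = dot11[pos + 2 : pos + 2 + length]
        if len(body) < length:
            break                                           # truncated element
        if tag == 0:                                        # SSID element
            return bssid, body.decode("utf-8", "replace")
        pos += 2 + length
    return bssid, None

def bssids_by_ssid(frames):
    seen = defaultdict(set)
    for parsed in filter(None, map(parse_beacon, frames)):
        seen[parsed[1]].add(parsed[0])
    return {ssid: sorted(macs) for ssid, macs in seen.items()}

def capture_filter(bssids):
    """pcap filter matching beacons from the given BSSIDs (for use with -f)."""
    return "type mgt subtype beacon and (" + " or ".join(f"wlan addr3 {m}" for m in bssids) + ")"

# Constructed sample: two units, each with its own BSSID per SSID, plus one probe response.
SAMPLE = [make_beacon("02:00:00:00:00:01", "Primary"), make_beacon("06:00:00:00:00:01", "Guest"),
          make_beacon("02:00:00:00:00:02", "Primary"), make_beacon("06:00:00:00:00:02", "Guest"),
          make_beacon("02:00:00:00:00:01", "Primary", fc0=0x50)]

if __name__ == "__main__":
    for ssid, macs in bssids_by_ssid(SAMPLE).items():
        print(ssid, "->", capture_filter(macs))
```

A MAC-based capture filter built only from the primary BSSIDs drops every guest beacon, which matches the symptom described in the question.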

Stats

Asked: 2021-11-13 07:10:20 +0000

Seen: 579 times

Last updated: Nov 13 '21