Cannot capture or decrypt some protocols in monitor mode with wireshark

2022-01-02

ck07

First off, I put my network adapter into monitor mode and captured a handshake. From Edit > Preferences > Protocols > IEEE 802.11, I added my decryption keys properly and started sniffing the traffic. The problem is that I can decrypt ARP and some UDP traffic along with some other protocols I'm not familiar with, but I don't see any DNS, HTTP or TCP packets when I apply the necessary filters. I googled around a bit on that and found that it might be possible that I'm not even able to capture TCP and DNS packets at all.

The problem is either that I can't decrypt the TCP packets (which I don't think is the case, since I can decrypt other protocols), or that I can't even receive any TCP traffic. Does anyone have an idea as to how to solve this issue? If it's that I can't even capture these packets, how can I fix it? Thank you in advance.

2022-01-02

Bob Jones

Likely you are able to capture and decrypt low-modulation frames, such as group traffic (i.e. multicast and broadcast) from the AP. However, you are missing the highly modulated unicast traffic with high data rates. Proximity to the test traffic can have an impact, too.

The solution is either to get a capture system that can pick up all the traffic, or to reduce the capability of the WiFi system so that the capture system can pick it up.

Thank you so much. That explains it really well. I guess I need to buy another card that supports 802.11ac right?

ck07 (2022-01-03)

Likely, yes.

Bob Jones (2022-01-03)
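As an added check (example code written for this page, not from the thread or from Wireshark), the following pure-Python script classifies radiotap-prefixed 802.11 frames by receiver address and PHY rate, so the diagnosis in the answer above can be confirmed on a capture: beacons, ARP and multicast present but no unicast data frames at all means the adapter is not demodulating the AP's unicast rates. The frame bytes, MAC addresses and function names are constructed for the demo, and the parser assumes the radiotap header carries only the Flags and Rate fields ahead of the rate byte.

```python
import struct
from collections import Counter

# Radiotap "present" bits this parser handles. Assumption: no other field (e.g. TSFT) precedes Rate;
# real captures may differ, in which case a full radiotap parser is needed.
RT_FLAGS, RT_RATE = 1 << 1, 1 << 2

def parse_radiotap(frame: bytes):
    """Return (legacy PHY rate in Mbit/s or None, 802.11 frame after the radiotap header)."""
    _ver, _pad, rt_len, present = struct.unpack_from('<BBHI', frame, 0)
    off, rate = 8, None
    if present & RT_FLAGS:           # u8 Flags field sits before Rate
        off += 1
    if present & RT_RATE:            # u8 rate in units of 500 kbit/s
        rate = frame[off] / 2
    return rate, frame[rt_len:]

def classify(frame: bytes) -> dict:
    """Frame type plus whether the receiver address (addr1) is broadcast, multicast or unicast."""
    rate, dot11 = parse_radiotap(frame)
    ftype = ('mgmt', 'ctrl', 'data', 'ext')[(dot11[0] >> 2) & 0x3]
    addr1 = dot11[4:10]              # addr1 follows frame control (2) + duration (2)
    dest = 'broadcast' if addr1 == b'\xff' * 6 else 'multicast' if addr1[0] & 1 else 'unicast'
    return {'type': ftype, 'dest': dest, 'rate_mbps': rate}

def summarize(frames):
    """Count frames per (type, dest) and record the highest PHY rate seen per dest."""
    counts, peak = Counter(), {}
    for c in map(classify, frames):
        counts[(c['type'], c['dest'])] += 1
        if c['rate_mbps'] is not None:
            peak[c['dest']] = max(peak.get(c['dest'], 0), c['rate_mbps'])
    return counts, peak

def diagnose(frames) -> str:
    """Group-addressed data with no unicast data at all is the symptom from the question."""
    counts, _ = summarize(frames)
    unicast = sum(n for (t, d), n in counts.items() if t == 'data' and d == 'unicast')
    group = sum(n for (t, d), n in counts.items() if t == 'data' and d != 'unicast')
    return 'only group-addressed data captured' if group and not unicast else 'unicast data captured'

def build_frame(fc0: int, addr1: bytes, rate_mbps: float) -> bytes:
    # Constructed frame: radiotap header (length 10, Flags + Rate) then a minimal 802.11 header.
    rt = struct.pack('<BBHI', 0, 0, 10, RT_FLAGS | RT_RATE) + bytes([0, int(rate_mbps * 2)])
    return rt + bytes([fc0, 0, 0, 0]) + addr1 + b'\x02' * 6 + b'\x02' * 6 + b'\x00\x00'
BCAST, MCAST, STA = b'\xff' * 6, b'\x01\x00\x5e\x00\x00\xfb', b'\x00\x11\x22\x33\x44\x55'
# Constructed captures: the symptom from the question (beacon, ARP and mDNS only) and a complete one.
CAPTURE_GROUP_ONLY = [build_frame(0x80, BCAST, 6), build_frame(0x08, BCAST, 6),
                      build_frame(0x08, BCAST, 6), build_frame(0x08, MCAST, 6)]
CAPTURE_FULL = CAPTURE_GROUP_ONLY + [build_frame(0x08, STA, 54), build_frame(0x08, STA, 54)]
```

For a real capture, feed it the per-packet bytes from a pcap with link type 127 (the radiotap link type Wireshark uses for monitor-mode captures); 802.11n/ac frames report their rate through the MCS field instead of the legacy Rate byte, which this minimal parser does not read.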
