Ask Your Question
0

Cannot capture or decrypt some protocols in monitor mode with wireshark

asked 2022-01-02 22:58:11 +0000

ck07 gravatar image

First off I put my network adapter into monitor mode and captured a handshake. From edit>preferences>protocols>IEEE 802.11, I added my decryption keys properly and started sniffing the traffic. The problem is that I can decrypt ARP and some UDP traffic along with some other protocols I'm not familiar with. But I dont see any DNS, HTTP or TCP packets when I apply the necessary filters. I googled around a bit on that and found that it might be possible that I'm not even able to capture TCP and DNS packets at all.

The problem is either I cant decrypt the tcp packets (which I dont think is the case since I can decrypt other protocols), or I cant even receive any tcp traffic. Does anyone have an idea as to how to solve this issue. If it's that I cant even capture these packets, how can I fix it? Thank you in advance.

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by » oldest newest most voted
0

answered 2022-01-02 23:17:38 +0000

Bob Jones gravatar image

Likely you are able to capture and decrypt low modulation frames, such as group traffic, I.e. multicast and broadcast, from the AP. However, highly modulated unicast traffic with high data rates, you are missing. Proximity to test traffic can have an impact, too.

Solution is either to get a capture system that can pick up all the traffic or reduce the capability of the WiFi system so that the capture system can pick it up.

There are many examples of this on this site, for example, see

https://ask.wireshark.org/question/20865/80211-only-partially-decrypted/#20876

edit flag offensive delete link more

Comments

Thank you so much. That explains it really well. I guess I need to buy another card that supports 802.11ac right?

ck07 gravatar imageck07 ( 2022-01-03 00:25:40 +0000 )edit

Likely, yes.

Bob Jones gravatar imageBob Jones ( 2022-01-03 00:38:41 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2022-01-02 22:58:11 +0000

Seen: 817 times

Last updated: Jan 02 '22

Related questions

In a WiFi capture log, why the 11ac “beamformed” bit is shown as both “true” and “false” in wireshark version 2.4.2 (v2.4.2-0-gb6c63ae086)?

cannot find "Compare two capture files"

Is it possible to test a capture filter with already captured traffic?

aix iptrace capture filters

How would I map this display filter to a capture filter?

No HTTP protocols in scan results

Can't capture TLS certificate

Can I create a capture filter on a pcap file

Wireshark capture with ET2000

Tshark conversation view output modification

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2