Ask Your Question
0

wifi capture problem

asked 2022-03-26 02:49:14 +0000

Exiter gravatar image

updated 2022-03-27 00:20:20 +0000

EDIT: traces attached here, two files, 450kb and 3.7mb. Thanks!

https://www.sendspace.com/filegroup/1...

Hi,

Total newbie. I've never seen a wifi packet capture before. lol

I got an Alfa AWUS036AC (RTL8812AU) to learn wifi packet capture for my home Wlan. I'm losing my mind trying to figure out what I did wrong!

I setup a test bed on a table (so no signal issues) with an android tablet, tp-link AP 2.5g+5g and Kali v2022.1 pre-built VMware. I'm a linux newbie, but forced into it because windows can't put the Alfa into monitor mode.

I want to attach two traces, but it won't let me, says I need 60 points. Is there another way to upload traces?

AP:

  • 2.4g SSID test2, wpa2/testtest, ch11, 20mhz
  • 5g SSID test5, wpa2/testtest, ch149, 80mhz

MAC:

  • 2.4g AP - 14:CC:20:D5:07:FA, Tablet - 26:14:77:CF:CF:CC
  • 5g AP - 14:CC:20:D5:07:F9, Tablet - AC:6C:90:5D:3A:87

Kali standard realtek-rtl88xxau-dkms driver installed fine.

2.4g test:

  • airmon-ng check kill
  • iw dev wlan0 set type monitor
  • iw dev wlan0 set channel 11 20MHz
  • iwconfig (showed monitor mode and freq 2.462)
  • started Wireshark with wpa-pwd testtest:test2

2.4g problem

  • sometimes it takes a few tries to get the entire seires of 4 EAPOL packets
  • after that, it decrpts fine, I apply IP display filter
  • on the tablet, the web pages loaded fine
  • BUT, wireshark is flagging a lot of tcp errors
  • tcp out of order, tcp previous segment not captured, tcp acked unseen segment
  • > it looks like the adapter is missing packets and/or recieving them out of order???

5g test:

  • airmon-ng check kill
  • iw dev wlan0 set type monitor
  • iw dev wlan0 set channel 149 80MHz
  • iwconfig (showed monitor mode and freq 5.745)
  • started Wireshark with wpa-pwd testtest:test5

5g problem

  • same EAPOL problem as 2.4g
  • decryption seems fine
  • BUT I can only see broadcast and multicast IP packets
  • > where are my unicast https web browser data packets???

Help, this Alfa is supposed to work. I banged my head against the wall for 5 days, can't figure it out.

Thanks in advance!

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted
0

answered 2022-03-27 00:22:24 +0000

Exiter gravatar image

Thanks a lot for the advice. I have uploaded the traces to sendspace.com.

edit flag offensive delete link more
0

answered 2022-03-26 16:02:13 +0000

Bob Jones gravatar image

What you describe all sounds typical for 802.11 packet capture - it can be difficult. A couple of points:

  1. Much of what you describe is analyzed here as well
  2. Passing wireless adapters into VMs can be problematic so I find it best to run native, i.e. wireless adapter running directly on the PC running Linux
  3. To share pcap files, upload them to a publicly accessible location and add a link here. Make sure they are world-readable or no one will be able to access them for review.
  4. Use monitor mode capture to analyze wifi-specific behavior; when possible, move to wired captures to analyze anything from layer3 and above. In summary, use wifi captures when you have to, not because you can.

Your questions:

sometimes it takes a few tries to get the entire seires of 4 EAPOL packets

Not unheard off. Packet loss is an issue that wireless networks have to deal with, so missing EAPOL frames would be a symptom of that. Give yourself the best chance: make sure the signal strength is solid, but not too high (say -30 to -65), there is minimal interference, both RF and wifi on the channel you are on, and that you don't have a lot of multipath going on (don't line your room with metal...)

BUT, wireshark is flagging a lot of tcp errors
tcp out of order, tcp previous segment not captured, tcp acked unseen segment
> it looks like the adapter is missing packets and/or recieving them out of order???

Not surprising; due to loss at the RF layer, Wireshark can struggle to manage TCP connection analysis. 802.11 retries and TCP retransmissions are not the same thing, but Wireshark does not really treat them any different. So the results are confounded - to analyze TCP traffic, grab it at the other side of the AP so some of this noise will be removed.

BUT I can only see broadcast and multicast IP packets
> where are my unicast https web browser data packets??

See the link in point 1 - this is most likely the same problem: capture envelope is not large enough for the test traffic under review.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2022-03-26 02:49:14 +0000

Seen: 1,035 times

Last updated: Mar 27 '22