Ask Your Question
0

Cannot capture non-local packets on MacOS

asked 2022-05-01 23:41:47 +0000

pokkunakki1832120 gravatar image

I'm trying to use WireShark to capture packets. When I run a capture on en0 (my Wi-Fi interface), though, all I see is packets directed to or coming from my IP addresses (broadcast packets also show up).

How do I capture TCP/IP packets that are directed to other devices on my Wi-Fi network?

Here are the specs for my device:

  • MacBook Pro 2019, 13-inch, four Thunderbolt 3 ports (model identifier MacBookPro15,2)
  • 16 GB RAM
  • 2.8 GHz Quad-Core Intel Core i7
edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2022-05-02 03:41:20 +0000

grahamb gravatar image

You're likely not capturing in monitor mode, see the wiki page on WiFi Capture Setup.

edit flag offensive delete link more

Comments

Following the instructions on that Wiki allows me to capture radio packets, but I am interested in TCP/IP traffic.

For instance, if my iPhone and laptop are on the same network and I go to http://example.com/foobar on my iPhone, I want to see GET /foobar HTTP/1.1 etc. in Wireshark.

pokkunakki1832120 gravatar imagepokkunakki1832120 ( 2022-05-02 11:10:45 +0000 )edit

As per the info, to capture traffic between devices other than the capturing PC, you need to run monitor mode and then you'll also likely need to decrypt the WiFi traffic.

grahamb gravatar imagegrahamb ( 2022-05-02 11:25:49 +0000 )edit

@grahamb I'm still not clear on how to capture that traffic. When I run monitor mode, all I see is 802.11 packets, and I don't know how to go about interpreting those.
For example, if my Wi-Fi network SSID is myWirelessNetwork, the password is password123 (the security is WPA2 Personal), and the MAC address of the router/BSSID is ab:cd:ef:12:34:56, how can I see the TCP packets being sent over the network?

pokkunakki1832120 gravatar imagepokkunakki1832120 ( 2022-05-06 01:21:12 +0000 )edit

Assuming you've captured the required info, you'll need to setup the decryption keys. There is a Wiki page on 802.11 Decryption.

Can you share your capture by uploading it to a public share, or at least display an image of the first 802.11 packet to check that you're capturing the correct thing?

grahamb gravatar imagegrahamb ( 2022-05-18 21:37:13 +0000 )edit

I figured out how to set up the decryption keys. Now, I am having this problem.

pokkunakki1832120 gravatar imagepokkunakki1832120 ( 2022-05-31 14:43:49 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2022-05-01 23:41:47 +0000

Seen: 1,715 times

Last updated: May 02 '22