0

WLAN Capture only decrypting MDNS, ARP, etc

asked 2022-05-19 11:42:55 +0000

pokkunakki1832120

I am playing with Wireshark. I am trying to view an HTTP request to http://example.com/?q=foobar that I made from a device on my Wi-Fi network.

I inputted my SSID and WPA password to the 802.11 decryption dialog, and then I turned Wi-Fi off and on on my device so that I could capture an EAPOL packet and thus decrypt my session. Then, I navigated to http://example.com/?q=foobar.

When I use wlan.addr == AB:CD:EF:12:34:56 (my device's MAC address) as a display filter, I see a lot of packets with Protocol 802.11 and a relatively small number with ICMPv6, DHCP, ARP, MDNS, IGMPv2, and others. However, that's it. I do not see any TCP packets, let alone HTTP packets. http and tcp as display filters both return no results.

I know that I am getting the traffic from the correct device, as I see the device name buried in some of the MDNS packets.

Can someone help me find the missing HTTP packets?


1 Answer

0

answered 2022-05-19 12:52:25 +0000

Bob Jones

The likely issue is the same as the first part of this answer.


Comments

So how can I capture 802.11ac traffic using my MacBook? Is it not possible?

Here are my system specs:
MacBook Pro 2019, 13-inch, four Thunderbolt 3 ports (model identifier MacBookPro15,2)
16 GB RAM
2.8 GHz Quad-Core Intel Core i7

pokkunakki1832120 (2022-05-31 14:41:50 +0000)

Is it not possible?

It depends. If you are trying to pick up 11ax traffic, then probably not. If you are trying to pick up something within the capture envelope of the MacBook, then maybe. Do you know the capabilities of the test traffic?

Are you on the right channel? Are you close enough to pick up the unicast traffic? Do you have a decryption problem, or do you have a packet capture problem? You are likely capturing in monitor mode since the wlan filter produces output. Sharing a capture file on a publicly accessible location of test traffic that can be reviewed will make it much easier to diagnose your issue.

Can you decrypt the sample files? https://wiki.wireshark.org/HowToDecry...

Bob Jones (2022-05-31 16:46:17 +0000)

I am teaching myself about network protocol analysis and how to use Wireshark, so I do not want to inadvertently publish sensitive information from my network. Any suggestions?

For now, here is a screenshot of what I am seeing. The bulk of the traffic that I see in my capture looks something like that (with the exception of the MDNS, ARP, etc. packets, as described above).

pokkunakki1832120 (2022-06-01 00:49:08 +0000)

I understand the security concern. For sharing, you would normally want to anonymize the information, but in wireless decryption cases you basically need to set up a completely separate test network that you scrap when done (i.e., don't use the SSIDs or keys anymore).

Now for the screenshot - I see CTS/RTS, some block ACK, but no unicast data frames. You don't provide much to go on, but what you do show is consistent with the linked answer: you are not picking up the highly modulated unicast data frames.

Why is this the case? There are multiple possible causes for this and they are described in that linked answer and also in comments here. Without more detailed information like a trace file, I can't really say exactly what your specific issue is. If it helps, you can share your trace privately with me; since the issue ...(more)

Bob Jones (2022-06-01 11:08:25 +0000)
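As an added illustration (not part of this thread or of Wireshark itself), the following Python triage separates the two questions raised above: a capture problem (RTS/CTS/Block Ack seen but no data frames, as in the screenshot) versus a decryption problem (encrypted data frames present but no EAPOL 4-way handshake). It assumes raw 802.11 frames with the radiotap header already stripped; the sample frames, the AP address and the function names are constructed for the example, and the station address reuses the asker's placeholder MAC.

```python
from collections import Counter

CTRL_SUBTYPES = {9: "BlockAck", 11: "RTS", 12: "CTS", 13: "ACK"}
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP header, EtherType 0x888E

def frame_type(frame):
    """Classify a raw 802.11 frame from its 2-byte Frame Control field."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype == 1:
        return "ctrl/" + CTRL_SUBTYPES.get(subtype, str(subtype))
    if ftype == 2:  # bit 6 of FC byte 1 is the Protected Frame flag
        return "data/protected" if fc1 & 0x40 else "data/plaintext"
    return "mgmt" if ftype == 0 else "reserved"

def mac_header_len(fc0, fc1):
    """MAC header: 24 bytes, +6 with Address 4, +2 for QoS Control, +4 for HT Control."""
    n = 24 + (6 if (fc1 & 0x03) == 0x03 else 0)
    if (fc0 >> 2) & 0x3 == 2 and fc0 & 0x80:  # QoS Data subtypes (8-15) have bit 7 set
        n += 2 + (4 if fc1 & 0x80 else 0)
    return n

def is_eapol(frame):
    """EAPOL-Key handshake messages are unprotected data frames carrying EtherType 0x888E."""
    if (frame[0] >> 2) & 0x3 != 2 or frame[1] & 0x40:
        return False
    n = mac_header_len(frame[0], frame[1])
    return frame[n:n + 8] == LLC_SNAP_EAPOL

def diagnose(frames):
    """Return (verdict, per-type counts, number of EAPOL frames) for a list of raw frames."""
    counts = Counter(frame_type(f) for f in frames)
    data_frames = counts["data/protected"] + counts["data/plaintext"]
    eapol = sum(1 for f in frames if is_eapol(f))
    if data_frames == 0:
        verdict = "capture problem"      # control frames only: data frames were never demodulated
    elif eapol == 0:
        verdict = "decryption problem"   # encrypted data but no 4-way handshake to derive the key
    else:
        verdict = "handshake present"    # decryption can work; verify SSID and passphrase next
    return verdict, dict(counts), eapol

# Constructed samples (radiotap stripped); STA is the asker's placeholder MAC, AP is made up.
STA, AP = bytes.fromhex("abcdef123456"), bytes.fromhex("020000000001")
RTS = bytes([0xB4, 0x00, 0x2C, 0x00]) + AP + STA
CTS = bytes([0xC4, 0x00, 0x2C, 0x00]) + STA
BLOCK_ACK = bytes([0x94, 0x00, 0x00, 0x00]) + AP + STA + bytes(10)
QOS_DATA = bytes([0x88, 0x41, 0x30, 0x00]) + AP + STA + AP + bytes(4) + bytes(48)  # ToDS+Protected, CCMP body
EAPOL_M1 = bytes([0x08, 0x02, 0x3A, 0x01]) + STA + AP + AP + bytes(2) + LLC_SNAP_EAPOL + bytes(99)  # FromDS, clear
```

Running `diagnose` over the frames of a real capture (for example, the 802.11 payloads extracted from the pcap) gives the asker's screenshot the verdict "capture problem", since only control frames are present.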

How should I share the capture file with you privately, @Bob Jones ?

pokkunakki1832120 (2022-06-16 00:30:15 +0000)


Last updated: May 19 '22