Ask Your Question
0

Wireshark shows only 802.11 packets

asked 2023-12-21 07:05:14 +0000

livingbeing gravatar image

updated 2023-12-22 03:45:24 +0000

First things first. My setup:

Host:

  • Operating system: Windows 10
  • Virtualization software: VirtualBox 7.0

Guest:

  • Operating system: Ubuntu 22.04
  • Kernel: 6.2.0-39-generic

USB WiFi adapter:

Description of the issue:

Screenshot of a capture: https://imgur.com/a/F2Itmfu

My Ubuntu guest system has the USB network adapter enabled and running in monitor mode. From the guest system I'm trying to sniff the HTTP traffic of my own WiFi network, to which my TV, my smartphone and my host laptop are connected. However, I'm only getting packets labeled as 802.11 in the "Protocol" column. Browsing Web pages on any of the mentioned devices has apparently no effect on the output.

Notes:

  • The network adapter supports monitor mode in Linux. I enabled it from the terminal, having previously killed all network processes that could interfere with the interface.
  • Promiscuous mode is enabled in Wireshark for all interfaces, including the one corresponding to my USB adapter.
  • The host machine that I'm using to create HTTP traffic (and its attached USB adapter) is only three meters away from the router.
  • The capture should be decrypted, since I set my network's ESSID and password in Wireshark as decryption keys (both in wpa-pwd and wpa-psk formats).

Maybe not related, but worth mentioning:

  • My connection is associated to channel 11, but Wireshark only allows me to capture on channel 1. Whenever I choose a different option in the dropdown from Wireless Toolbar, it immediately switches back to 1.
  • Handshakes are generally not detected, no matter how many times I disconnect and reconnect.
  • After some time capturing traffic, a red dot appears at the bottom left corner of the Wireshark window. When clicked, its description reads: "Remaining data does not include the tag length".

Question:

I've read dozens of topics describing this issue but found no definitive answer. So far, the most convincing explanation was this: https://ask.wireshark.org/question/20865/80211-only-partially-decrypted/. Apparently, the network's modulation is too high for my adapter. May this be the case? If so, is it something I could solve by buying a more expensive WiFi adapter? If not, can you provide me another clue?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2023-12-21 11:19:59 +0000

Bob Jones gravatar image

The github site for your driver says this:

 Recommendation: Do not buy adapters based on this chipset. You will be disappointed. Adapters with the new mt7921au chipset will meet or exceed the performance of this chipset in WiFi 5 AC 5 GHz mode plus you get WiFi 6e capability.

Some comments:

My connection is associated to channel 11, but Wireshark only allows me to capture on channel 1. Whenever I choose a different option in the dropdown from Wireless Toolbar, it immediately switches back to 1.

This is a showstopper! If you can't capture on the channel you are interested in then you will never get the traffic you are looking for. This is a system issue, not Wireshark, and is common. The wireless toolbar is deprecated and has been removed on most platforms as far as I can tell; Linux packaging systems tend to have older versions of Wireshark so it might still be around. Anyway, it probably still works if present except for the likely underlying cause: you have interfering processes taking control of the adapter. I know you said you killed interfering processes, but I would guess you didn't get them all. NetworkManager is the most common culprit - you can tell nm to ignore this interface. To work around this until you figure it out, move your AP to channel 1.

Handshakes are generally not detected, no matter how many times I disconnect and reconnect.

Consistent with capturing on the wrong channel. This could have other root causes, too, but you have to fix the most basic one first.

To summarize, I would suggest:

  1. Figure out how to get a stable channel selected
  2. Obtain a better adapter based on MediaTek USB chipset
  3. Consider capturing on a dedicated platform (even a raspberry pi or similar) rather than try and pass thru to a VM
  4. Work on iw and related commands to put adapter in monitor mode and adjust settings manually, if needed to get better feedback as to issues

Here is a recent discussion similar to this with an RTL chipset where the issue is isolated to the capture device.

edit flag offensive delete link more

Comments

Thank you so much for your detailed answer. I set my network to a fixed channel (1) and made NetworkManager ignore the USB WiFi interface. Then I killed all network processes and set the interface to monitor mode by using the iw command. The result is almost the same: https://imgur.com/a/fIeK7xR. The only difference is that now a few HTTP packets are indeed captured, but none of them is related to the web pages (both HTTP and HTTPS) I visited. I think I'll give a try to running Ubuntu from a USB drive (to remove the VM layer) and see if I get any HTTP packets from my smartphone's traffic. However, I don't think it's going to work, since I already tried that approach with a TP-Link Archer T3U AC1300 (chipset RTL8812BU) and stumbled upon the same issue. So I think I'll ...(more)

livingbeing gravatar imagelivingbeing ( 2023-12-22 03:17:10 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2023-12-21 07:05:14 +0000

Seen: 630 times

Last updated: Dec 22 '23