Why can I only capture broadcast traffic?

asked 2025-02-13 21:37:43 +0000

Griswold

Mac Studio running the latest Sequoia 15.3.1. Zyxel 3301-T0 router, 2.4 GHz Wi-Fi segment with 10 devices including the Mac.

Running Wireshark 4.4.3 with neither, either or both of the promiscuous and monitor mode boxes ticked, I can only see and capture broadcast traffic and traffic directly to/from my Mac.

But if I use the Mac's built-in Sniffer I can see and capture traffic between all devices, though some items such as PING don't seem to record using Sniffer. Also, the built-in Sniffer doesn't allow me to record only traffic to/from a specific device, which is what I need to do.

I also notice that when using the built-in Sniffer the wireless icon on the Mac changes to an eye (indicating monitor mode?), but when I use Wireshark with the monitor mode box ticked the wireless icon doesn't change from its original.

I have read the WiFi Setup article but that offers no solution, I'm afraid.

Can anyone offer a solution?

Many thanks in advance.

Peter


1 Answer


answered 2025-02-14 03:06:23 +0000

Guy Harris

Running Wireshark 4.4.3 with neither, either or both of the promiscuous and monitor mode boxes ticked, I can only see and capture broadcast traffic and traffic directly to/from my Mac.

You can see traffic in monitor mode? That's a surprise, as newer versions of macOS and newer Macs appear not to capture any traffic in monitor mode, except under certain circumstances, such as...

But if I use the MAC's inbuilt Sniffer I can see and capture traffic between all devices,

...capturing with the Sniffer, which I assume here is the one in Wi-Fi Diagnostics.

The program doing the sniffing in that case is called "tcpdump", and it's run with the -I flag, which makes the exact same libpcap calls that Wireshark does to capture in monitor mode.

The difference is that Wi-Fi diagnostics does... something to allow monitor mode to work. My suspicion is that it disconnects from your Wi-Fi network in a fashion that allows traffic capture, but nobody I know of has managed to figure out what that is.

At least at one point, I do remember that, if you run Wireshark while the Wi-Fi Diagnostics Sniffer is running, Wireshark can capture traffic in monitor mode Just Fine.

Unfortunately, using dapptrace may require that I turn system Secret API^W^Wintegrity protection off, so it may be a bit hard to figure out what the secret is.
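An added example, not part of the answer above and not Wireshark's or Apple's own tooling: a small POSIX shell script that asks tcpdump which link-layer header types (DLTs) libpcap offers for a Wi-Fi interface with and without the -I (monitor mode) flag, and reports which one Wireshark should be told to use. The interface name en1 and the embedded sample tcpdump -L output are assumptions so the script also runs where tcpdump is absent.

```shell
#!/bin/sh
# Added example: compare the DLTs libpcap offers for a Wi-Fi interface in
# normal and monitor (tcpdump -I) mode. When the monitor list lacks EN10MB,
# Wireshark must be set to an 802.11 DLT, otherwise it reports
# "EN10MB is not one of the DLTs supported by this device".

# Constructed samples of `tcpdump -L` output (assumed interface en1), used
# when tcpdump is not installed; real output has the same one-DLT-per-line shape.
SAMPLE_NORMAL='Data link types for en1 (use option -y to set):
  EN10MB (Ethernet)
  RAW (Raw IP)'
SAMPLE_MONITOR='Data link types for en1 when in monitor mode (use option -y to set):
  IEEE802_11 (802.11)
  IEEE802_11_RADIO (802.11 plus radiotap header)'

# dlt_names TEXT: reduce tcpdump -L output to bare DLT names, one per line.
dlt_names() {
    printf '%s\n' "$1" | awk '/^[ \t]+[A-Z0-9_]+ \(/ { print $1 }'
}

# has_dlt NAMES NAME: succeed if NAME is one of the lines in NAMES.
has_dlt() {
    printf '%s\n' "$1" | grep -qx "$2"
}

# explain_mode LABEL NAMES: one-line verdict for a capture mode.
explain_mode() {
    if has_dlt "$2" IEEE802_11_RADIO; then
        echo "$1: 802.11 frames offered; set Wireshark's link-layer header to IEEE802_11_RADIO, not EN10MB"
    elif has_dlt "$2" EN10MB; then
        echo "$1: Ethernet-style frames only; expect own and broadcast traffic, not other stations' unicast"
    else
        echo "$1: no DLT reported (tcpdump failed or listed nothing; check BPF permissions)"
    fi
}

# probe IFACE: query the real tcpdump (needs BPF access: root or ChmodBPF).
probe() {
    explain_mode "normal " "$(dlt_names "$(tcpdump -i "$1" -L 2>&1)")"
    explain_mode "monitor" "$(dlt_names "$(tcpdump -I -i "$1" -L 2>&1)")"
}

if [ $# -ge 1 ] && command -v tcpdump >/dev/null 2>&1; then
    probe "$1"
else
    explain_mode "normal " "$(dlt_names "$SAMPLE_NORMAL")"
    explain_mode "monitor" "$(dlt_names "$SAMPLE_MONITOR")"
fi
```

Run it as `sh dlt-check.sh en1` on the Mac to see the live lists; without an argument it evaluates the embedded samples.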


Comments

Hi, and many thanks for your reply.

Re running Wireshark in monitor mode: this certainly worked for broadcast traffic before I did the macOS update yesterday, but today when I try I now get the message "Unable to set data link type on interface 'en1' (EN10MB is not one of the DLTs supported by this device)". Also yesterday I uninstalled Wireshark then downloaded and installed the latest version (sorry, can't remember what my previous version was).

I just tried running Wireshark with Diagnostics' Sniffer running, but Wireshark sees and records nothing while Sniffer is running, and Sniffer definitely disconnects the Mac from the WiFi.

Best Regards

Peter

Griswold (2025-02-14 10:51:02 +0000)
