
Wireshark & Tcpdump not working.

asked 2025-03-24 18:52:00 +0000

va3ham

Hello, first let me say thank you for all those that can help with this issue. I am hoping to solve this issue, for schooling.

So, I am using an Alfa adapter with an Atheros chipset, and Ubuntu Linux. I have changed to monitor mode with airmon-ng, and attempted in Wireshark and Tcpdump and Snort, an IDPS. Nothing has worked, and in the past when I was younger, I remember there was no problem at all. This issue is on the internet / other forums, and I haven't seen a solution that works.

I am using my home network, and have even gone into the router and shut off security settings.

Thanks again, for help.


Comments

What does "not working" mean, exactly? Can't see any traffic? Can't see your traffic? The traffic you see appears incorrect?

Did you do airmon-ng check kill? What is the state of the adapter a short time after you attempt to put it in monitor mode (the iw and iwconfig commands are useful)? Can you provide more specific information as to the actual chipset in use? Also, if some traffic is present, it could help to make that available so we can review it, as it might give clues as to what the issue could be.

Bob Jones (2025-03-31 14:19:30 +0000)

Hi Bob, thanks for your reply. So... I can see 802.11 packets, and yes, I am using airmon-ng with check kill, and after putting the adapter into monitor mode, I can double check with iwconfig, and I am using the Atheros Alfa chipset. Thanks again.

va3ham (2025-03-31 18:15:57 +0000)

I forgot to add, I have attempted Tshark, Tcpdump, and Snort, along with Wireshark; nothing worked.

va3ham (2025-03-31 18:17:13 +0000)

You still haven't defined what "nothing worked" means. From my point of view, "I can see 802.11 packets" is exactly what you should see when you put an interface in monitor mode. You obviously expect something else; what is it? Most wireless traffic is, and should be, protected in transit, and some WPAx variant is most often used. If you want to see the upper layers, e.g. the network layer with IP addresses and above, you need to either decrypt the traffic or capture a different way.

Bob Jones (2025-03-31 22:02:49 +0000)
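To make the "decrypt the traffic" option concrete: what follows is an added example written for this thread, not code from Wireshark and not from either poster. It performs the WPA2-PSK derivation that Wireshark does internally: passphrase plus SSID give the PMK, the EAPOL 4-way handshake (both MAC addresses, ANonce, SNonce) gives the PTK, and the KCK slice of the PTK verifies the MIC on handshake message 2. Every MAC, nonce, SSID and passphrase below is a constructed sample value; the only real test vector is the IEEE "password"/"IEEE" PMK used in the test. The point for the capture: without the 4-way handshake in the pcap there is no PTK, so monitor mode shows only encrypted 802.11 data frames, which is what the original poster is seeing.

```python
"""WPA2-PSK key derivation and EAPOL 4-way handshake MIC check (added example)."""
import hashlib
import hmac

# Offset of the 16-byte Key MIC field in an EAPOL-Key frame, from the start of the
# 802.1X header: header (4) + descriptor type (1) + key info (2) + key length (2)
# + replay counter (8) + nonce (32) + IV (16) + RSC (8) + ID (8) = 81.
MIC_OFFSET = 81


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK for CCMP (384 bits): KCK (16) || KEK (16) || TK (16)."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for descriptor version 2 (WPA2/CCMP): HMAC-SHA1-128 over the frame with MIC zeroed."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def verify_handshake(passphrase, ssid, ap_mac, sta_mac, anonce, snonce, msg2) -> bool:
    """True if passphrase/SSID reproduce the MIC carried in EAPOL-Key message 2."""
    ptk = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return hmac.compare_digest(eapol_key_mic(ptk[:16], msg2), msg2[MIC_OFFSET:MIC_OFFSET + 16])


def build_msg2(snonce: bytes, kck: bytes) -> bytes:
    """Construct an EAPOL-Key message 2 (STA -> AP) with SNonce and a valid MIC.
    Sample data built here, not a captured frame; the RSN IE key data is omitted."""
    body = bytes([2])                          # descriptor type: RSN
    body += (0x010A).to_bytes(2, "big")        # key info: version 2, pairwise, MIC present
    body += (16).to_bytes(2, "big")            # key length (CCMP)
    body += (1).to_bytes(8, "big")             # replay counter
    body += snonce                             # key nonce
    body += bytes(16) + bytes(8) + bytes(8)    # key IV, key RSC, key ID
    body += bytes(16)                          # key MIC placeholder
    body += (0).to_bytes(2, "big")             # key data length
    frame = bytes([2, 3]) + len(body).to_bytes(2, "big") + body   # 802.1X v2, type EAPOL-Key
    return frame[:MIC_OFFSET] + eapol_key_mic(kck, frame) + frame[MIC_OFFSET + 16:]


# Constructed sample session: values chosen for the example, not from a real capture.
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
SSID = "HomeNet"
PASSPHRASE = "correct horse battery staple"


def sample_msg2() -> bytes:
    """Message 2 as the sample client would have sent it for the session above."""
    kck = derive_ptk(derive_pmk(PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return build_msg2(SNONCE, kck)


if __name__ == "__main__":
    msg2 = sample_msg2()
    print("PMK:", derive_pmk(PASSPHRASE, SSID).hex())
    print("right passphrase:", verify_handshake(PASSPHRASE, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, msg2))
    print("wrong passphrase:", verify_handshake("wrong", SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, msg2))
```

In Wireshark the same inputs go in as a wpa-pwd decryption key (passphrase:SSID) under the IEEE 802.11 protocol preferences, and only data frames of a session whose 4-way handshake is in the capture get decrypted; if the client associated before the capture started, it has to reassociate while you are capturing.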

I expected to see HTTP traffic as I did in the past, and also I don't understand why nothing else works either, like tcpdump. Should I try and use some other application to packet sniff, or maybe change adapter? What's the recommendation? Thank you.

va3ham (2025-03-31 22:47:37 +0000)

1 Answer


answered 2025-04-06 13:54:31 +0000

va3ham

So I did as recommended, and tried to decrypt TLS with a key log file... and only after reading further on the internet, it only works per session, meaning every time you have to go through the steps again and again.

In my opinion, packet sniffing may not work anymore; only when using an Ethernet tap does it actually work.

Thank you, Bob Jones, for responding to this question.


Comments

Depending on how you are configuring the sslkeylog file, if the app keeps writing to it, i.e. append mode, then if you point Wireshark to that file, new sessions would automatically decrypt. I have seen tools that create a new keylog file with keys per TLS session, and yes, this becomes a drag for bulk decryption. It's also possible to automate via scripting with tshark.

Bob Jones (2025-04-06 22:30:32 +0000)
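The per-session problem the answer ran into comes from the key log format, not from Wireshark: each line of an SSLKEYLOGFILE is `LABEL <ClientHello random as 64 hex> <secret as hex>`, and Wireshark looks up each TLS session by its client random, so a single file that accumulates records decrypts every session in the capture. The following is an added example written for this thread, not Wireshark's code or either poster's: it parses key log files, merges several per-session files into one (dropping duplicates and malformed lines), and builds the tshark command line that reads the merged file. The two sample logs and their hex values are constructed, not real secrets.

```python
"""Merge per-session SSLKEYLOGFILE logs into one key log for Wireshark/tshark (added example)."""
import re

# Labels emitted by NSS/OpenSSL-style key logging: the TLS 1.2 master secret and
# the TLS 1.3 traffic secrets. Anything else is dropped rather than passed through.
LABELS = {
    "CLIENT_RANDOM",
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "EARLY_EXPORTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
# One record per line: label, 32-byte client random, secret; '#' lines are comments.
RECORD_RE = re.compile(r"^([A-Z_0-9]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")


def parse_keylog(text: str) -> dict:
    """Map (label, client_random) -> secret for every well-formed record in text."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RECORD_RE.match(line)
        if not m or m.group(1) not in LABELS or len(m.group(3)) % 2:
            continue                      # malformed line or unknown label: skip it
        records[(m.group(1), m.group(2).lower())] = m.group(3).lower()
    return records


def merge_keylogs(texts) -> str:
    """Concatenate several key logs, keeping the first copy of each record, in first-seen order."""
    merged = {}
    for text in texts:
        for key, secret in parse_keylog(text).items():
            merged.setdefault(key, secret)
    return "".join(f"{label} {rnd} {secret}\n" for (label, rnd), secret in merged.items())


def tshark_argv(pcap: str, keylog: str, display_filter: str = "http") -> list:
    """Command line that points tshark at the merged key log and shows the decrypted HTTP."""
    return ["tshark", "-r", pcap, "-o", f"tls.keylog_file:{keylog}", "-Y", display_filter]


# Constructed sample logs (made-up hex, not real secrets): a TLS 1.2 session and a TLS 1.3 session.
LOG_A = "# session A (TLS 1.2)\nCLIENT_RANDOM " + "aa" * 32 + " " + "11" * 48 + "\n"
LOG_B = "\n".join([
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "bb" * 32 + " " + "22" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "bb" * 32 + " " + "33" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "bb" * 32 + " " + "44" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "bb" * 32 + " " + "55" * 32,
    "this line is not a key log record",
]) + "\n"

if __name__ == "__main__":
    merged = merge_keylogs([LOG_A, LOG_B, LOG_A])   # LOG_A given twice: duplicates are dropped
    with open("merged_keys.log", "w") as fh:
        fh.write(merged)
    print(merged, end="")
    print(" ".join(tshark_argv("capture.pcapng", "merged_keys.log")))
```

If the application only ever writes one session per file, run the merge before each tshark pass; if it appends, pointing Wireshark at the growing file is enough, as the comment above says.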


Last updated: Apr 06