Capture on WiFi works for all but device I'm interested in

2019-01-07

I'm trying to sniff traffic to / from a Meross smart plug I have on my network. I am using Wireshark in Kali on a virtual machine with a USB Wi-Fi adapter (RTL8812AU). I was able to successfully put the adapter into monitor mode and decrypt traffic on my WPA2 network, and I'm able to see other traffic such as to and from the Kali VM, traffic on my host computer, and my smartphone.

What I am not able to find is any traffic to the smart plug. According to my router, the plug has the IP of, and if I try to filter by that in Wireshark I see nothing. I am able to filter by my host computer's IP and the IP of my phone, and that traffic appears perfectly normal (this is after the WPA2 handshake, decryption works correctly). When I check the router's "traffic statistics" page, it shows that the number of packets sent / received to the smart plug increases when I turn it on and off, but Wireshark still doesn't show any data for that IP.

All these devices are connected to the same network (only using the 2.4 for this test, 5 GHz is under a different SSID), I have no capture filters, and no display filters other than for the smart plug's IP. What could I be missing?

2019-01-07

Bob Jones

I would suggest searching for the device via its MAC address instead of IP. IP requires decryption to be successful, while the MAC will show in any case. Use something like wlan.addr == <mac>

First see if you can find the device at all, and you need data or QoS-data frames to contain the IP address. It could be you are not getting all 4 EAPOL frames; maybe the device is connected on a different channel than you expect. It’s also possible that the modulation is higher than what the monitor supports, but I doubt that is the case here.

What do you see when you look for that MAC address?

2019-01-07
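The answer's point about needing all 4 EAPOL frames for the device in question can be checked per station. The following is an added example, not part of the original thread: it classifies pairwise EAPOL-Key frames by their Key Information bits (WPA2/RSN conventions assumed) and reports which handshake messages are missing for each MAC. The MAC addresses and rows are constructed sample data; in practice the rows would be exported from the capture.

```python
# Added example: which 4-way-handshake messages were captured for a station?
# Key Information bit masks from the IEEE 802.11 EAPOL-Key frame format.
KEY_TYPE_PAIRWISE = 0x0008
INSTALL = 0x0040
KEY_ACK = 0x0080
KEY_MIC = 0x0100
SECURE = 0x0200

def handshake_message(key_info):
    """Return 1-4 for a pairwise EAPOL-Key frame, or None if unclassifiable."""
    if not key_info & KEY_TYPE_PAIRWISE:
        return None                      # group-key handshake, not the 4-way one
    ack = bool(key_info & KEY_ACK)
    mic = bool(key_info & KEY_MIC)
    if ack and not mic:
        return 1                         # AP -> station, ANonce
    if ack and mic and key_info & INSTALL:
        return 3                         # AP -> station, install key
    if mic and not ack:
        # Assumption: WPA2 sets Secure in message 4 but not in message 2.
        return 4 if key_info & SECURE else 2
    return None

def missing_for(rows, ap_mac, station_mac):
    """rows: (source MAC, destination MAC, key_info) per captured EAPOL frame.
    Returns the sorted handshake message numbers NOT seen for station_mac."""
    ap, sta = ap_mac.lower(), station_mac.lower()
    seen = set()
    for src, dst, key_info in rows:
        if {src.lower(), dst.lower()} != {ap, sta}:
            continue                     # frame belongs to another station
        msg = handshake_message(key_info)
        if msg is not None:
            seen.add(msg)
    return sorted({1, 2, 3, 4} - seen)

# Constructed sample data (locally administered MACs, typical WPA2 key_info values).
AP, PHONE = "02:00:00:00:00:01", "02:00:00:00:00:10"
LAPTOP, PLUG = "02:00:00:00:00:20", "02:00:00:00:00:30"
ROWS = [
    (AP, PHONE, 0x008A), (PHONE, AP, 0x010A), (AP, PHONE, 0x13CA), (PHONE, AP, 0x030A),
    (AP, LAPTOP, 0x008A), (AP, LAPTOP, 0x13CA),   # station's replies not captured
]

if __name__ == "__main__":
    for name, mac in (("phone", PHONE), ("laptop", LAPTOP), ("plug", PLUG)):
        print(name, "missing handshake messages:", missing_for(ROWS, AP, mac))
```

A station that reports all four messages missing never had its handshake captured at all, which matches the situation where other devices decrypt fine but one device shows no IP traffic.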
