Ask Your Question
0

No packets captured on Macbook main wifi interface en0 while Monitor mode is On

asked 2019-02-19 19:37:03 +0000

JulM gravatar image

Hi everyone,

I have a very strange problem with my Macbook running macOS High Sierra (10.13.6). I was always able to get wifi capture with it using wifi main interface en0. I was simply connecting to different SSIDs and was able to start capture with Monitor Mode On in Wireshark (2.6.6)

Since a week, I'm unable to see over the air packets even if en0 interface is detected and still can see traffic. I haven't done any update of MacOS nor Wireshark.

However, I verified if packets capture was still available on en0 interface using ''Airtool'' application and it is in fact capturing packets. It creates a file that is opened by Wireshark. As most of you might know, Airtool works by specifying channel and channel width. In Wireshark I was simply connecting to SSID to capture packets and was able to see the live capture.

So I know Packet capture works on my Macbook main wifi interface en0. But unfortunately, Wireshark doesn't let me see packets for some reason.

Any help would be very appreciated. Thanks in advance!

edit retag flag offensive close merge delete

Comments

What happens if you use tcpdump to capture traffic, e.g. tcpdump -i en0 -I -w /tmp/capture.pcap. and then try to read the capture file?

Guy Harris gravatar imageGuy Harris ( 2019-02-19 20:40:03 +0000 )edit

Hi Guy, thanks for your quick reply.

After running the tcpdump for more than a minute, I have: 0 packets captured 0 packets received by filter 0 packets dropped by kernel = Capture File is empty

JulM gravatar imageJulM ( 2019-02-19 21:01:18 +0000 )edit

So, it looks like my Macbook is able to correctly sniff over the air packets when not connected to any SSID. As soon as I connect it to a SSID (can be Open, WPA2 protected, or else), the Macbook is able to start a trace but unable to see over the air packets.

Has anyone ever encountered this kind of problem?

JulM gravatar imageJulM ( 2019-02-20 18:02:49 +0000 )edit

I have the same exact problem. Running on Mojave 10.14.6.

Mike gravatar imageMike ( 2020-09-25 12:34:12 +0000 )edit

i have two macbook pro,one is macbook pro 2017,another is macbook pro 2020,they are both macos 10.15.6.

when i use macbook pro 2020,i have the same problem. but i have found a way to solve this porblem, before run wireshark ,you must disconnect from all ssid ,then you can capture 802.11 traffic.

but wireshark work well when i use macbook pro 2017 with connect a ssid.

uncle wang gravatar imageuncle wang ( 2020-11-11 10:19:51 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-09-25 19:44:19 +0000

Guy Harris gravatar image

This is probably a combination of:

  • the Wi-Fi adapter on your machine, or its driver, not supporting remaining associated with a network when in monitor mode;
  • Apple "helpfully" preventing disconnection from a network by not putting an adapter into monitor mode if it's associated with a network and, apparently, not supplying any packets.

This hack on Apple's part first appeared in Mojave with at least some hardware.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-02-19 19:37:03 +0000

Seen: 6,144 times

Last updated: Nov 11 '20

Related questions

no packets captured in monitor mode

Why does Wireshark not capture any data when in monitor mode on my Mac?

How to switch Mac OS NIC to monitor mode during use internet

Can't decrypt WPA-PSK (WPA/WPA2) even with passphrase and EAPOL Handshake

Forcing Mac OS X to reconnect in monitor mode

what is the capture/display filter to get RSSI information of WiFi users?

Can't see anything corresponding to the data packets in wireshark in monitor mode

Confused about wifi sniffing

Explanation for Difference in WLAN Captures

How do I install wireshark legacy on mac?