No packets captured on Macbook main wifi interface en0 while Monitor mode is On

asked 2019-02-19 19:37:03 +0000

JulM

Hi everyone,

I have a very strange problem with my Macbook running macOS High Sierra (10.13.6). I was always able to get wifi capture with it using the main wifi interface en0. I was simply connecting to different SSIDs and was able to start capture with Monitor Mode On in Wireshark (2.6.6).

For the past week, I've been unable to see over-the-air packets even though the en0 interface is detected and can still see traffic. I haven't done any update of macOS or Wireshark.

However, I verified whether packet capture was still available on the en0 interface using the "Airtool" application, and it is in fact capturing packets. It creates a file that is opened by Wireshark. As most of you might know, Airtool works by specifying channel and channel width. In Wireshark I was simply connecting to an SSID to capture packets and was able to see the live capture.

So I know Packet capture works on my Macbook main wifi interface en0. But unfortunately, Wireshark doesn't let me see packets for some reason.

Any help would be very appreciated. Thanks in advance!


Comments

What happens if you use tcpdump to capture traffic, e.g. tcpdump -i en0 -I -w /tmp/capture.pcap, and then try to read the capture file?

Guy Harris ( 2019-02-19 20:40:03 +0000 )

Hi Guy, thanks for your quick reply.

After running the tcpdump for more than a minute, I have:

0 packets captured
0 packets received by filter
0 packets dropped by kernel

= Capture File is empty

JulM ( 2019-02-19 21:01:18 +0000 )

So, it looks like my Macbook is able to correctly sniff over-the-air packets when not connected to any SSID. As soon as I connect it to an SSID (can be Open, WPA2 protected, or else), the Macbook is able to start a trace but unable to see over-the-air packets.

Has anyone ever encountered this kind of problem?

JulM ( 2019-02-20 18:02:49 +0000 )