Cannot decrypt POST requests in monitor mode [closed]
Hello, wireshark community.
I put Alfa adapter in monitor mode and ran airodump-ng wlan0mon -w out --essid <SSID name> --channel 13. Then I opened this file via wireshark, entered the valid wpa-pwd decryption key for the specified SSID and filter packets to display http only.
I hit aavtrain.com, which is http only, and entered some username and password. Clicked submit and back to wireshark. I see only http GET requests to aavtrain.com, but I'm unable to see the post request that I sent no matter how many times I tried.
Updated 1
I noticed that instead of POST request I see TCP ACKed unseen segment warning. But I don't understand why it didn't capture this packet. Wireshark FAQ explains that it might be due to my interface was not fast enough but why it is able to capture all GET requests then?
Updated 2
The issue turned out to be not persistent while I thought it was.
Do you see the same problem when capturing with Wireshark on the default interface, not in monitor-mode?
I can see POST requests in wireshark through the same interface in managed mode.
Are you capturing and communicating on the same interface, at the same time?
@Bob, No while in monitor mode and yes in managed mode.
Making the capture file available would speed up analysis but it may contain sensitive information. If this is a consistent problem - not just a single frame missing - I would suspect it's a capture issue. For whatever reason the modulation used to send the particular frame you are looking for can't be picked up. Frame 8187 is an ACK but I don't see a data frame. I don't know what filter you might have in place, nor all the MACs and IP mappings to help deduce if this is part of the missing exchange. Then we might need a 2nd capture system to see if this frame is picked up there; maybe try a Macbook or a different capture adapter. Without the capture I can't tell at what modulations/signal strengths are in play to know what may have happened here. But also your problem statement ...(more)