Cannot decrypt POST requests in monitor mode [closed]

asked 2019-04-10 05:47:32 +0000 by dizcza

updated 2019-04-12 08:31:58 +0000

Hello, Wireshark community. I put an Alfa adapter in monitor mode and ran airodump-ng wlan0mon -w out --essid <SSID name> --channel 13. Then I opened this file in Wireshark, entered the valid wpa-pwd decryption key for the specified SSID, and filtered packets to display HTTP only.

I visited aavtrain.com, which is HTTP only, and entered a username and password. I clicked Submit and went back to Wireshark. I see only HTTP GET requests to aavtrain.com, but I'm unable to see the POST request that I sent, no matter how many times I tried.

Update 1

I noticed that instead of the POST request I see a "TCP ACKed unseen segment" warning. But I don't understand why it didn't capture this packet. The Wireshark FAQ explains that it might be because my interface was not fast enough, but why is it able to capture all GET requests then?

Update 2

The issue turned out not to be persistent, although I thought it was.


Closed for the following reason "not a real question" by dizcza
close date 2019-04-12 08:29:21 +0000
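For readers wondering what entering a "wpa-pwd" key actually does: Wireshark takes it in the form passphrase:SSID and derives the 256-bit PMK with PBKDF2-HMAC-SHA1 over the passphrase and SSID (4096 iterations, 32 bytes), which is the WPA/WPA2-Personal derivation from IEEE 802.11. The following is an added example, not code from the question or from Wireshark; it reproduces that derivation and checks it against the IEEE test vectors. It assumes neither the passphrase nor the SSID contains a literal colon. One caveat the question does not mention: the PMK alone is not enough, Wireshark also needs the client's 4-way handshake (EAPOL frames) in the capture to derive the per-session keys, so the capture has to include the association (or a reassociation) of the client whose traffic you want to read.

```python
"""Derive the PMK that Wireshark computes from a "wpa-pwd" key entry.

Added example, not from the original post. A wpa-pwd entry has the form
"passphrase:SSID"; Wireshark turns it into the 256-bit PMK with
PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), as IEEE 802.11
specifies for WPA/WPA2-Personal. The resulting hex string is what you would
enter as a "wpa-psk" key instead. Decryption additionally requires the
client's 4-way handshake (EAPOL) to be present in the capture.
"""
import hashlib


def split_wpa_pwd(key: str) -> tuple[str, str]:
    """Split Wireshark's "passphrase:SSID" form and validate both parts.

    Assumption of this example: neither part contains a literal colon.
    """
    passphrase, sep, ssid = key.partition(":")
    if not sep or not ssid:
        raise ValueError("wpa-pwd key must be of the form 'passphrase:SSID'")
    # WPA-Personal passphrases are 8..63 printable ASCII characters.
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    # An 802.11 SSID is 1..32 octets.
    if not 1 <= len(ssid.encode("utf-8")) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return passphrase, ssid


def pmk_from_wpa_pwd(key: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    passphrase, ssid = split_wpa_pwd(key)
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


def wpa_psk_hex(key: str) -> str:
    """Hex form of the PMK, usable as a Wireshark 'wpa-psk' key."""
    return pmk_from_wpa_pwd(key).hex()


if __name__ == "__main__":
    # IEEE 802.11 test vector: passphrase "password", SSID "IEEE".
    print(wpa_psk_hex("password:IEEE"))
```

If the PMK matches the published vector but frames still decode as raw 802.11 data, the missing piece is almost always the handshake: start capturing before the client associates, or deauthenticate it so it reassociates while airodump-ng is running.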

Comments

Do you see the same problem when capturing with Wireshark on the default interface, not in monitor-mode?

Ross Jacobs ( 2019-04-10 11:21:06 +0000 )

I can see POST requests in wireshark through the same interface in managed mode.

dizcza ( 2019-04-10 11:45:24 +0000 )

Are you capturing and communicating on the same interface, at the same time?

Bob Jones ( 2019-04-10 12:19:24 +0000 )

@Bob, no while in monitor mode, and yes in managed mode.

dizcza ( 2019-04-10 14:16:11 +0000 )

Making the capture file available would speed up analysis, but it may contain sensitive information. If this is a consistent problem - not just a single frame missing - I would suspect it's a capture issue. For whatever reason, the modulation used to send the particular frame you are looking for can't be picked up. Frame 8187 is an ACK, but I don't see a data frame. I don't know what filter you might have in place, nor all the MAC and IP mappings, to help deduce whether this is part of the missing exchange. Then we might need a second capture system to see if this frame is picked up there; maybe try a MacBook or a different capture adapter. Without the capture I can't tell what modulations/signal strengths are in play to know what may have happened here. But also your problem statement ...(more)

Bob Jones ( 2019-04-11 12:14:12 +0000 )
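The "TCP ACKed unseen segment" warning from Update 1 and Bob's observation that frame 8187 is an ACK without a matching data frame point the same way: the sniffer saw the server acknowledge bytes it never captured, so the POST body was lost on the capture side, not lost to decryption. A quick way to make that case without sharing the capture is to export a few fields with tshark and group them per TCP stream. The script below is an added example, not code from anyone in this thread. It assumes the tab-separated export shown in its docstring (the tshark invocation is an assumption to adapt to your Wireshark version) and runs on a constructed sample that mirrors the thread: a stream carrying the GET, and a second stream in which frame 8187 acknowledges data that is not in the file.

```python
"""Triage "TCP ACKed unseen segment" warnings in a decrypted 802.11 capture.

Added example, not code from the original thread. Reads a tab-separated tshark
field export and, per TCP stream, lists ACKs that reference data the capture
never contained next to the HTTP requests that were seen. A stream with
lost-segment ACKs and no POST indicates capture-side loss (the monitor
interface never received the data frame), not a decryption failure.

Assumed export command (adapt to your Wireshark version):
  tshark -r out-01.cap -o wlan.enable_decryption:TRUE \
      -o 'uat:80211_keys:"wpa-pwd","passphrase:SSID"' -Y tcp \
      -T fields -E separator=/t -E occurrence=f \
      -e frame.number -e tcp.stream -e tcp.analysis.ack_lost_segment \
      -e http.request.method -e http.request.uri
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample export (not a real capture). Stream 3 carries the GET;
# in stream 4 frame 8187 acknowledges a segment that was never captured,
# mirroring the frame number mentioned in the thread.
SAMPLE_EXPORT = """\
8101\t3\t\tGET\t/login.html
8102\t3\t\t\t
8185\t4\t\t\t
8186\t4\t\t\t
8187\t4\t1\t\t
8188\t4\t\t\t
"""


@dataclass
class StreamStats:
    frames: int = 0
    lost_segment_acks: list = field(default_factory=list)  # frame numbers
    requests: list = field(default_factory=list)           # "METHOD uri"


def parse_export(text: str) -> dict:
    """Group the five exported columns by tcp.stream."""
    stats = defaultdict(StreamStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        cols += [""] * (5 - len(cols))  # tolerate trimmed trailing columns
        frame, stream, lost, method, uri = cols[:5]
        s = stats[int(stream)]
        s.frames += 1
        # tcp.analysis.ack_lost_segment is a flag field: non-empty when set.
        if lost:
            s.lost_segment_acks.append(int(frame))
        if method:
            s.requests.append(f"{method} {uri}")
    return dict(stats)


def suspect_capture_loss(stats: dict) -> dict:
    """Streams where the peer ACKed data we never saw and no POST was decoded.

    Returns {tcp.stream: [frame numbers of the offending ACKs]}.
    """
    return {
        sid: s.lost_segment_acks
        for sid, s in stats.items()
        if s.lost_segment_acks
        and not any(r.startswith("POST ") for r in s.requests)
    }


def report(text: str) -> str:
    stats = parse_export(text)
    lines = []
    for sid in sorted(stats):
        s = stats[sid]
        lines.append(
            f"stream {sid}: {s.frames} frames, requests={s.requests or 'none'}, "
            f"acks for unseen data at frames {s.lost_segment_acks or 'none'}"
        )
    for sid, frames in suspect_capture_loss(stats).items():
        lines.append(
            f"stream {sid}: data acknowledged at {frames} is missing from the "
            f"capture -> capture-side loss, not a decryption problem"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EXPORT))
```

If a flagged stream never shows a POST while GETs in other streams decode fine, a second adapter or a capture position closer to the client is the next test, as Bob suggests; if instead the stream shows no HTTP at all in any frame, check that the site has not moved to HTTPS before blaming the capture.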

@Bob, thank you for helping me. The issue turned out not to be persistent. For whatever reason, yesterday I tried airodump-ng, Wireshark and tcpdump on aavtrain.com with no luck (I got used to testing on their site because they serve HTTP). Today I noticed that they had switched to HTTPS (I got suspicious when I stopped capturing any requests that I sent to them, including GET), so I switched to another test login page, and all three instruments I mentioned above worked well and were able to capture my GET and POST requests. I should have tried different domains in the first place. Now I'm not sure whether the issue was with aavtrain.com only or whether its behaviour is inconsistent. But in any event, I know that at least in some cases I can capture POST requests. I'm closing this issue.

dizcza ( 2019-04-12 08:27:22 +0000 )