This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can' t see http traffic in monitor mode.

0

I used airmon to create monitor interface, when i starting interface monitoring in wireshark i can see only probes, beacons and QoS exchanges. I'm actually testing from two laptops.

asked 11 Feb '14, 06:10

Emiliano%20Riva's gravatar image

Emiliano Riva
11113
accept rate: 0%

Some questions:

  • what is your OS and OS version of the Wireshark system?
  • what is your Wireshark version?
  • how do you capture the traffic (with Wireshark, or other tools)?
  • on which interface do you capture (wlan0 or mon0)?
  • is it possible to post a sample capture file somewhere (google drive, dropbox, cloudshark.org)?
(11 Feb '14, 06:37) Kurt Knochner ♦

Thanks for your reply, i'm on ubuntu 13.10 with b43 drivers for b4312 chipset, actually i'm capturing traffic with Wireshark Version 1.10.2 on mon0 interface created with airmon-ng. GemetekTe is my laptop EdimaxTe my desktop

https://dl.dropboxusercontent.com/u/75167669/capture.txt this is the link of a captured text with Tshark.

alt text

(11 Feb '14, 07:48) Emiliano Riva

Now that i have disabled wpa2 from the router i can see also other packages. Can' t Wireshark work with encrypted data? I tried to enable decription and then i set one key resulting in my litteral password, is this correct?

(11 Feb '14, 10:15) Emiliano Riva

One Answer:

0

Can' t Wireshark work with encrypted data?

Sure, see the Wireshark Wiki page on decrypting 802.11 traffic.

This question comes up a lot though so search for other questions and answers.

answered 11 Feb '14, 14:16

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

edited 14 Feb '14, 18:03

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196

So, thanks for reply, i tested to decrypt the example in the bottom of the page and it work properly, but not with traffic in my network.

This is my level of encryption:

IE: IEEE 802.11i/WPA2 Version 1 Group Cipher : TKIP Pairwise Ciphers (2) : TKIP CCMP Authentication Suites (1) : PSK Preauthentication Supported

I have capture the four EAPOL required.

What am I doing wrong?

(14 Feb '14, 15:40) Emiliano Riva

What does it do instead of working correctly? Does it still show the data packets as just data, rather than decrypting them? Does it decrypt them but give garbage data? Does it do something else?

(14 Feb '14, 18:04) Guy Harris ♦♦

Yes,packets are showed only as data, I solved disabling Protection bit and initialization vector.

(15 Feb '14, 03:50) Emiliano Riva