This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How can I capture HTTP on WLAN with AirPCap?

0

Hello all,

I am using Wireshark 1.12.0 and an AirPCap from Riverbed to analyze communication between a Wi-Fi device (it's an RN-171-EK, so I'll call it an RN-171 from here on out) and a server. I am not a network admin, so I am looking for some remedial assistance (read: I don't know what I'm doing).

I can capture some traffic between my RN-171 and my wireless router because I can see the MAC addresses of each in the source and destination fields. These packets are all categorized as "802.11" in the protocol field and the info in all of the packets is either QoS Data or Probe Request.

What I was expecting (hoping, really) to see was IP addresses in the source and destination fields and "HTTP" in the protocol field, with the actual calls to the web service and the response from the server in the Info field.

The RN-171 reports which channel it is using when it associates with my wireless network, so I adjust the channel I am monitoring appropriately. I have tried toggling the promiscuous mode and the "capture packets in pcap-ng format" settings, but I find I am blindly making changes because I don't know how to configure the Wireshark/AirPCap combo appropriately to see the actual HTTP traffic.

Can anyone help me with how to configure the settings to see HTTP traffic?

Thank you,

-Ted

asked 10 Sep '14, 05:51

Fiasco
16114
accept rate: 0%

1

Is the WLAN encrypted? If it is, you won't see anything useful like HTTP before decrypting it with the Decryption key.

(10 Sep '14, 06:23) Jasper ♦♦

Thank you Jasper.

The WLAN is indeed encrypted. I entered the SSID and Passphrase via the Decryption Keys Management window. I have double-checked the SSID and Passphrase and they are correct. And now triple-checked, just to make sure. I also have "Wireshark" selected as the decryption mode.

I should have mentioned this in the original post. I'm sure I've not mentioned much more, but I don't know what is important to take note of. Does it matter the version of winpcap (4.1.3) installed alongside the AirPCap software (also 4.1.3)?

(10 Sep '14, 06:41) Fiasco

Ok, I have to admit my WLAN analysis skills are quite limited - if everything works fine you should see decrypted traffic. If you don't there may be something wrong, but I'm no expert in troubleshooting WLAN traffic. Maybe someone else can help out here.

I think winpcap and AirPCap versions are fine.

(10 Sep '14, 06:51) Jasper ♦♦

Okay, thanks for trying Jasper.

(10 Sep '14, 06:53) Fiasco

One Answer:

2

In encrypted (AES/TKIP) scenarios you have to have the handshake from your wireless client with the access point inside the capture, because it contains random values which will be unique for the encryption key generation from the PSK.

Did you start your capture before connecting to the wireless network? Otherwise there is no way of decrypting the traffic. You can check by searching for EAPOL packets within the trace file, hinting at the key exchange.

answered 10 Sep '14, 08:32

Landi
2.3k51442
accept rate: 28%

Brilliant, Landi. That appears to have been my problem. I "thumbs up"ed your answer, but I don't see how to mark it as the solution.

Now that I've taken your advice, I think I remember reading that somewhere early on, but it slipped through the cracks with all the new information I was taking in at the time.

Thank you for setting me straight.

-Ted

(10 Sep '14, 10:58) Fiasco

I "thumbs up"ed your answer, but I don't see how to mark it as the solution.

That's because it wasn't an answer, it was just a comment. I've converted it to an answer (and moved your comment on it to be a comment on the answer), so you can now mark it as the solution.

(10 Sep '14, 11:30) Guy Harris ♦♦