This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark with CC3200 Launch Board


Hi,

I am trying to sniff the packets with airpcap that I send with the cc3200 mod launch board (Texas Instruments). It seems that the packets are sent (I can see in the terminal that the operation is successful), but I can see in Wireshark only 802.11 and not UDP (I would like to see the UDP traffic from the board to a smartphone). On the smartphone, the connection is OK and the server is running without problems. What is the problem?

asked 01 Apr '15, 05:31


Paolo Rossi

edited 06 Apr '15, 07:34


Bill Meier ♦♦

https://www.dropbox.com/s/7jvwxnl5zkf679f/Prova_forum.pcapng?dl=0
https://www.dropbox.com/s/kiu1xz2hnf41j4m/Prova_forum_2.pcapng?dl=0

I share the Dropbox links for the captures in Wireshark. Transmitter address: Texans 04:03:07 (5c:31:3e:04:03:07) Destination address: 8a:30:8a:4e:a6:6c (8a:30:8a:4e:a6:6c) I can see nothing about the UDP packets. There is only the procedure to establish the connection. What must I set in Wireshark to see the UDP packets? I tried to change the channel but the result is the same.

(06 Apr '15, 06:16) Paolo Rossi

One Answer:


The problem is probably that the traffic is on a "protected" network, and therefore encrypted, and either Wireshark doesn't know the password for the network or, if it's a WPA/WPA2 network, the capture doesn't include the initial "EAPOL handshake". Either of those would mean that Wireshark can't decrypt the traffic to discover that it's UDP (or TCP or...) traffic, and can't get past the 802.11 layer.

See the Wireshark Wiki "how to decrypt 802.11" page for more information.

answered 01 Apr '15, 15:51


Guy Harris ♦♦

Why protected? I don't use a password, the network is free, but maybe I don't know the basics of 802.11 transmission. You are saying that in each case, to decrypt the packets if I use 802.11, I need a key. It is strange, because for UDP transmission I don't need the connection. If you can explain it well, I would be very happy.

Thanks for the help

(02 Apr '15, 01:06) Paolo Rossi

Can you share a capture in a publicly accessible spot, e.g. CloudShark?

(02 Apr '15, 02:31) grahamb ♦

https://www.dropbox.com/s/7jvwxnl5zkf679f/Prova_forum.pcapng?dl=0
https://www.dropbox.com/s/kiu1xz2hnf41j4m/Prova_forum_2.pcapng?dl=0

I share the Dropbox links for the captures in Wireshark. Transmitter address: Texans 04:03:07 (5c:31:3e:04:03:07) Destination address: 8a:30:8a:4e:a6:6c (8a:30:8a:4e:a6:6c) I can see nothing about the UDP packets. There is only the procedure to establish the connection. What must I set in Wireshark to see the UDP packets? I tried to change the channel but the result is the same.

(06 Apr '15, 05:51) Paolo Rossi

@Paolo Rossi: I converted your answer to a comment, as that's how this Q&A site works. See FAQ.

(06 Apr '15, 06:10) Kurt Knochner ♦

FWIW (and not knowing too much about 802.11): In the first capture I see that many of the frames from 5c:31:.... have the "data is protected" flag set which I believe means that the data is encrypted.

In the second capture I don't see much of anything for 5c:31:... and 8a:30:... other than management and control frames. Correction: I don't see anything in the 2nd capture for (8a:30:8a:4e:a6:6c)

(06 Apr '15, 08:24) Bill Meier ♦♦

Hi Kurt Knochner, in the first capture you can see something from 5C:31...? I am looking at it now but I see only Probe requests. Are you sure?

How can I see the setting for the protected data?

(08 Apr '15, 06:40) Paolo Rossi

@Paolo Rossi: Again, your answer has been converted to a comment as that's how this site works. Please read the FAQ for more information.

(08 Apr '15, 08:03) Jaap ♦

Yes, I'm sure. See, for example, frame 838 in the first capture.

Note that in that frame (and some number following), the protected flag is set under QOS Data/Frame Control Field/Flags.

If you haven't done so, use a display filter for 'wlan.addr == 5c:31:3e:04:03:07' to select all the packets sent/received to that address.

(08 Apr '15, 15:07) Bill Meier ♦♦
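
The Protected flag discussed in the answer and comments above can also be read directly from the first two bytes of each 802.11 frame. The following is an added example, not part of the original thread: it decodes the Frame Control field and counts, for one station, how many data frames are protected (encrypted) versus clear. The sample frames are constructed, and the code assumes each frame starts at the 802.11 MAC header, with any radiotap or PPI header already stripped.

```python
# Added example (not from the thread): decode the 802.11 Frame Control field.
# Assumption: frames start at the MAC header (radiotap/PPI already stripped).
from collections import Counter

TYPES = {0: "management", 1: "control", 2: "data"}
PROTECTED = 0x40  # bit 6 of the flags byte: the frame body is encrypted

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_frame_control(frame):
    """Return type, subtype, Protected flag and the addresses in the header."""
    if len(frame) < 10:
        raise ValueError("too short for an 802.11 header")
    fc0, flags = frame[0], frame[1]
    return {
        "type": TYPES.get((fc0 >> 2) & 0x3, "extension"),
        "subtype": (fc0 >> 4) & 0xF,
        "protected": bool(flags & PROTECTED),
        "addr1": mac(frame[4:10]),
        # Short control frames such as ACK carry only addr1.
        "addr2": mac(frame[10:16]) if len(frame) >= 16 else None,
    }

def classify(frames, station):
    """Count frames to or from `station`, splitting data frames by encryption."""
    counts = Counter()
    for f in frames:
        info = parse_frame_control(f)
        if station not in (info["addr1"], info["addr2"]):
            continue
        if info["type"] == "data":
            counts["data/protected" if info["protected"] else "data/clear"] += 1
        else:
            counts[info["type"]] += 1
    return counts

# Constructed sample frames using the two MAC addresses quoted in the thread.
STA = bytes.fromhex("5c313e040307")
PEER = bytes.fromhex("8a308a4ea66c")
BCAST = b"\xff" * 6
SAMPLE_FRAMES = [
    bytes.fromhex("40000000") + BCAST + STA + BCAST + bytes(2),        # probe request
    bytes.fromhex("88412c00") + PEER + STA + PEER + bytes(4 + 16),     # QoS data, Protected set
    bytes.fromhex("08012c00") + PEER + STA + PEER + bytes(2) + b"\xaa\xaa\x03",  # data, clear
    bytes.fromhex("d4000000") + STA,                                   # ACK addressed to the station
]

if __name__ == "__main__":
    print(dict(classify(SAMPLE_FRAMES, "5c:31:3e:04:03:07")))
```

A capture where the station's data frames all fall under `data/protected` matches what the answer describes: Wireshark stops at the 802.11 layer until it can decrypt the frame bodies.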