This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can not capture tcp packets (rt2800usb driver)

0

Hi everybody

I am using an Alfa AWUS036H USB Wi-Fi device with Arch Linux (kernel 4.3.3) to capture Wi-Fi traffic. I have set up an open access point which should be easy to sniff. I tried for many days but couldn't catch any TCP data. There were numerous protocols like 802.11 broadcasts, NBNS, UDP, ICMPv6, ARP, SSDP, LLMNR etc. but no TCP.

Then I booted a live kali cd and repeated the same procedure exactly. This time everything worked fine and there was plentiful tcp traffic.

My question is: While both Arch and Kali systems are using the same driver (rt2800usb), why can't I capture tcp on Arch?

Regards



edit:

Just tested everything once again. Both Kali and Arch are using version 2.3.0 of the rt2800usb driver. I put the device in monitor mode using 'airmon-ng start wlan0'. Then I start capturing data using 'airodump-ng wlan0mon' so I start seeing info about nearby access points. At this stage I start data capture in Wireshark. From here onwards, Kali gives loads of TCP data but Arch doesn't capture a single TCP packet.

asked 10 Jan '16, 10:30

fulcrumm
accept rate: 0%

edited 10 Jan '16, 14:48


One Answer:

0

> My question is: While both Arch and Kali systems are using the same driver (rt2800usb), why can't I capture tcp on Arch?

If you really (really) repeated the EXACT same procedure on both systems, the only logical answer would be: the driver version in Arch Linux and Kali is different, and that's the reason why it fails on Arch and works on Kali.

Regards
Kurt

answered 10 Jan '16, 13:08

Kurt Knochner ♦
accept rate: 15%

Please see the updated post.

(10 Jan '16, 14:48) fulcrumm

O.K. then maybe different versions of libpcap, Wireshark or even airodump-ng?

(11 Jan '16, 08:08) Kurt Knochner ♦

Yes, Kali and Arch were using different versions of all of this software. It took hours but I was finally able to install the same versions on Arch as those on Kali (libpcap 1.6.2, aircrack-ng 1:1.2-2-rc2, wireshark 1.12.6). Still no luck capturing any TCP.

(13 Jan '16, 05:07) fulcrumm

O.K. one last thing. Can you please check TCP offloading in both kernels?

ethtool -k

Is there any difference that could explain the behaviour?

(13 Jan '16, 05:12) Kurt Knochner ♦
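
One way to do the comparison asked for in the last comment, as an added example that is not part of the original thread: save the `ethtool -k` output from each system to a file and list only the features whose state differs. The interface argument, the file names and the `offload_diff` helper are assumptions, and the two sample outputs are constructed.

```shell
#!/bin/sh
# Capture on each system first (interface name taken from the question):
#   ethtool -k wlan0mon > kali.txt     # on Kali
#   ethtool -k wlan0mon > arch.txt     # on Arch

# offload_diff FILE_A FILE_B (hypothetical helper):
# print every feature whose on/off state differs between the two outputs.
offload_diff() {
    awk '
        FNR == 1 { nfile++ }                   # count which input file we are in
        /^Features for / { next }              # header line, not a feature
        {
            line = $0
            sub(/^[ \t]+/, "", line)           # sub-features are tab-indented
            sep = index(line, ": ")
            if (sep == 0) next
            name = substr(line, 1, sep - 1)
            split(substr(line, sep + 2), f, " ")   # f[1] is on/off; "[fixed]" is ignored
            if (nfile == 1) { a[name] = f[1] } else { b[name] = f[1] }
        }
        END {
            for (n in a) {
                if (!(n in b)) { print n ": " a[n] " -> (absent)" }
                else if (a[n] != b[n]) { print n ": " a[n] " -> " b[n] }
            }
            for (n in b) {
                if (!(n in a)) { print n ": (absent) -> " b[n] }
            }
        }
    ' "$1" "$2" | sort
}

# Constructed sample outputs (not taken from the thread).
tmp=$(mktemp -d)
printf '%b\n' "Features for wlan0mon:" \
    "rx-checksumming: off [fixed]" \
    "tcp-segmentation-offload: off" \
    "\ttx-tcp-segmentation: off [fixed]" \
    "generic-receive-offload: on" > "$tmp/kali.txt"
printf '%b\n' "Features for wlan0mon:" \
    "rx-checksumming: off [fixed]" \
    "tcp-segmentation-offload: off" \
    "\ttx-tcp-segmentation: off [fixed]" \
    "generic-receive-offload: off" \
    "tx-nocache-copy: off" > "$tmp/arch.txt"

offload_diff "$tmp/kali.txt" "$tmp/arch.txt"
```

Empty output means the two systems report identical offload settings for that interface.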