Spiff

Using Wireshark to capture unicast traffic between two other devices on an 802.11 network requires using 802.11 monitor mode, which is tricky to pull off. If you were only capturing in promiscuous mode (which is common for wired Ethernet packet captures on hubs or via port mirroring on managed switches), then you wouldn't have seen any unicast traffic to/from other wireless devices.

You should read up on the Wireshark site about how to do 802.11 monitor mode packet captures, and how to decrypt the unicast data frames you capture, if the network uses WPA2-PSK (or original WPA-PSK or even WEP).

Here are some highlights of what you need to deal with:

  • In your Wireshark machine, you must have a WNIC and driver that supports 802.11 monitor mode.
  • Your monitor-mode-capable WNIC must support all the same flavors of 802.11 transmissions that your AP and the target wireless device (your phone) support. For example, if your AP and phone both support 802.11ac, but your monitor mode WNIC doesn't, it won't be able to receive those 802.11ac transmissions. Even if all three devices support 802.11ac, if the AP and phone support, say, 2 spatial streams (a.k.a. "2x2:2"), but your monitor mode WNIC only supports 1 spatial stream (1x1:1), then your Wireshark machine won't be able to see anything your phone or AP transmit using 2 spatial streams.
  • If your Wireshark machine is too far from the AP and wireless client, it might not get enough signal strength to be able to receive the packets reliably.
  • If your car's AP uses WPA2-PSK (or original WPA-PSK), and you have no option to disable security, then in order to decrypt traffic to/from the phone, you must capture the WPA2-PSK 4-way handshake that happens when the phone joins the network. Capturing that handshake, and knowing the PSK or passphrase for the network, allows you to decrypt all of the packets you capture from that session. But if the phone falls asleep or otherwise leaves and rejoins the network, that's a new session and you'll need to be sure to capture the WPA2 4-way handshake for that new session if you want to decrypt any of the packets from that new session.
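As an added illustration of the last two points (this is my code, not part of Spiff's answer), the Python below walks a list of raw 802.11 data frames, picks out the EAPOL-Key messages, sorts them into per-client 4-way handshake sessions, and reports for each session whether it holds both nonces needed to derive the pairwise key, which is what a decryptor ultimately needs. It assumes frames have already had any radiotap/PPI header stripped (24-byte 802.11 header, optional QoS field, LLC/SNAP, EAPOL), and the "decryptable" test is my own necessary condition taken from the PTK derivation (ANonce from message 1 or 3 plus SNonce from message 2), not a replica of Wireshark's rules. The sample frames and MAC addresses are constructed for the example, not captured.

```python
"""Per-station inventory of WPA2-PSK 4-way handshakes in raw 802.11 data frames.
Added example, not from the original answer; sample frames below are constructed, not captured."""
import struct
from dataclasses import dataclass, field
from typing import Optional

LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")
KI_PAIRWISE, KI_INSTALL, KI_ACK, KI_MIC = 0x0008, 0x0040, 0x0080, 0x0100  # Key Information bits

def classify(key_info: int, key_data_len: int) -> Optional[int]:
    """Map EAPOL-Key Key Information bits to 4-way handshake message 1-4 (None if not pairwise)."""
    if not key_info & KI_PAIRWISE:
        return None                       # group-key handshake, not the 4-way
    ack, mic, install = key_info & KI_ACK, key_info & KI_MIC, key_info & KI_INSTALL
    if ack and not mic:
        return 1
    if ack and mic and install:
        return 3
    if mic and not ack and not install:
        return 2 if key_data_len else 4   # msg 2 carries the RSN IE, msg 4 has no key data
    return None

def parse_eapol_key(frame: bytes):
    """Return (bssid, sta, msg, nonce, replay_counter) for an EAPOL-Key data frame, else None."""
    if len(frame) < 24 or frame[0] & 0x0C != 0x08:   # frame type bits 0b10 = data
        return None
    hdr_len = 26 if frame[0] & 0x80 else 24          # QoS data subtypes add a 2-byte QoS field
    to_ds, from_ds = frame[1] & 0x01, frame[1] & 0x02
    if bool(to_ds) == bool(from_ds):
        return None                                  # IBSS or WDS addressing: not handled here
    bssid, sta = (frame[4:10], frame[10:16]) if to_ds else (frame[10:16], frame[4:10])
    eapol = frame[hdr_len + 8:]
    if frame[hdr_len:hdr_len + 8] != LLC_SNAP_EAPOL or len(eapol) < 99 or eapol[1] != 3:
        return None                                  # not an EAPOL-Key (type 3, 95-byte body)
    key = eapol[4:]
    key_info, replay = struct.unpack(">H", key[1:3])[0], struct.unpack(">Q", key[5:13])[0]
    nonce, key_data_len = key[13:45], struct.unpack(">H", key[93:95])[0]
    msg = classify(key_info, key_data_len)
    return None if msg is None else (bssid.hex(":"), sta.hex(":"), msg, nonce, replay)

@dataclass
class Session:
    bssid: str
    sta: str
    messages: dict = field(default_factory=dict)     # msg number -> last replay counter seen
    anonce: Optional[bytes] = None                   # from msg 1 or 3
    snonce: Optional[bytes] = None                   # from msg 2

def inventory(frames):
    """Group EAPOL-Key frames into per-station handshake sessions, in capture order."""
    sessions = {}
    for bssid, sta, msg, nonce, replay in filter(None, map(parse_eapol_key, frames)):
        lst = sessions.setdefault(sta, [])
        cur = lst[-1] if lst else None
        seen = None if cur is None else cur.anonce if msg in (1, 3) else cur.snonce if msg == 2 else None
        # Msg 4 already seen, or a changed nonce: the phone left and rejoined with a fresh PTK.
        # A retransmitted msg 1 carrying the same ANonce stays in the same session.
        if cur is None or 4 in cur.messages or (seen is not None and seen != nonce):
            cur = Session(bssid, sta)
            lst.append(cur)
        cur.messages[msg] = replay
        if msg in (1, 3):
            cur.anonce = nonce
        elif msg == 2:
            cur.snonce = nonce
    return sessions

def report(frames):
    """Per session: (sta, session no., messages seen, decryptable, all four captured)."""
    # Decryptable = both nonces present, since PTK = PRF(PMK, ANonce, SNonce, AA, SPA) (my heuristic)
    return [(sta, i, sorted(s.messages), s.anonce is not None and s.snonce is not None,
             set(s.messages) == {1, 2, 3, 4})
            for sta, lst in inventory(frames).items() for i, s in enumerate(lst, 1)]

def build_eapol_key(bssid, sta, to_ap, key_info, nonce, replay, key_data=b""):
    """Constructed test helper: a minimal 802.11 data frame carrying one EAPOL-Key message."""
    a1, a2 = (bssid, sta) if to_ap else (sta, bssid)
    hdr = bytes([0x08, 0x01 if to_ap else 0x02, 0, 0]) + a1 + a2 + bssid + bytes(2)
    key = (bytes([2]) + struct.pack(">HH", key_info, 16) + struct.pack(">Q", replay)
           + nonce + bytes(48) + struct.pack(">H", len(key_data)) + key_data)
    return hdr + LLC_SNAP_EAPOL + bytes([2, 3]) + struct.pack(">H", len(key)) + key

# Constructed sample: one car AP, one phone; 0x008a/0x010a/0x13ca/0x030a are the usual
# Key Information words of messages 1-4 with descriptor version 2.
AP, PHONE = bytes.fromhex("02aabbcc0001"), bytes.fromhex("02112233aabb")
A1, S1, A2, S2, S3 = (bytes([i]) * 32 for i in (0x11, 0x22, 0x33, 0x44, 0x55))
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
SAMPLE_FRAMES = [
    build_eapol_key(AP, PHONE, False, 0x008A, A1, 1),             # session 1: msg 1
    build_eapol_key(AP, PHONE, False, 0x008A, A1, 2),             # msg 1 retransmitted, same ANonce
    build_eapol_key(AP, PHONE, True, 0x010A, S1, 2, RSN_IE),      # msg 2
    build_eapol_key(AP, PHONE, False, 0x13CA, A1, 3, bytes(56)),  # msg 3 (GTK key data stubbed)
    build_eapol_key(AP, PHONE, True, 0x030A, bytes(32), 3),       # msg 4: session complete
    build_eapol_key(AP, PHONE, False, 0x008A, A2, 1),             # session 2: phone rejoined
    build_eapol_key(AP, PHONE, True, 0x010A, S2, 1, RSN_IE),
    build_eapol_key(AP, PHONE, False, 0x13CA, A2, 2, bytes(56)),  # msg 4 missed: still decryptable
    build_eapol_key(AP, PHONE, True, 0x010A, S3, 1, RSN_IE),      # session 3: msgs 1 and 3 missed
    build_eapol_key(AP, PHONE, True, 0x030A, bytes(32), 2),       # no ANonce: cannot decrypt
]
```

Running `report(SAMPLE_FRAMES)` yields three sessions for the phone: the first complete, the second missing message 4 but still holding both nonces, and the third (only messages 2 and 4 heard, as happens when the sniffer is out of range of the AP) with no ANonce at all, which is the "you have to catch the handshake for each new session" point above in concrete form. Feeding it real data means exporting the data frames from a monitor-mode capture and stripping the radiotap header first.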