Wireshark only captures packets to or from this device

Question

I use wireshark on ubuntu 14.04 and I am trying to sniff wifi traffic of other devices in my network. I run wireshark or tshark on wlan0, start capturing packets and send some pings or open some pages on my phone, but my ubuntu laptop doesn't capture that - it only sees packages from its own ip to other ip addresses, from other ip addresses to its own ip, and broadcast packets.

Manually turning on promiscuous mode for wlan0 using sudo ip link set wlan0 promisc on doesn't help.

It looks like my wifi adapter is able to use both promiscuous mode and monitor mode because I can do sudo airmon-ng start wlan0 and a new mon0 interface will appear and I can capture its packages with wireshark, however that's not what I need. Those packages on mon0 are all of protocol 802.11 and not tcp, icmp, etc. as on wlan0.

Update

I decided to eliminate the possibility that it's ubuntu's NetworkManager or some other stuff interfering with wireshark, so I tried kali linux.

Here are the exact steps I use:

1. Load kali linux
2. Connect to my home network using gnome wireless networks widget thing.
3. Run wireshark, press Capture Options, check wlan0, check that Prom. Mode is enabled and Mon. Mode is disabled, leave everything else on default
4. Press Start
5. Ping the ip address of my kali linux laptop from my phone
6. Notice that I can see ICMP packets from my phone's IP address to my kali laptop IP and vice-versa
7. Ping 8.8.8.8 from my phone
8. Notice that I can't see any packets from my phone's IP to anywhere but I can see packets of LLC protocol from "Netgear_d9:19:e8" (that's my router I guess) to "SamsungE_2d:ad:da" (that's my phone I guess)

Answer 1

I believe you could solve your problem with airmon-ng (this should be installed by default on Kali).

Answer provided by Kurt Knochner on ask.wireshark.org Source

---

ifconfig -a

Do you see a wlan0 or wlan1 interface?

If no, your wireless card is not recognized by your kernel and there is nothing Wireshark can do about it. Stop here and ask the the people in the user forum of your Linux distribution (Ubuntu, Fedora, etc.) how to add a working driver for your wireless card.

If you do see wlan0/1, proceed with

sudo airmon-ng start wlan0 

or

sudo airmon-ng start wlan1

depending on which wireless interface you want to capture. That command should report the following message:

monitor mode enabled on mon0

Now, capture on mon0 with tcpdump and/or dumpcap.

sudo tcpdump -ni mon0 -w /var/tmp/wlan.pcap

or

sudo dumpcap -ni mon0 -w /var/tmp/wlan.pcap

Then open that file with Wireshark

wireshark -nr /var/tmp/wlan.pcap

Answer 2

Promiscuous mode rarely, if ever, does what you want on Wi-Fi devices; you'll have to capture in monitor mode. (No, there is no workaround here.)

Those packages on mon0 are all of protocol 802.11

That's because you're on an protected network, using WEP or WPA/WPA2 encryption. You will have to provide Wireshark with the password for the network and, for networks using WPA/WPA2 (which most protected networks do), you will have to, for each of the devices whose traffic you want to decrypt, force them to disconnect from the network and reconnect to the network after you start capturing, so you capture the initial EAPOL handshake. For a phone or tablet, turning them off and on again should suffice; for a laptop, closing the lid and reopening it should suffice. (You want to put them to sleep and have them wake up again.)

See the Wireshark wiki's "How to decrypt 802.11" page for details.