I have a wireless card (ALFA AWUS036H) in monitor mode (with airmon-ng start wlan0) on my Debian machine. In Wireshark, in "capture options", all my interfaces are in promiscuous mode.

The test network is a Wi-Fi network protected by WEP (I have the key).

In Wireshark, I only see information packets (Probe requests, beacon frames, etc.), but no "real" traffic, even if I'm using the network with another device connected to the network. I tried to follow the official documentation ( https://wiki.wireshark.org/HowToDecrypt802.11 ), but I can't see the "Decryption Keys…" button (part "Adding Keys: Wireless Toolbar"). And I thought that I could see the non-decrypted traffic nevertheless, which is not the case.

So how can I see the traffic and decrypt it? Ultimately, I want to use scapy, so I'm open to suggestions with scapy and/or Wireshark.

1 Answer

2

You need to make sure your capture card is capable of every flavor of signal modulation that the target devices can use. Your AWUS036H is a B/G device. If your target AP and client (the devices whose traffic you want to capture) are 802.11a-, 802.11n-, or 802.11ac-capable devices, your B/G card won't be able to capture their traffic.

Even just looking for, say, "802.11ac" isn't enough, as there are variations of 802.11ac that not all devices support: 2, 3, 4 and more spatial streams; 80MHz, 80+80, and 160MHz-wide channels; MCS 8 and 9 (256-QAM), various channels that are legal/illegal in different countries, that equipment designed for different countries may or may not support, and more.

You must also make sure your capture device is positioned "in between" the target AP and the target client. That is, where it can receive transmissions from the target AP at least as well as the target client can, and where it can receive transmissions from the target client at least as well as the target AP can.

You also need to make sure your interface is in both monitor mode and promiscuous mode (those two settings can be orthogonal; don't assume that monitor mode implies promiscuous mode on your hardware/driver), but it sounds like you already took care of that.

6
  • I already use the card for classical attacks (with the aircrack suite), so I assume it's compatible with the Wi-Fi signal. And it is positioned next to the AP (there is like 30cm between them, it should be ok).
    – Shan-x
    Commented Apr 5, 2016 at 7:18
  • @Shan-x Wait, are you trying to capture your Debian box's own traffic, or some other client's traffic? Because if you're trying to capture some other client's traffic, then what I said still applies. If the target client is N-capable, and the AP is N-capable, they will talk to each other using N modulation schemes that your old B/G card has no hope of being able to demodulate. It simply lacks the radio hardware to deal with N.
    – Spiff
    Commented Apr 5, 2016 at 7:34
  • In the configuration of the router, I have Band: 2.4GHz (802.11B/g), so it should be ok, right? The router is a Trendnet TEW-670AP.
    – Shan-x
    Commented Apr 5, 2016 at 8:24
  • 1
    @Shan-x That TRENDnet TEW-670AP is a concurrent dual-band device. If the target client (the client whose traffic you want to capture) is 5GHz-capable, it could be joining your TEW-670AP's 5GHz BSS, making your 2.4GHz-only ALFA dongle unable to see it.
    – Spiff
    Commented Apr 18, 2016 at 16:58
  • You should make it an answer, and I could give you points for it. ;)
    – Shan-x
    Commented Apr 19, 2016 at 7:41
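
An added example, not part of the original answer or comments: beacons like the ones the asker already sees state whether the BSS advertises 802.11n/ac, the case in which the answer says a B/G card will miss data frames. It is stdlib-only Python; `beacon_phy` and `sample_beacon` are hypothetical names, the sample frame is constructed, and frames are assumed to carry a radiotap header and no trailing FCS.

```python
import struct

# IEEE 802.11 element IDs: SSID, DS Parameter Set, HT / VHT Capabilities
SSID, DS_PARAM, HT_CAP, VHT_CAP = 0, 3, 45, 191

def beacon_phy(frame: bytes):
    """Summarise a radiotap-prefixed beacon/probe response; None for other frames."""
    if len(frame) < 4:
        return None
    rt_len = struct.unpack_from("<H", frame, 2)[0]    # radiotap header length
    dot11 = frame[rt_len:]
    if len(dot11) < 36:                               # 24 B MAC header + 12 B fixed
        return None
    ftype, subtype = (dot11[0] >> 2) & 0x3, (dot11[0] >> 4) & 0xF
    if ftype != 0 or subtype not in (5, 8):           # probe response / beacon only
        return None
    capab = struct.unpack_from("<H", dot11, 34)[0]    # capability information field
    info = {"bssid": dot11[16:22].hex(":"), "ssid": "", "channel": None,
            "ht": False, "vht": False, "privacy": bool(capab & 0x0010)}
    pos = 36
    while pos + 2 <= len(dot11):                      # walk the tagged elements
        eid, elen = dot11[pos], dot11[pos + 1]
        body = dot11[pos + 2:pos + 2 + elen]
        if len(body) < elen:
            break                                     # truncated capture
        if eid == SSID:
            info["ssid"] = body.decode("utf-8", "replace")
        elif eid == DS_PARAM and elen == 1:
            info["channel"] = body[0]
        elif eid == HT_CAP:
            info["ht"] = True                         # 802.11n rates possible
        elif eid == VHT_CAP:
            info["vht"] = True                        # 802.11ac rates possible
        pos += 2 + elen
    return info

def sample_beacon(ssid: bytes, channel: int, ht: bool) -> bytes:
    """Constructed frame (not captured traffic): minimal radiotap + beacon."""
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)       # version, pad, length, present
    bssid = bytes.fromhex("020000000001")             # made-up, locally administered
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0011)  # interval, ESS + Privacy
    ies = bytes([SSID, len(ssid)]) + ssid + bytes([DS_PARAM, 1, channel])
    if ht:
        ies += bytes([HT_CAP, 26]) + b"\x00" * 26
    return radiotap + hdr + fixed + ies

if __name__ == "__main__":
    print(beacon_phy(sample_beacon(b"lab-wep", 6, ht=True)))
```

If `ht` or `vht` is true for the BSS, capable clients may exchange data at rates a B/G adapter cannot demodulate, even though its beacons remain visible.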
