3

Lately I have been trying to analyze WiFi traffic over my own test router. I looked on the Wireshark website for how to do this and set up my own testing network.

My network:

  • DD-WRT router with WPA2 Personal mixed security using TKIP+AES.

  • Kali Linux capture machine with Wireshark 1.8.5

  • Android phone for producing traffic

I then put the wireless interface of my Kali laptop into monitor mode using airmon-ng:

airmon-ng start wlan0

To check if the created monitor interface (mon0) worked I would use airodump-ng. When I knew that my monitor interface was working, I started up Wireshark. I selected mon0 as the capture interface and pressed Options. In Capture Options I put the MAC address of my router, which I got through airodump-ng, in the capture filter area.

I then would take care of the packet decryption that would be needed for me to see the actual data. I went to the following webpage: http://wiki.wireshark.org/HowToDecrypt802.11

I followed the instructions there. (Only the way I need to put in the decryption keys is different from the key#1 system that is described on the page. I get a new window in which I need to select a security method, wep, wpa-pwd or wpa-psk, and input the key.) I used the Wireshark WPA PSK generator tool to get the right pre-shared key.

http://www.wireshark.org/tools/wpa-psk.html

Essid: "testnet"

Password: "wachtwoord"

psk: 33fe484e651381b15859e539279f2991c0f5e5e751ef17f82104d4ad528718ca

I put in 2 new keys. One being wpa-pwd with wachtwoord as its value. The second being wpa-psk with the psk mentioned above as its value.

I applied all the settings, and checked the enable decryption checkbox.

So I clicked the start capture button and saw a whole bunch of beacon frames rolling in. I associated my Android phone with the AP so I knew I captured the EAPOL packets (I checked this using the filter and I had all 4 packets).

After filtering with "data", I saw that I didn't capture any data packets.

I then expected to see the actual traffic, but this was not the case. airdecap-ng did not see any WPA packets in the capture file.

My only theory left after hours of puzzling is lack of driver support. Please tell me what I am doing wrong?

Thank you!

tl;dr: My computer does not capture 802.11 wpa2 data packets, and I can't figure out why.

3
  • 1
    I'm not entirely sure what you're doing, but DD-WRT (and other firmwares) will separate WiFi traffic from LAN traffic (isolation) in an attempt to prevent snooping.
    – earthmeLon
    Commented Jul 31, 2013 at 19:56
  • all the machines are on the wireless network.
    – user242329
    Commented Jul 31, 2013 at 20:02
  • What @earthmeLon means is that WiFi nodes cannot talk to other WiFi nodes. It is a feature to make coffee shops safer.
    – rjt
    Commented Jun 14, 2014 at 8:48
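
The PSK generator step in the question can be checked offline. This is an added example, not part of the original post: it uses the standard WPA/WPA2-Personal derivation (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32-byte output), and the function names `derive_psk` and `psk_matches` are hypothetical.

```python
import hashlib
import string


def derive_psk(passphrase: str, ssid: str) -> str:
    """Return the 256-bit WPA/WPA2-Personal PSK as 64 lowercase hex digits."""
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    # A 64-hex-digit input is already a raw PSK, not a passphrase.
    if len(passphrase) == 64 and all(c in string.hexdigits for c in passphrase):
        return passphrase.lower()
    # Passphrases are 8-63 printable ASCII characters.
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8-63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid_bytes, 4096, 32)
    return key.hex()


def psk_matches(passphrase: str, ssid: str, psk_hex: str) -> bool:
    """Check a PSK (e.g. one pasted into a wpa-psk key entry) against the
    value derived from the passphrase and SSID."""
    return derive_psk(passphrase, ssid) == psk_hex.strip().lower()


if __name__ == "__main__":
    # Values as posted in the question above.
    essid = "testnet"
    password = "wachtwoord"
    posted_psk = "33fe484e651381b15859e539279f2991c0f5e5e751ef17f82104d4ad528718ca"
    print("derived PSK :", derive_psk(password, essid))
    print("posted PSK  :", posted_psk)
    print("match       :", psk_matches(password, essid, posted_psk))
```

The SSID is case-sensitive and acts as the salt, so a PSK generated for a mistyped network name will not decrypt the capture even when the passphrase is right.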

1 Answer

2

If your capture filter has the MAC address of your router's wireless interface, then you won't see any data packets from your clients. Your clients only talk to the router's wireless interface MAC address during association/authentication. From then on, they will talk to the MAC of the device they're trying to talk to or the MAC address of your router's routing interface.
