
I am trying to sniff my own network to capture HTTP traffic. On airodump my network security shows "WPA - TKIP - PSK", so I went to Wireshark > Edit > Preferences > Protocols > IEEE 802.11 > Enabled encryption. And in the key fields I entered:

    wpa-psk:the key I got from http://www.wireshark.org/tools/wpa-psk.html by entering my plain-text pwd and SSID
    wpa-pwd:mypwd:my ssid
    wpa-pwd:mypwd

Then I set my wireless adapter (awus036h) to monitor mode with airmon-ng start wlan0, which brings up a new interface (mon0).

Then I launch Wireshark and start a new capture on the mon0 interface, but all I get are beacon frames. I tried the filter wlan.addr == "my router's mac" and only see what's shown on this image:

The deauth packets sniffed come from an aireplay attack I ran on myself to see if it would capture them. I even tried just the filter "http", and then I see no packets at all. And I am also connected on my laptop to the same router and browsing the internet at the same time I am sniffing.

What am I doing wrong?

  • I should ask: Have you first confirmed that you can capture the encrypted data frames, when you don't enter keys?
    – Spiff
    Commented Apr 21, 2014 at 21:07

2 Answers


Here are a few possible reasons, in rough order of likelihood:

  • A common reason for not seeing other devices' unicast traffic in a monitor-mode packet trace is that you forgot to also set promiscuous mode.

  • Another common reason is that the traffic you were looking for wasn't on the channel you were sniffing on. This can happen if you have a dual-band concurrent AP and you were sniffing on its 2.4GHz channel but not its 5GHz channel. Or if your network is made up of more than one AP, and you were sniffing on the channel of one AP, while your target client was joining a different AP on a different channel.

  • Another reason could be that those other devices are communicating using a different flavor of 802.11 than what your sniffer card supports. For example, if your sniffer card is only 2x2:2 (2 spatial streams), it won't be able to capture packets sent using 3 spatial streams. Or if it's only capable of 20MHz-wide channels, it won't be able to capture packets that were sent using 40- or 80MHz-wide channels. If your card is only 802.11n, it won't be able to capture 802.11ac.

  • Another reason would be if your sniffer machine is not in range of the other devices whose traffic you were hoping to capture. "In range" is tricky because modern technologies like beamforming optimize the signal for the position where the intended recipient is; there's no guarantee that an unintended recipient nearby will receive enough signal strength to demodulate (that is, successfully receive, much less decrypt) the signals.
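A capture triage along the lines of Spiff's comment and answer, as an added example that is not part of the original question or answers: it labels raw 802.11 frames by type/subtype, spots the unprotected EAPOL frames of the 4-way handshake, and reports whether the capture has no data frames at all (channel, promiscuous mode, PHY or range problem), data but no handshake (keys cannot be applied), or both. It assumes the standard 802.11 frame-control layout, frames without a radiotap header, and the constructed sample frames with placeholder MAC addresses defined at the bottom.

```python
import struct
from collections import Counter

# --- Assumed IEEE 802.11 frame-control layout (standard values, not from the page) ---
TYPE_MGMT, TYPE_CTRL, TYPE_DATA = 0, 1, 2
MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
                 8: "beacon", 11: "auth", 12: "deauth"}
FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"   # LLC/SNAP prefix ahead of the EtherType
ETHERTYPE_EAPOL = 0x888E                  # 802.1X: the 4-way handshake travels in these


def classify(frame: bytes) -> str:
    """Label one raw 802.11 frame (no radiotap header) by type/subtype."""
    if len(frame) < 24:
        return "truncated"
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3
    subtype = fc0 >> 4
    if ftype == TYPE_MGMT:
        return MGMT_SUBTYPES.get(subtype, "mgmt-%d" % subtype)
    if ftype == TYPE_CTRL:
        return "ctrl-%d" % subtype
    if ftype != TYPE_DATA:
        return "reserved"
    if subtype & 0x4:                      # null / QoS-null data: no payload
        return "data-null"
    hdr = 24
    if (fc1 & FLAG_TO_DS) and (fc1 & FLAG_FROM_DS):
        hdr += 6                           # 4-address (WDS) header
    if subtype & 0x8:
        hdr += 2                           # QoS control field
    if fc1 & FLAG_PROTECTED:
        return "data-protected"            # encrypted payload, EtherType not visible
    body = frame[hdr:]
    if len(body) >= 8 and body.startswith(LLC_SNAP):
        (ethertype,) = struct.unpack("!H", body[6:8])
        if ethertype == ETHERTYPE_EAPOL:
            return "eapol"
        return "data-0x%04x" % ethertype
    return "data-clear"


def triage(frames):
    """Count frame labels and say why decryption would or would not be possible."""
    counts = Counter(classify(f) for f in frames)
    has_data = any(k == "eapol" or k.startswith("data-") for k in counts)
    if not has_data:
        verdict = "no-data"             # only mgmt/ctrl seen: see the reasons in the answer above
    elif counts["eapol"] == 0:
        verdict = "no-handshake"        # a correct PSK is useless without the captured handshake
    elif counts["eapol"] < 4:
        verdict = "partial-handshake"   # the complete four-message exchange is the safe requirement
    else:
        verdict = "ok"
    return counts, verdict


# --- Constructed sample frames (placeholder, locally administered MAC addresses) ---
AP = bytes.fromhex("020000000001")
CLIENT = bytes.fromhex("020000000002")
BCAST = b"\xff" * 6


def _hdr(fc0, fc1, a1, a2, a3, seq=0):
    return bytes([fc0, fc1]) + b"\x00\x00" + a1 + a2 + a3 + struct.pack("<H", seq << 4)


BEACON = _hdr(0x80, 0x00, BCAST, AP, AP) + b"\x00" * 12          # timestamp/interval/caps placeholder
DEAUTH = _hdr(0xC0, 0x00, CLIENT, AP, AP) + b"\x07\x00"          # reason code 7 (constructed)
ENC_DATA = (_hdr(0x88, FLAG_TO_DS | FLAG_PROTECTED, AP, CLIENT, AP, seq=9)
            + b"\x00\x00" + bytes(range(24)))                      # QoS ctrl + opaque ciphertext


def eapol_msg(n):
    """Handshake message n: 1 and 3 go AP -> client (FromDS), 2 and 4 client -> AP (ToDS)."""
    if n in (1, 3):
        hdr = _hdr(0x08, FLAG_FROM_DS, CLIENT, AP, AP, seq=n)
    else:
        hdr = _hdr(0x08, FLAG_TO_DS, AP, CLIENT, AP, seq=n)
    return hdr + LLC_SNAP + struct.pack("!H", ETHERTYPE_EAPOL) + b"\x02\x03\x00\x00"


def beacons_only():
    """What the question describes: beacons plus the self-inflicted deauth, nothing else."""
    return [BEACON] * 3 + [DEAUTH]


def full_capture():
    """A capture Wireshark could decrypt: handshake plus protected data frames."""
    return beacons_only() + [eapol_msg(n) for n in (1, 2, 3, 4)] + [ENC_DATA] * 5


if __name__ == "__main__":
    for name, frames in (("beacons only", beacons_only()), ("full capture", full_capture())):
        counts, verdict = triage(frames)
        print(name, dict(counts), "->", verdict)
```

To run this over a real mon0 capture, strip the radiotap header first: its total length sits in bytes 2 and 3 (little-endian), so `frame[struct.unpack("<H", frame[2:4])[0]:]` yields the 802.11 frame that `classify` expects. A verdict of "no-data" on your own capture points at the first three causes above rather than at the key fields.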


I have not witnessed this behaviour, so in a way you might well say I do not know what I am talking about.

However, I own the same network card, and I have seen it behaving erratically on many occasions. In particular, it worked satisfactorily under BT, but very erratically under Kali. Strange, you might say, given that the drivers are connected to the kernel, not the distro, yet this is exactly my experience.

What I can suggest is first to use aircrack-ng before trying Wireshark, because it provides some more informative error messages. Then, to kill the programs airmon-ng complains about when you place the card in monitor mode (typically network-manager, dhclient, avahi-daemon). Lastly, to perform the usual injection test,

 aireplay-ng -9 wlan0

because of course this is the ultimate test in the adequacy of the driver.
