Wireshark only capturing beacon frames
Here are a few possible reasons, in rough order of likelihood:
A common reason for not seeing other devices' unicast traffic in a monitor-mode packet trace is that you forgot to also set promiscuous mode.
Another common reason is that the traffic you were looking for wasn't on the channel you were sniffing on. This can happen if you have a dual-band concurrent AP and you were sniffing on its 2.4GHz channel but not its 5GHz channel. Or if your network is made up of more than one AP, and you were sniffing on the channel of one AP, while your target client was joining a different AP on a different channel.
Another reason could be that those other devices are communicating using a different flavor of 802.11 than what your sniffer card supports. For example, if your sniffer card is only 2x2:2 (2 spatial streams), it won't be able to capture packets sent using 3 spatial streams. Or if it's only capable of 20MHz-wide channels, it won't be able to capture packets that were sent using 40- or 80MHz-wide channels. If your card is only 802.11n, it won't be able to capture 802.11ac.
Another reason would be if your sniffer machine is not in range of the other devices whose traffic you were hoping to capture. "In range" is tricky because modern technologies like beamforming optimize the signal for the position where the intended recipient is; there's no guarantee that an unintended recipient nearby will receive enough signal strength to demodulate (that is, successfully receive, much less decrypt) the signals.
Related videos on Youtube
10 : 38
02 : 54
12 : 26
34 : 31
33 : 26
Josh
Updated on September 18, 2022Comments
-
Josh over 1 year
I am trying to sniff my own network to capture http traffic. On airodump my network security show "WPA - TKIP - PSK", so I went to Wireshark > Edit > Preferences > Protocols > IEEE 802.11 > Enabled encryption. And in the key fields I entered:
wpa-psk:the key i got from http://www.wireshark.org/tools/wpa-psk.html by entering my plain text pwd and ssid wpa-pwd:mypwd:my ssid wpa-pwd:mypwdThen I set my wireless adapter (awus036h) to monitor mode with airmon-ng start wlan0, wh ich brings up a new interface (mon0).
Then I launch Wireshark and start a new capture on mon0 interface, but all I get are beacon frames. I tried the filters wlan.addr == "my router's mac" and only see whats shown on this image:
The deauth packets sniffed comes from an aireplay attack I ran on myself to see if it would capture them. I even tried the filter just "http", and then I see no packets at all. And I am also connected on my laptop to the same router and browsing the internet at the same time I am sniffing.
What am I doing wrong?
-
Spiff about 10 yearsI should ask: Have you first confirmed that you can capture the encrypted data frames, when you don't enter keys?
-
