Why can't I capture other devices' packets on the Wi-Fi network?

At the ethernet packet level, I can only see packets between my router and my computer. At the IP address level, I can only see packets with my computer's IP address as either the destination or source address. I can't see any communications between the router and another computer (at the ethernet packet level) or between any 2 other computers on my network (at the IP address level). And this is despite the fact that I put a tick in the check box for promiscuous mode, for my wi-fi adapter in the Wireshark adapters settings, and made sure to select that adapter as my capture adapter. And yes, I'm using the latest NPCap driver installed by the Wireshark installer.

I'm not sure what's wrong. I'm guessing it may have something to do with the fact that my router is using WPA2 encryption, instead of being unencrypted (like an "open" wireless network). Or maybe I need to use a wired connection (rather than wireless connection) when connecting my packet inspection computer to the router. Can anybody here tell me what's wrong? And how do I fix it?

Ben321
asked 2019-07-05 21:48:38 +0000
Guy Harris
updated 2024-06-07 02:29:00 +0000

Comments

Hello everyone. I have similar issues that just did not occur in the past. Before, I could packet sniff easily, and then for a long time I didn't use it. Now, with 2 different Alfa adapters (I heard that the Atheros chipset was better to use, so I bought it), neither works in Ubuntu, using monitor mode etc. Recently I have wondered if it is possible to sniff with Windows 10. Again no luck, and I tried another packet sniffer (NetworkMiner). I installed Ncap Drivers, which did not work, so I tried a TP-Link driver, and it worked normally, but I still cannot sniff in monitor mode and promiscuous mode.

I have been checking the internet for a few months now, and nobody seems to be able to solve the problem.

Anyways, thanks for your time and responses.

va3ham (2024-06-06 23:42:54 +0000)

2 Answers


To see packets between other devices and the Access Point you'll need to enable "Monitor Mode". See the Wiki page on WLAN capturing for more info, noting the fact that it might not work on Windows.

grahamb
answered 2019-07-05 22:40:25 +0000

Comments

Then what's the difference between Promiscuous Mode and Monitor Mode?

I had assumed that Monitor Mode was not needed to capture packets on the same router as the packet sniffing computer, and that only Promiscuous Mode was needed for that.

Furthermore, I had assumed that Monitor Mode was only needed to capture packets to networks you were not connected to, that is not connecting to any network at all and simply "sniffing" wifi packets out of the air and capturing them as raw wifi packets (and then from there capturing the ethernet packets within, and deeper layers if available, assuming that the wifi packet itself was not encrypted which would otherwise prevent deeper capture).

Ben321 (2019-07-05 22:47:33 +0000)

That behaviour is a "feature" of Wireless adaptors. Please read the linked wiki page for more info.

grahamb (2019-07-06 13:44:41 +0000)

Very interesting. Are there any adapters that DO allow promiscuous mode, without monitor mode, in Windows? I don't (right now) have any particular need to sniff packets from networks I'm not connected to, but I would like to be able to monitor all packets on my current network (which theoretically only requires promiscuous mode, and not monitor mode). And yes my network is open (not encrypted), but it still seems that promiscuous mode is crippled and behaves just as if it were in normal mode (Wireshark only shows packets whose source or destination is the computer performing the packet sniffing).

Based on that wiki article, it sounds like this problem is a Windows thing, and that my idea would work fine in Linux, but it also sounds like it has something to do with which wi-fi adapter I'm using. Maybe you could point me to a ... (more)

Ben321 (2019-07-10 02:14:24 +0000)

There's a list of adapters for npcap here.

The issue is with the adapter driver\firmware not Wireshark or npcap. npcap asks the driver if it supports monitor mode, and if so enables the checkbox in the Wireshark UI. Even then, the driver\firmware might be defective so that it doesn't actually work.

Generally folks seem to have more success in this area with Linux.

grahamb (2019-07-10 07:47:34 +0000)

> At the ethernet packet level, I can only see packets between my router and my computer.
>
> ...
>
> And this is despite the fact that I put a tick in the check box for promiscuous mode, for my wi-fi adapter

Ethernet and Wi-Fi are different here, even though, if you're not in monitor mode - even if you're in promiscuous mode! - the packets you see will be "faked" Ethernet packets, with a fake Ethernet header constructed from the Wi-Fi header (Wireshark doesn't do that, the adapter and its driver do that).

For Ethernet, the most likely reason why other hosts' packets don't show up in a capture is that the capture is being done on a switched network. See the Wireshark Wiki's page on Ethernet capturing for a discussion of this.

For Wi-Fi, the most likely reason is that you're not capturing in monitor mode, which is the only mode that supports capturing third-party traffic; promiscuous mode does not support that on Wi-Fi. See the Wireshark Wiki's page on Wi-Fi capturing for a discussion of this, and note that, on a "protected" network, using WEP or some version of WPA, you will also need to have Wireshark decrypt the captured packets. See the Wireshark Wiki page on decrypting 802.11.

Guy Harris
answered 2024-06-07 02:24:56 +0000, updated 2024-06-07 02:27:22 +0000
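
An added example (not part of the answer above and not Wireshark code) for checking which situation a saved capture is in: it reads the link-layer type from a classic pcap file header, which is Ethernet when the adapter delivered "faked" Ethernet headers and an 802.11 type when real Wi-Fi headers were captured, as monitor mode provides. It assumes the classic pcap format (not pcapng); the two sample headers are constructed for illustration.

```python
import struct

# Link-layer header types from the tcpdump.org LINKTYPE_ registry:
# value -> (name, carries real 802.11 headers?)
LINKTYPES = {
    1: ("ETHERNET", False),
    105: ("IEEE802_11", True),
    119: ("IEEE802_11_PRISM", True),
    127: ("IEEE802_11_RADIOTAP", True),
    163: ("IEEE802_11_AVS", True),
}

def pcap_linktype(header: bytes) -> int:
    """Return the link type stored in a classic pcap file header (24 bytes)."""
    if len(header) < 24:
        raise ValueError("truncated pcap file header")
    magic = header[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):    # little-endian
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    (network,) = struct.unpack(endian + "I", header[20:24])
    return network & 0xFFFF  # upper bits may carry FCS information

def describe(header: bytes) -> str:
    """Say whether the capture holds real 802.11 headers or Ethernet ones."""
    linktype = pcap_linktype(header)
    name, wifi_headers = LINKTYPES.get(linktype, (f"LINKTYPE {linktype}", False))
    if wifi_headers:
        return f"{name}: real 802.11 headers, consistent with monitor mode"
    if linktype == 1:
        return (f"{name}: Ethernet headers; on a Wi-Fi adapter this means "
                "the capture was not made in monitor mode")
    return f"{name}: not an Ethernet or 802.11 capture"

# Constructed sample headers: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
SAMPLE_MANAGED = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
SAMPLE_MONITOR = struct.pack(">IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 127)

if __name__ == "__main__":
    for sample in (SAMPLE_MANAGED, SAMPLE_MONITOR):
        print(describe(sample))
```

To check a real file, pass its first 24 bytes, for example `describe(open(path, "rb").read(24))`.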
