Cannot capture unicast WLAN packets from any station
I am trying to sniff regular data frames over WLAN with Wireshark, but am unable to capture ANY unicast frames at all.
I have created a monitor mode virtual interface (mon0) of my WLAN interface using the iw command. I get broadcast/multicast packets, as well as a ton of management/control frames, but no unicast packets, not even from the capture PC that I am running Wireshark from, let alone from any other WLAN devices on the network.
I am running Arch Linux (Linux 5.0.10) using a TP-Link WLAN adapter with a Qualcomm Atheros AR9287 chipset. I would be grateful if anyone could suggest a reason why this is not working properly.
Comments
It is not entirely clear if you are trying to do this, but one suggestion: don't try to capture in monitor mode from an adapter that is also in station/managed mode. The results are often unusual.
Dedicate the interface to capture and then troubleshooting will be easier.
Hi Bob, if I try capturing from mon0 when the actual WLAN interface (wlp4s0) is down, I get no packets at all. I'm guessing that mon0 is just a ref to wlp4s0, so when it is down they are both down. So I guess the issue is to somehow set up a monitor mode interface that doesn't rely on wlp4s0 being up. Not sure how to do this as yet, I need to keep fiddling, but thanks for your help.
Using airmon-ng I have now created a new monitor mode interface (rather than using iw) called wlp4s0mon. This interface is the only interface attached to the WLAN card (wlp4s0 no longer exists, confirmed by running 'ip link list'). airmon-ng reported that some processes may be interfering (wpa_supplicant, NetworkManager). These have now all been killed. Running Wireshark on wlp4s0mon I get the same results, just mgmt/ctrl frames, and the occasional broadcast/multicast data frame.