
HTTP packet not showing in monitor mode (rtl8812au)


Hello there,

I'm trying to demonstrate the network sniffing of an HTTP connection.

I have an RTL8812AU (USB wireless adapter).

I set it to monitor mode, and I verified it IS applied when capturing packets.

I also set the WEP key and enabled the decryption, so Wireshark can decrypt the packets.

When capturing the traffic, I DO SEE the normal traffic going on (unencrypted). But it looks like not all HTTP traffic is correctly captured (I used another device, connected to the same access point to access http websites).

I sometimes see some HTTP packets, but most of them are .PNG/.GIF/JavaScript/CSS files. I have seen an HTTP 200 OK in HTML just once. Most of the traffic is not showing up. And I did test different HTTP websites, with different devices, all connected to the access point.

My question is: how is it possible that only some HTTP packets get captured? I also installed the driver (realtek-rtl88xxau-dkms) on my Kali machine. Wireshark version and Kali version are the latest.

Any help would greatly be appreciated! Regards.

ScreenName
asked 2019-09-01 17:38:14 +0000


1 Answer


The wifi adapter has to be able to pick up the test traffic; the performance envelope has to be as big as, or bigger than, the test traffic when it comes to things like spatial streams, bandwidth, MCS Index, and other details like guard interval, LDPC encoding, and distance from the transmitter.

This really applies to the higher modulations (i.e. datarates) that data frames use (usually QoS Data) - control and management traffic is usually sent at low modulations so is easily picked up.

So why do you see some, but not all? The transmit datarate is not fixed; there is a selection algorithm to choose the encoding and datarate of any given frame. It is usually up to the max, but the poorer the communications (say signal to noise ratio, etc) the lower the datarate. So I suspect the frames you do see are sent at non-maximum datarates. The rest are sent outside of the performance envelope of your capture system so you miss these frames. However, you probably still see the control frames associated with these, anyway, like ACKs/BlockACKs, CTS/RTS, etc.

The rtl8812 and 8814 USB chipsets seem to have a problem picking up frames sent with a bandwidth greater than 20MHz. Even though they seem to support it at the software level, I can't get either one to pick up 40 or 80MHz frames, though the 8814au tested will do 3SS and LDPC, but must be 20MHz. This could be a configuration issue but my other adapters work with the same setup, so perhaps you are seeing the same thing: the highest datarate frames are missed by the adapter. You should not have any 80MHz traffic on 2.4GHz, and even 40MHz is not good for any type of large, professional installation. You did not say what band you are working on.

To try and pick them all up, limit your bandwidth to 20MHz either at the AP or client side, as a start. Get closer to the transmitter, and have various capture adapters to test with.

Also, the industry moved away from WEP, I don't know, maybe 15 years ago? WEP can be cracked in minutes... I hope this is a test. If not, seriously, time to update long ago.

Funny, though, often APs need to use AES (through WPA2) and WMM to get maximum performance. So a real WEP selection would limit datarates making it much easier to pick up traffic. So something does not seem right - this conflicts with my explanation. But you have not provided enough information to definitely determine the full communications profile to know for sure what is wrong.

Bob Jones
answered 2019-09-02 00:18:50 +0000
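Added example (not part of the original answer and not Wireshark code): a heuristic check for the symptom the answer describes, where ACKs/BlockAcks are captured but the data frames they acknowledge are not. It assumes per-frame fields exported from tshark as tab-separated text; the sample rows and MAC addresses are constructed.

```python
from collections import defaultdict

# Constructed sample rows. Assumed input shape: tab-separated output of
#   tshark -r <capture> -T fields -e wlan.fc.type -e wlan.fc.subtype \
#          -e wlan_radio.data_rate -e wlan.ta -e wlan.ra
# Columns: frame type, subtype, data rate in Mb/s, transmitter, receiver.
AP, STA = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb"  # constructed addresses
SAMPLE = "\n".join("\t".join(r) for r in [
    ("2", "8", "58.5", STA, AP),   # QoS Data, client request
    ("1", "13", "24", "", STA),    # ACK to the client (ACKs carry no TA)
    ("2", "8", "65", AP, STA),     # QoS Data, one response frame captured
    ("1", "9", "24", STA, AP),     # BlockAck to the AP
    ("1", "9", "24", STA, AP),
    ("1", "9", "24", STA, AP),
    ("1", "13", "24", "", AP),     # ACK to the AP
    ("2", "8", "72.2", AP, STA),
])

DATA_SUBTYPES = {"0", "8"}   # Data, QoS Data (payload-carrying)
ACK_SUBTYPES = {"9", "13"}   # BlockAck, ACK


def summarize(tsv_text):
    """Per station: data frames captured from it, acknowledgements captured
    that are addressed to it, and the highest rate among its data frames."""
    stats = defaultdict(lambda: {"data": 0, "acks": 0, "max_rate": 0.0})
    for line in tsv_text.splitlines():
        cols = line.split("\t")
        if len(cols) != 5:
            continue  # skip malformed rows
        ftype, subtype, rate, ta, ra = cols
        if ftype == "2" and subtype in DATA_SUBTYPES and ta:
            s = stats[ta]
            s["data"] += 1
            try:
                s["max_rate"] = max(s["max_rate"], float(rate))
            except ValueError:
                pass  # rate missing from the radio metadata
        elif ftype == "1" and subtype in ACK_SUBTYPES and ra:
            stats[ra]["acks"] += 1
    # One BlockAck can cover several data frames, so seeing more
    # acknowledgements than data frames suggests the capture missed frames.
    return {sta: dict(s, suspect=s["acks"] > s["data"])
            for sta, s in stats.items()}


if __name__ == "__main__":
    for sta, s in summarize(SAMPLE).items():
        print(sta, s)
```

For a station flagged as suspect, `max_rate` is the highest rate the adapter did decode from it, which gives a rough idea of where the capture stops keeping up.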

Comments

That was a very useful and interesting answer! Big thanks to you.

I was working on 2.4GHz, and yes WEP is only for the example.

I guess the wireless adaptor I use is probably "too cheap" to pick up higher frequencies frames... That would also mean that some pictures (or static content in general) are transmitted with lower frequencies?

I'm not sure I can limit the bandwidth on my installation, but I guess I will go for another adapter (I have seen that the aircrack wiki doesn't even mention anywhere the chipset I'm using...).

Thank you again for your help and have a nice day.

ScreenName (2019-09-02 07:53:17 +0000)

As an additional question, how do I limit the bandwidth at the client side (Kali)? Thank you.

ScreenName (2019-09-02 22:15:03 +0000)

If the client is Linux, you may have to use wpa_supplicant manually to force what you want. I don't know if NetworkManager can do it. Look for the disable_ht40 parameter in the config file. There are plenty of Google references to using this by hand; my only suggestion is to disable NetworkManager first so it stops trying to take control.

Bob Jones (2019-09-02 22:44:43 +0000)
