
Where are IP headers in Monitor mode capture?

Hi, I set my lone network interface of Mac_air to Promiscuous and Monitor mode at the same time. I could surf the Internet while the network was in the above mode. But the traffic captures show most packets had the following header hierarchy: Data -> IEEE 802.11 -> 802.11 radio info -> Radiotap header -> Frame.

Where have the IP and TCP headers gone?

Regards

Vindra
asked 2018-02-12 11:13:00 +0000
cmaynard
updated 2018-10-26 17:42:52 +0000


1 Answer


They are all there but encrypted. For each client-AP "session" you want to decrypt, you need to know the passphrase and capture the four EAPOL packets. When you give this information to Wireshark in the right way, it will automatically decrypt those radio frames for which it has the necessary information and show you the IP and above layers dissected.

sindy
answered 2018-02-12 13:27:59 +0000

Comments

And see the "How to decrypt 802.11" page on the Wireshark Wiki.

Guy Harris (2018-02-12 18:00:43 +0000)
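
The answer's requirement that all four EAPOL packets be captured for each client-AP session can be checked before attempting decryption. The following is an added example, not part of the original thread: it classifies EAPOL-Key frames by their Key Information flags and reports which handshake messages are missing per session. The function names and sample frames are constructed for illustration, and the message 2 versus 4 distinction assumes WPA2 flag usage.

```python
import struct
from collections import defaultdict

# Key Information flag bits of an EAPOL-Key frame (IEEE 802.11)
PAIRWISE, ACK, MIC, SECURE = 0x0008, 0x0080, 0x0100, 0x0200

def handshake_msg(eapol: bytes):
    """Return 1-4 for a pairwise 4-way handshake message, else None.
    Assumes WPA2 flag usage (Secure bit set in message 4, clear in 2)."""
    if len(eapol) < 7:
        return None
    _ver, ptype, _len, _desc, info = struct.unpack_from("!BBHBH", eapol)
    if ptype != 3 or not info & PAIRWISE:  # 3 = EAPOL-Key; skip group-key frames
        return None
    if info & ACK:                         # sent by the AP
        return 3 if info & MIC else 1
    if info & MIC:                         # sent by the client
        return 4 if info & SECURE else 2
    return None

def missing_messages(frames):
    """frames: iterable of (client_mac, ap_mac, eapol_bytes).
    Returns {(client, ap): sorted handshake message numbers not captured}."""
    seen = defaultdict(set)
    for client, ap, eapol in frames:
        got = seen[(client, ap)]
        n = handshake_msg(eapol)
        if n:
            got.add(n)
    return {sess: sorted({1, 2, 3, 4} - got) for sess, got in seen.items()}

def key_frame(info: int) -> bytes:
    """Constructed EAPOL-Key frame: real header layout, zeroed key fields."""
    body = struct.pack("!BH", 2, info) + bytes(92)  # 95-byte key descriptor
    return struct.pack("!BBH", 1, 3, len(body)) + body

AP = "02:00:00:00:00:aa"  # constructed, locally administered MACs
C1, C2 = "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLE = [(C1, AP, key_frame(i)) for i in (0x008A, 0x010A, 0x13CA, 0x030A)]
SAMPLE += [(C2, AP, key_frame(i)) for i in (0x008A, 0x010A)]  # capture cut short

if __name__ == "__main__":
    for sess, missing in missing_messages(SAMPLE).items():
        print(sess, "complete" if not missing else f"missing {missing}")
```

A session reported as missing messages is one whose data frames will stay undissected above 802.11, which is the symptom described in the question.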