First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

Only one SSID in Monitor Mode

My attempt to capture WiFi management frames on my mesh WiFi network continues. One router and two satellites with both primary and Guest networks. A total of 6 WiFi access points (2.4G and 5G on three units) broadcasting two SSID' on each (primary and Guest). Was expecting to capture about 5-10 beacon frames for each SSID, for each channel, and for each access point. A total of between 150 and 300 beacon frames per minute.

Wlanhelper on Windows 10 was not able to set the 5G WiFi adapter to monitor mode and the channel to 48, so I switched to Mint Linux 20.2 (based on Ubuntu), using two Panda PAU09 USB adapters. (I have posted in the Npcap forum and will be happy to give this a try again on Windows is someone on that forum has a suggestion.)

Am able to collect management frames from all six WiFi access points, but observe that there are beacon frames for only the primary SSID. Beacon frames for the guest SSID are not captured. The guest SSID is active. I can connect to it and get internet. Guest WiFi must be transmitting beacon frames.

My goal is to observe what happens to the mesh system when the router is rebooted or the entire system reboots (such as after a power failure). Surely I am not the first person to capture WiFi management frames with Wireshark. If someone could provide a hint, it would be really helpful.

CrimpOn's avatar
1
CrimpOn
asked 2021-11-13 07:10:20 +0000
edit flag offensive 0 remove flag close merge delete

Comments

There are multiple things that could be wrong but since there is no trace provided to review, we really can’t rule any of them out.

You may be using filters that are incorrect, or perhaps you have multi bssid enabled (https://www.intuitibits.com/2021/08/2...).

Bob Jones's avatar Bob Jones (2021-11-13 16:43:28 +0000) edit
more
  • delete
add a comment see more comments

1 Answer

0

Totally correct. Further examination shows that each access point is using different MAC addresses for the primary and guest WiFi channels. Amazing that you went straight to it.

In order to filter out misc. 'stuff', I have a capture filter defined which has now grown to include 12 MAC addresses. Is Wireshark able to have different capture filters on each WiFi adapter?

And thank you again for responding.

CrimpOn's avatar
1
CrimpOn
answered 2021-11-13 21:16:23 +0000
edit flag offensive 0 remove flag delete link
more

Comments

Check the -f option on the Wireshark man page or The “Capture Options” Dialog Box in the Gui.

Chuckc's avatar Chuckc (2021-11-13 23:48:01 +0000) edit
more
  • delete
add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer