
Cannot capture or decrypt some protocols in monitor mode with Wireshark

First off, I put my network adapter into monitor mode and captured a handshake. From Edit > Preferences > Protocols > IEEE 802.11, I added my decryption keys properly and started sniffing the traffic. The problem is that I can decrypt ARP and some UDP traffic along with some other protocols I'm not familiar with. But I don't see any DNS, HTTP or TCP packets when I apply the necessary filters. I googled around a bit on that and found that it might be possible that I'm not even able to capture TCP and DNS packets at all.

The problem is either I can't decrypt the TCP packets (which I don't think is the case since I can decrypt other protocols), or I can't even receive any TCP traffic. Does anyone have an idea as to how to solve this issue? If it's that I can't even capture these packets, how can I fix it? Thank you in advance.

ck07
asked 2022-01-02 22:58:11 +0000

1 Answer


Likely you are able to capture and decrypt low modulation frames, such as group traffic, i.e. multicast and broadcast, from the AP. However, you are missing the highly modulated unicast traffic with high data rates. Proximity to test traffic can have an impact, too.

The solution is either to get a capture system that can pick up all the traffic or to reduce the capability of the WiFi system so that the capture system can pick it up.

There are many examples of this on this site, for example, see

https://ask.wireshark.org/question/20865/80211-only-partially-decrypted/#20876

Bob Jones
answered 2022-01-02 23:17:38 +0000

Comments

Thank you so much. That explains it really well. I guess I need to buy another card that supports 802.11ac, right?

ck07 (2022-01-03 00:25:40 +0000)

Likely, yes.

Bob Jones (2022-01-03 00:38:41 +0000)
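
Added example, not part of the original thread: one way to check the answer's explanation against a capture is to tally data frames by PHY type (from the radiotap "present" bits) and by whether the receiver address is group or unicast. The helper names and the sample frames are constructed for illustration; the code assumes radiotap-prefixed frames and reads the legacy Rate value only from the standard TSFT, Flags, Rate field order.

```python
import struct
from collections import Counter

def classify(frame: bytes):
    """Return (phy, addressing) for a radiotap-prefixed 802.11 data frame, else None."""
    _ver, _pad, rt_len, present = struct.unpack_from("<BBHI", frame, 0)
    off, word = 8, present
    while word & (1 << 31):                      # extended "present" bitmaps follow
        (word,) = struct.unpack_from("<I", frame, off)
        off += 4
    if present & (1 << 21):                      # VHT field present (802.11ac)
        phy = "VHT"
    elif present & (1 << 19):                    # MCS field present (802.11n)
        phy = "HT"
    elif present & (1 << 2):                     # legacy Rate field present
        if present & 1:                          # TSFT: 8 bytes, 8-byte aligned
            off = ((off + 7) & ~7) + 8
        if present & 2:                          # Flags: 1 byte
            off += 1
        phy = f"legacy {frame[off] * 0.5:g} Mb/s"  # Rate unit is 500 kb/s
    else:
        phy = "unknown"
    if (frame[rt_len] >> 2) & 3 != 2:            # frame control type 2 = data
        return None
    addr1 = frame[rt_len + 4:rt_len + 10]        # receiver address
    return phy, "group" if addr1[0] & 1 else "unicast"

def summarize(frames):
    """Count captured data frames per (PHY, group/unicast) pair."""
    return Counter(c for c in map(classify, frames) if c)

def missing_high_rate_unicast(summary):
    """True when no HT/VHT unicast data frame is present in the capture."""
    return not any(p in ("HT", "VHT") and a == "unicast" for p, a in summary)

def make(present, fields, fc, addr1):
    """Build a constructed radiotap + 802.11 data-header frame for the demo."""
    rt = struct.pack("<BBHI", 0, 0, 8 + len(fields), present) + fields
    return rt + fc + b"\x00\x00" + addr1 + bytes(14)

# Constructed sample frames (not from a real capture).
BCAST = make(0x06, b"\x00\x02", b"\x08\x42", b"\xff" * 6)
MCAST = make(0x07, bytes(9) + b"\x0c", b"\x08\x42", bytes.fromhex("01005e0000fb"))
BEACON = make(0x06, b"\x00\x02", b"\x80\x00", b"\xff" * 6)
VHT_UNI = make(1 << 21, bytes(12), b"\x88\x42", bytes.fromhex("020000000001"))

if __name__ == "__main__":
    for key, n in summarize([BCAST, MCAST, BEACON]).items():
        print(key, n)
```

A summary that contains only legacy-rate group frames, with no HT or VHT unicast entries, matches the symptom described in the answer.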