WLAN Capture only decrypting MDNS, ARP, etc

I am playing with Wireshark. I am trying to view an HTTP request to http://example.com/?q=foobar that I made from a device on my Wi-Fi network.

I inputted my SSID and WPA password to the 802.11 decryption dialog, and then I turned Wi-Fi off and on on my device so that I could capture an EAPOL packet and thus decrypt my session. Then, I navigated to http://example.com/?q=foobar.

When I use wlan.addr == AB:CD:EF:12:34:56 (my device's MAC address) as a display filter, I see a lot of packets with Protocol 802.11 and a relatively small number with ICMPv6, DHCP, ARP, MDNS, IGMPv2, and others. However, that's it. I do not see any TCP packets, let alone HTTP packets. http and tcp as display filters both return no results.

I know that I am getting the traffic from the correct device, as I see the device name buried in some of the MDNS packets.

Can someone help me find the missing HTTP packets?

pokkunakki1832120
asked 2022-05-19 11:42:55 +0000

1 Answer

The likely issue is the same as the first part of this answer.

Bob Jones
answered 2022-05-19 12:52:25 +0000

Comments

So how can I capture 802.11ac traffic using my MacBook? Is it not possible?

Here are my system specs:
MacBook Pro 2019, 13-inch, four Thunderbolt 3 ports (model identifier MacBookPro15,2)
16 GB RAM
2.8 GHz Quad-Core Intel Core i7

pokkunakki1832120 (2022-05-31 14:41:50 +0000)

Is it not possible?

It depends. If you are trying to pick up 11ax traffic, then probably not. If you are trying to pick up something within the capture envelope of the MacBook, then maybe. Do you know the capabilities of the test traffic?

Are you on the right channel? Are you close enough to pick up the unicast traffic? Do you have a decryption problem, or do you have a packet capture problem? You are likely capturing in monitor mode since the wlan filter produces output. Sharing a capture file on a publicly accessible location of test traffic that can be reviewed will make it much easier to diagnose your issue.

Can you decrypt the sample files? https://wiki.wireshark.org/HowToDecry...

Bob Jones (2022-05-31 16:46:17 +0000)

I am teaching myself about network protocol analysis and how to use Wireshark, so I do not want to inadvertently publish sensitive information from my network. Any suggestions?

For now, here is a screenshot of what I am seeing. The bulk of the traffic that I see in my capture looks something like that (with the exception of the MDNS, ARP, etc. packets, as described above).

pokkunakki1832120 (2022-06-01 00:49:08 +0000)

I understand the security concern. For sharing, you would want to anonymize the information, but in wireless decryption cases you basically need to set up a completely separate test network that you scrap when done (i.e., don't use the SSIDs or keys anymore).

Now for the screenshot - I see CTS/RTS, some block ACK, but no unicast data frames. You don't provide much to go on, but what you do show is consistent with the linked answer: you are not picking up the highly modulated unicast data frames.

Why is this the case? There are multiple possible causes for this and they are described in that linked answer and also in comments here. Without more detailed information like a trace file, I can't really say exactly what your specific issue is. If it helps, you can share your trace privately with me; since the issue ...

Bob Jones (2022-06-01 11:08:25 +0000)

How should I share the capture file with you privately, @Bob Jones?

pokkunakki1832120 (2022-06-16 00:30:15 +0000)
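
The "decryption problem or packet capture problem" question raised in the comments can be checked from the 802.11 frame control field alone. The following is an added example, not code from the thread or from Wireshark: it tallies frame classes and reports which side to investigate. It assumes raw 802.11 MAC headers with any radiotap header already stripped; the function names, addresses and sample frames are constructed for illustration.

```python
from collections import Counter

TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}

def classify(frame):
    """Decode the 802.11 MAC header fields needed for this triage."""
    if len(frame) < 10:  # frame control + duration + address 1
        raise ValueError("truncated 802.11 header")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    return {
        "type": TYPES[ftype],
        # Data subtypes with bit 2 set (Null, QoS Null, CF-*) carry no payload.
        "payload": ftype == 2 and not subtype & 0x4,
        "protected": bool(frame[1] & 0x40),  # Protected Frame flag
        "unicast": not frame[4] & 0x01,      # group bit of address 1 (receiver)
    }

def triage(frames):
    """Tally frame classes and say which side of the problem to look at."""
    counts = Counter()
    for frame in frames:
        c = classify(frame)
        if c["payload"]:
            cast = "unicast" if c["unicast"] else "group"
            enc = "protected" if c["protected"] else "clear"
            counts[f"data/{cast}/{enc}"] += 1
        else:
            counts[c["type"]] += 1
    if counts["data/unicast/protected"] + counts["data/unicast/clear"] == 0:
        return counts, "capture"   # unicast data frames never reached the sniffer
    return counts, "decryption"    # frames are present: check keys and EAPOL handshake

def hdr(fc0, flags, addr1):
    # Constructed header: frame control, zero duration, address 1, zero padding.
    return bytes([fc0, flags, 0, 0]) + bytes.fromhex(addr1) + bytes(14)

STA, MDNS6, BCAST = "020000000001", "3333000000fb", "ffffffffffff"  # constructed
CONTROL_ONLY = [
    hdr(0xB4, 0x00, STA),    # RTS
    hdr(0xC4, 0x00, STA),    # CTS
    hdr(0x94, 0x00, STA),    # Block Ack
    hdr(0x88, 0x42, MDNS6),  # QoS Data, FromDS + Protected, group address
    hdr(0x80, 0x00, BCAST),  # Beacon
]
WITH_UNICAST = CONTROL_ONLY + [hdr(0x88, 0x42, STA)]  # same, to a unicast receiver

if __name__ == "__main__":
    for name, sample in (("control only", CONTROL_ONLY), ("with unicast", WITH_UNICAST)):
        print(name, *triage(sample))
```

A "capture" verdict matches the screenshot described above: RTS/CTS and Block Ack frames plus group-addressed traffic such as MDNS, but no unicast data frames for the decryption keys to act on.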