Thread: Wireshark capture problems

  1. #1
    Member
    Join Date
    Jan 2010
    Location
    Helsinki, Finland
    Posts
    235

    Wireshark capture problems

    Hi,

    I'm trying to capture my own home WLAN traffic.

    I'm actually quite new with Linux, but I'm fast to learn.

    I have an ALFA Networks AWUS036H USB WLAN adapter, and I'm using BT4 beta on VMware Workstation.

    I have managed to get my WLAN device into monitor mode, but I can't capture anything with Wireshark.
    Actually I once got something, but just a few "GET" packets.

    I've been using Wireshark on Windows 7, so I nearly know how to use it.

    Yes, my network is WPA-PSK protected, but I know the passkey.
    And I know that Wireshark can decode traffic, but I haven't got it working.

    PS. Sorry for my bad English.

  2. #2
    Just burned his ISO
    Join Date
    Aug 2009
    Posts
    12


    It is not necessary to set your card in monitor mode in order to capture your own packets (i.e. packets traveling from your wireless card to the AP). So set your card to "managed" mode and make sure your WPA key is properly placed in the Wireshark preferences (Edit --> Preferences --> Protocols --> IEEE 802.11).

  3. #3
    Member
    Join Date
    Jan 2010
    Location
    Helsinki, Finland
    Posts
    235


    How do I set it to "Managed" mode? I did it like this:
    airmon-ng stop wlan0
    airmon-ng start wlan0
    and then I used mon0 for capturing etc.

    Should that WPA key NOT look like this:

    "wpa-psk:PASSWORD:AP"
    but rather like this:
    "wpa-psk:<that long series of numbers and letters, made by this: xxx.wireshark.org/tools/wpa-psk.html>"

    Can I just capture that to a file with Wireshark and then view and decrypt my capture using Windows 7 and Wireshark? I'm using BT4 on VMware...

  4. #4
    Just burned his ISO
    Join Date
    Aug 2009
    Posts
    12


    I don't think you understand. You don't have to change anything to get your card in managed mode (it's the default). Monitor mode is used for sniffing all the packets in the air. What I am suggesting is to try to sniff and decrypt your own traffic to get a better understanding, before you try to sniff traffic from your other machine.

    1. Fire up Wireshark
    2. Edit "keys" in preferences (Hint: did you try "wpa-pwd:yourpassword"?)
    3. Start sniffing on the wlan0 device
    4. Open your browser, visit some sites etc.
    5. Watch your screen get filled by sniffed packets.
    6. Read more about wireless networks.

  5. #5
    Member
    Join Date
    Jan 2010
    Location
    Helsinki, Finland
    Posts
    235


    With Windows 7 and Connectify I've been able to capture a lot of information, and I think that I know how to use Wireshark in Windows.

    I did that, but for the first time I saw wlan0 in Wireshark. Usually it's been mon0, but for that I had to use airmon-ng start wlan0.

    It seems that my capture is not decrypted.

    I started using aircrack-ng but then I found out that they think that Kismet is easier for beginners, so I'm using it now. I think that it creates a capture file somewhere so I can use Windows and Wireshark to read and decrypt all the data. Windows 7 is much faster than BT4 on VMware.

    Is there any way to see that data not decrypted, like joining that WLAN? If so, how do I join the WLAN? I've been trying to use NetworkManager but it does nothing.

    I tried to use airdecap-ng to decrypt that file; it just told me that it has 3458 WPA packets out of 22000 in total. It did nothing for that file...

  6. #6
    Super Moderator Archangel-Amael
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012


    Quote Originally Posted by Jarmo:
    With Windows 7 a.
    Use the edit button and do not make multiple consecutive posts.
    To be successful here you should read all of the following.
    Forum Rules
    Forum FAQ
    If you are new to Back|Track: Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  7. #7
    Just burned his ISO
    Join Date
    Aug 2009
    Posts
    12


    Quote Originally Posted by Jarmo:
    Is there any way to see that data not decrypted, like joining that WLAN? If so, how do I join the WLAN? I've been trying to use NetworkManager but it does nothing.
    This is not very helpful. "It does nothing" is not a useful description of a problem. I suggest you Google for "wpa supplicant" and learn how to set up a connection from the CLI.

    Quote Originally Posted by Jarmo:
    I tried to use airdecap-ng to decrypt that file; it just told me that it has 3458 WPA packets out of 22000 in total. It did nothing for that file...
    Are you sure? I think you need to take a close look at the contents of your working directory, before and after you use airdecap.

  8. #8
    Member
    Join Date
    Jan 2010
    Location
    Helsinki, Finland
    Posts
    235


    Well, it did create a new file there, but when I open it using Wireshark it says "no packets".

    I've been using Kismet, and it has captured plenty of packets. Where does it save those? Can I read these files using Wireshark?

  9. #9
    Just burned his ISO
    Join Date
    Aug 2009
    Posts
    12


    Quote Originally Posted by Jarmo:
    Well, it did create a new file there, but when I open it using Wireshark it says "no packets".
    Yes, that's because you didn't read enough about the usage of airdecap. There is something missing in your cap file. (Hint: it's also necessary to perform a dictionary attack.)
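    Two checks that cover the advice in posts #2 and #9 above, as an added example that is not code posted by anyone in this thread: deriving the PSK that Wireshark's "wpa-psk:" key form expects (the same PBKDF2-HMAC-SHA1 computation as the wireshark.org/tools/wpa-psk.html page mentioned earlier; "wpa-pwd:passphrase:SSID" lets Wireshark do this itself), and testing whether a capture actually contains the EAPOL 4-way handshake, since without those frames for your client neither Wireshark nor airdecap-ng can derive the session key and the decrypted output will hold no packets. The sample pcaps are constructed inline (link type 105, raw 802.11 without a radiotap header, dummy locally administered MAC addresses); the message classification uses the Key Information bits of the EAPOL-Key frame.

```python
"""Added example (not from the thread): PSK derivation and 4-way handshake check.

handshake_messages() reads a classic pcap of raw 802.11 frames (link type 105,
no radiotap) and reports which EAPOL-Key messages (1-4) it contains. Sample
captures are constructed at the bottom of the file with dummy MAC addresses.
"""
import hashlib
import struct

LINKTYPE_IEEE802_11 = 105
EAPOL_ETHERTYPE = 0x888E
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i PSK: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def classify_key_info(key_info: int) -> int:
    """Map EAPOL-Key 'Key Information' bits to handshake message 1-4 (0 = not recognised)."""
    ack, mic, secure = key_info & 0x0080, key_info & 0x0100, key_info & 0x0200
    if ack and not mic:
        return 1      # AP -> STA: ANonce
    if ack and mic:
        return 3      # AP -> STA: ANonce + GTK, Install bit
    if mic and not secure:
        return 2      # STA -> AP: SNonce
    if mic and secure:
        return 4      # STA -> AP: confirmation
    return 0


def iter_pcap(data: bytes):
    """Yield (linktype, packet_bytes) for each record of a classic pcap file."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len


def handshake_messages(pcap: bytes) -> list:
    """Sorted list of 4-way handshake message numbers found in the capture."""
    found = set()
    for linktype, frame in iter_pcap(pcap):
        if linktype != LINKTYPE_IEEE802_11 or len(frame) < 24:
            continue
        fc0, fc1 = frame[0], frame[1]
        if (fc0 >> 2) & 0x3 != 2:   # only data frames carry EAPOL
            continue
        if fc1 & 0x40:              # Protected bit: encrypted payload, not plaintext EAPOL
            continue
        hdr = 24
        if fc0 & 0x80:              # QoS data subtype adds a 2-byte QoS Control field
            hdr += 2
        if fc1 & 0x03 == 0x03:      # ToDS+FromDS: a fourth address follows
            hdr += 6
        llc = frame[hdr:hdr + 8]
        if len(llc) < 8 or llc[:6] != LLC_SNAP or struct.unpack(">H", llc[6:8])[0] != EAPOL_ETHERTYPE:
            continue
        eapol = frame[hdr + 8:]
        if len(eapol) < 7 or eapol[1] != 3:   # EAPOL packet type 3 = EAPOL-Key
            continue
        key_info = struct.unpack(">H", eapol[5:7])[0]   # follows the descriptor type byte
        msg = classify_key_info(key_info)
        if msg:
            found.add(msg)
    return sorted(found)


# --- constructed sample data (dummy addresses, zeroed nonces/MICs) ---------------

def _eapol_key(key_info: int, key_data: bytes = b"") -> bytes:
    """Minimal EAPOL-Key frame with an RSN descriptor and the given Key Information."""
    body = (bytes([2]) + struct.pack(">HH", key_info, 16) + b"\x00" * 8 + b"\x11" * 32
            + b"\x00" * (16 + 8 + 8 + 16) + struct.pack(">H", len(key_data)) + key_data)
    return bytes([2, 3]) + struct.pack(">H", len(body)) + body


def _frame(to_ds: bool, payload: bytes) -> bytes:
    """802.11 data frame + LLC/SNAP header around payload (locally administered dummy MACs)."""
    ap, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    fc = bytes([0x08, 0x01 if to_ds else 0x02])          # data frame, ToDS or FromDS
    addrs = ap + sta + ap if to_ds else sta + ap + ap
    return fc + b"\x00\x00" + addrs + b"\x00\x00" + LLC_SNAP + struct.pack(">H", EAPOL_ETHERTYPE) + payload


def build_pcap(frames) -> bytes:
    """Little-endian classic pcap with link type 105."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f
    return out


FULL_HANDSHAKE_PCAP = build_pcap([
    _frame(False, _eapol_key(0x008A)),               # M1: Pairwise | Ack
    _frame(True, _eapol_key(0x010A)),                # M2: Pairwise | MIC
    _frame(False, _eapol_key(0x13CA, b"\x00" * 8)),  # M3: Install | Ack | MIC | Secure | EncKeyData
    _frame(True, _eapol_key(0x030A)),                # M4: MIC | Secure
])
# Capture started after the client had associated: the AP's messages were never seen.
LATE_CAPTURE_PCAP = build_pcap([_frame(True, _eapol_key(0x010A)), _frame(True, _eapol_key(0x030A))])

if __name__ == "__main__":
    print("PSK for password/IEEE:", wpa_psk("password", "IEEE").hex())
    print("full capture:", handshake_messages(FULL_HANDSHAKE_PCAP), "late capture:", handshake_messages(LATE_CAPTURE_PCAP))
```

    If the check on your own capture reports fewer than all four messages, restart the capture and then reconnect the client (or wait for it to reassociate) so the handshake is recorded before any data you want decrypted; decryption only applies to frames after the handshake, which matches the "no packets" result from airdecap-ng described above.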

  10. #10
    Member
    Join Date
    Jan 2010
    Location
    Helsinki, Finland
    Posts
    235


    Quote Originally Posted by jaapbaas:
    Yes, that's because you didn't read enough about the usage of airdecap. There is something missing in your cap file. (Hint: it's also necessary to perform a dictionary attack.)
    I used it in Windows 7, using the aircrack-ng GUI, and I know everything about that WLAN's settings, keys etc.
