Atheros AR9285 Not Sniffing Data Frames
I recently purchased a new laptop with an Atheros AR9285 802.11b/g/n wireless card. I'm having a bit of trouble getting monitor mode / promiscuous mode working in wireshark.
First, I checked that it should be supported. I'm fairly certain monitor mode should work with this card using the ath9k driver.
Here are steps I have taken and results:
/usr/bin/start-network <- start it so I can use wicd
WICD - can connect to network no problem, using WPA
In wireshark, I can see a couple of things.
1. I can view a ton of management / beacon frames. Not really interested in these.
2. I can view traffic from local PC when connected to my network
3. I cannot view other traffic, even though I have promiscuous mode checked in Wireshark.
I tried manually setting the card to monitor mode
ifconfig wlan0 down
iwconfig wlan0 mode monitor
ifconfig wlan0 up
iwconfig <- shows it is indeed in monitor mode
With it manually set, Wicd manager does not show anything, so I cannot connect to my own network. In wireshark (prom. mode still set)
1. Can see plenty of beacon frames still.
2. Cannot view my local PC traffic, obviously, as I am not connected to a network and cannot generate any.
3. Still cannot view any other traffic from other PCs. (Yes, I have another laptop and am generating traffic, so I know it exists)
Next, I thought it must be a driver issue, although I don't think any of the following changed anything (up until now, using default BackTrack 4 Final drivers - is it using ath9k? Seems like it was). So, I proceeded to install latest driver...
1. downloaded driver compat-wireless.2.6.tar.bz2
2. extracted, make, make install
3. make unload (unload current modules, BT4 shows ath9k unloaded, so I assume it used that by default so reinstalling probably didn't do anything)
4. modprobe ath9k (start up ath9k module, which should work for AR9285)
After doing that, nothing changed. Same results as before. Does anyone have any ideas for my next step? ath9k says all supported devices (which should include AR9285) should work in monitor mode, but it just isn't working for me. I'm able to put it into monitor mode, and Wireshark doesn't complain (in Windows, Wireshark tells me it failed to put device in promiscuous mode), but I just don't see the results...
I've done some more experiments, but still haven't figured it out yet. I learned that if I use airmon-ng to set up mon0 for monitor mode instead of iwconfig then I seem to see a lot more packets across the network, but I am still not seeing any data packets. Everything is all management frames. I see ACKs, RTS/CTS, etc. but not the data packets.
I checked the options, and I definitely do not see anything in Wireshark set to only display management frames. If I use the capture filter "port 80" and browse the net I still don't see anything (the management frames do go away, however).
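As an added illustration (not code from any poster in this thread): a small Python decoder for the 802.11 Frame Control field that sorts frames the way the posts above describe them (beacons, ACK/RTS/CTS, data) and checks the Protected Frame bit. A BPF capture filter such as "port 80" has to read the LLC/SNAP, IP and TCP headers inside the frame body, which are encrypted in a protected (WPA/WEP) data frame, so it can only ever match cleartext data frames. It assumes raw 802.11 frames with the radiotap header already stripped; the sample frames are constructed, not captured.

```python
import struct

# Frame Control field (IEEE 802.11): bits 2-3 type, bits 4-7 subtype,
# second byte = flags; flag bit 0x40 is the Protected Frame bit.
FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
SUBTYPE_NAMES = {
    (0, 8): "beacon", (0, 4): "probe-req", (0, 5): "probe-resp",
    (1, 11): "rts", (1, 12): "cts", (1, 13): "ack",
    (2, 0): "data", (2, 8): "qos-data",
}
PROTECTED_FLAG = 0x40

def parse_frame_control(frame):
    """Decode the first two bytes of a raw 802.11 frame (no radiotap)."""
    if len(frame) < 2:
        raise ValueError("frame shorter than Frame Control field")
    fc = struct.unpack("<H", frame[:2])[0]   # transmitted little-endian
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    flags = (fc >> 8) & 0xFF
    return {
        "type": FRAME_TYPES.get(ftype, "reserved"),
        "subtype": SUBTYPE_NAMES.get((ftype, subtype), "other-%d" % subtype),
        "protected": bool(flags & PROTECTED_FLAG),
    }

def bpf_port_filter_can_match(frame):
    """'port 80' needs cleartext LLC/SNAP+IP+TCP headers in the body,
    so only an unprotected data frame can match it in monitor mode."""
    info = parse_frame_control(frame)
    return info["type"] == "data" and not info["protected"]

def summarize(frames):
    """Count frames per type and how many data frames are encrypted."""
    counts = {"management": 0, "control": 0, "data": 0, "data_protected": 0}
    for f in frames:
        info = parse_frame_control(f)
        counts[info["type"]] = counts.get(info["type"], 0) + 1
        if info["type"] == "data" and info["protected"]:
            counts["data_protected"] += 1
    return counts

# Constructed sample frames; only the Frame Control bytes matter here.
SAMPLE_FRAMES = [
    b"\x80\x00",  # beacon (management)
    b"\xd4\x00",  # ACK (control)
    b"\xb4\x00",  # RTS (control)
    b"\x08\x41",  # data, ToDS, Protected Frame bit set (WPA-encrypted)
    b"\x88\x42",  # QoS data, FromDS, protected
    b"\x08\x02",  # data, FromDS, cleartext (open network)
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FRAMES))
```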
have you tried the madwifi drivers? I think they are for Atheros chipsets.
Yeah, use airmon-ng. iwconfig won't completely set up your card in monitor mode. The name of the mon interface might not be mon0 especially using an atheros based card. If the wifi is encrypted using WEP or WPA, consider using an airtun-ng interface to decrypt on the fly. Or don't forget to decrypt the .cap file before having it filtered.
@hellonewman - isn't the ath9k driver a madwifi driver? I'm pretty new to these drivers, but from what I found, it seems like there is madwifi, ath5k, and ath9k where ath5k and ath9k are newer versions. on madwifi-project.org, it states ath9k is for all 802.11n atheros chipsets (which is what I am using). Perhaps I will try the one specifically named madwifi and see what happens.
@LCF - using airmon-ng seems like the easiest method anyways. I'm pretty sure it is setting mon0, since that is the interface that appears after running airmon-ng start wlan0. I'm also able to hear frames on mon0 when listening in Wireshark. It's just so strange, because the card hears everything except data frames on the network. I can see all management frames such as beacon probes, ACKs, etc. Just not the data frames. Maybe trying madwifi instead of ath9k will solve the problem.
As for decryption, even without trying to decrypt them, will they still show up in wireshark (simply encrypted)? I'm pretty sure I've run Wireshark in the past on my old machine and was able to capture stuff. Then again, I was running it from Windows in promiscuous mode instead of monitor mode, so I only heard traffic on the network I was connected to.
Anyways, is decryption required for them to show up at all, or should they still be captured but simply encrypted?
If you are running an interface using monitor mode, you have to decrypt the packets. That seems quite obvious...
You might have used promiscuous mode in the past, not monitor mode.