Thread: Capture WLAN-traffic using Wireshark

  1. #1
    Just burned his ISO
    Join Date
    Aug 2011
    Posts
    6

    Capture WLAN-traffic using Wireshark

    I'm trying to understand how to capture traffic on my WLAN (WPA2) using Wireshark.
    I can see all traffic going to and from my Backtrack-PC and Wireshark is able to decrypt it (using the WPA-password and the four EAPOL Key msg), but I can't see any traffic going from other clients on the network.
    If I deauth a client from my BT-PC I only get two EAPOL Key msg, 1/4 and 3/4, it's missing key 2/4 and 4/4.
    Why is that?

    I've tried different approaches listening on both wlan0 and mon0 but no luck.
    It seems to me that Wireshark can only capture the WPA-handshake going from the client to the AP and not vice versa.
    I can't get any data-traffic (like http) from my clients.

    Am I doing something wrong here or is it just impossible to capture traffic on WLAN encrypted with WPA2?

    This is my config,
    BackTrack 5 R1 running on a PC with an Alfa AWUS036H (The computer running Wireshark).
    AP is an ASUS RT-N56U.
    Clients: one Laptop running BackTrack 5 R1 and one Android-Phone.

    BT-tools used,
    Wireshark (sniffer)
    airmon-ng (to switch wlan0 into monitor mode)
    aireplay-ng (to deauth)

  2. #2
    Just burned his ISO
    Join Date
    Aug 2011
    Posts
    6

    Re: Capture WLAN-traffic using Wireshark

    I've just upgraded Wireshark to version 1.8.1 and now I occasionally get all four EAPOL packets when a client connects to the AP, but I still can't see any data traffic coming from the client in Wireshark.
    If I fire up a web browser and start surfing on the client, all Wireshark gets is "Request-to-send" and "802.11 Block Ack".

    Do I have to use ARP-spoofing or DNS-spoofing to monitor wireless communication from other clients?
    Last edited by krister67; 08-20-2012 at 02:46 AM.

  3. #3
    Just burned his ISO
    Join Date
    Aug 2011
    Posts
    6

    Re: Capture WLAN-traffic using Wireshark

    Quote: Originally posted by krister67
    I've just upgraded Wireshark to version 1.8.1 and now I occasionally get all four EAPOL packets when a client connects to the AP, but I still can't see any data traffic coming from the client in Wireshark.
    If I fire up a web browser and start surfing on the client, all Wireshark gets is "Request-to-send" and "802.11 Block Ack".

    Do I have to use ARP-spoofing or DNS-spoofing to monitor wireless communication from other clients?

    My bad!
    My AP was set to 802.11n which the Alfa AWUS036H cannot handle.
    Switched the AP to 802.11g and the packets from my clients were just flying in...
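
A way to check which handshake messages a capture actually contains, as an added example that is not part of the original thread: it classifies EAPOL-Key frames by their Key Information bits and reports the missing ones together with the station that transmits them (1/4 and 3/4 come from the AP, 2/4 and 4/4 from the client). The function names and the zero-filled sample frames are constructed for illustration.

```python
import struct

# Key Information bit masks from the 802.11i EAPOL-Key descriptor
INSTALL, KEY_ACK, KEY_MIC, SECURE = 0x0040, 0x0080, 0x0100, 0x0200
SENDER = {1: "AP", 2: "client", 3: "AP", 4: "client"}

def classify_eapol_key(eapol: bytes):
    """Return the 4-way handshake message number (1-4), or None if the
    bytes are not a pairwise EAPOL-Key frame."""
    if len(eapol) < 7 or eapol[1] != 3:      # EAPOL packet type 3 = Key
        return None
    (info,) = struct.unpack_from(">H", eapol, 5)  # after ver, type, len, descriptor
    if not info & 0x0008:                    # key type bit: 1 = pairwise
        return None
    ack, mic = bool(info & KEY_ACK), bool(info & KEY_MIC)
    if ack and not mic:
        return 1
    if ack and mic:
        return 3 if info & INSTALL else None
    if mic:
        return 4 if info & SECURE else 2     # WPA2 (RSN) sets Secure in 4/4
    return None

def handshake_report(frames):
    """Map each missing message number to the station that transmits it."""
    seen = {classify_eapol_key(f) for f in frames} - {None}
    return {n: SENDER[n] for n in (1, 2, 3, 4) if n not in seen}

def make_frame(key_info: int) -> bytes:
    """Constructed sample: EAPOL header + RSN key descriptor, fields zeroed."""
    body = struct.pack(">BHH", 2, key_info, 16) + bytes(90)  # 95-byte descriptor
    return struct.pack(">BBH", 2, 3, len(body)) + body

# Constructed capture matching the first post: only 1/4 and 3/4 were seen.
partial = [make_frame(0x008A), make_frame(0x13CA)]
full = partial + [make_frame(0x010A), make_frame(0x030A)]

if __name__ == "__main__":
    print("missing from partial capture:", handshake_report(partial))
    print("missing from full capture:", handshake_report(full))
```

When every missing message belongs to the same sender, the monitor-mode adapter is not decoding that station's transmissions.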
