I'm posting this in the experts section because I have pretty much exhausted every link I have found on google regarding this topic, and I'd like some of the most experienced eyes on the problem, because something obscure must be going on.
Systems tested on
VirtualBox 4.1.22 VM: Ubuntu 12.10 x64
VirtualBox 4.1.22 VM: Ubuntu 10.04 x64
VirtualBox 4.1.22 VM: Backtrack 5 r2
VirtualBox 4.1.22 VM: Backtrack 5 r3
Lenovo W530 laptop running Backtrack 5 r2
Alfa AWUS036H - FCC ID UQ2AWUS036H (you can verify RTL8187L chipset at http://transition.fcc.gov/oet/ea/fccid/ Enter grantee code: UQ2, product code: AWUS036H, then clicking "detail" and then "internal photos").
The problem is that while I'm running wlan0 in monitor mode, I only see broadcast packets (I see ARPs, DHCP transactions, beacons, and other random management and data packets that are being broadcast or multicast). This is the case in kismet, wireshark 1.2.x, 1.4.x, and 1.8.x, and my own packet reader program that uses libpcap. The clients that I have set up running pings and http traffic are connected to an open wireless g network. The computer I am sniffing from is not connected to any network.
I have tested more configurations than I can list, but I'll try to give a good idea of what I've done.
The USB wireless card I listed (Alfa AWUS036H) is using the rtl8187 driver. Relevant commands and their outputs are listed below:
Bus 001 Device 009: ID 0bda:8187 Realtek Semiconductor Corp. RTL8187 Wireless Adapter
Bus 001 Device 007: ID 80ee:0021
Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
I've made sure the wireless card is on channel 6, the same channel my open network is on. I have tried both putting wlan0 into monitor mode manually using:
# lsmod|grep 80211
mac80211 238928 1 rtl8187
cfg80211 148725 2 rtl8187,mac80211
And also using airmon-ng to create a mon0 device:
# ifconfig wlan0 down
# iwconfig wlan0 mode monitor
# iwconfig wlan0 channel 6
# ifconfig wlan0 up
When using iwconfig, I can verify wlan0 is in monitor mode:
# airmon-ng start wlan0 6
Interface Chipset Driver
wlan0 RTL8187 rtl8187 - [phy5]
(monitor mode enabled on mon0)
When I use iwconfig to put the card into monitor mode manually, I use the interface wlan0 in wireshark and kismet. When using airmon-ng to create a mon0 interface that is in monitor mode, I use mon0.
wlan0 IEEE 802.11bg Mode:Monitor Frequency:2.437 GHz Tx-Power=27 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
In both cases, I get the same result: kismet and wireshark will see all the broadcast packets from the APs around me, but never any ICMP or HTTP traffic I'm creating from other clients in order to test.
I am not associated or authenticated to any AP. I did this a few months ago at a workshop and it worked great; we saw tons of HTTP traffic flying around.
For most of the same type of questions asked here, the problem had to do with them being associated to a network or that they were on an encrypted network and weren't entering the key properly. I cannot find any issue with the setup or the device. Any ideas? Thanks for any help.