Wireshark mailing list archives

Re: 802.11 monitoring help


From: Frank Barta <fbarta () gmail com>
Date: Wed, 17 Feb 2010 11:59:23 -0500

I've seen some similar output behavior in Wireshark for Windows. I've not
worked with the Linux version, so take these suggestions with a grain of
salt:

1. Try disabling decryption.
2. Try toggling the various settings for "Ignore the protection bit".
3. Try Toggling the setting for "Assume Packets have FCS".

You've likely already looked here, but in case you have not, there may be
information in here which can help you:
http://wiki.wireshark.org/CaptureSetup/WLAN .


On Wed, Feb 17, 2010 at 11:44 AM, Thomas Morton <
morton.thomas () googlemail com> wrote:

Hey all,

Im working on something that has hit a brick wall - so hopefully some
external help will point me in the right direction.

The premise is thus:

Im trying to monitor traffic on a wireless network. I have Wireshark
running on Backtrack Linux and a Ubiquiti wireless card (which supports
promiscuous mode).

I have joined the network ok and wireshark is up and sniffing the network
fine. It captures data from/to the local machine perfectly (as you would
expect).

The problem is when you introduce a new machine into the network. Wireshark
DOES capture all data to/from the new machine but it refuses to display most
of it in a recognizable format. Broadcast/Multicast stuff (like NBNS
packets) are displayed correctly showing both the source/destination IP
addresses and the packet contents.

But the problem is that stuff like HTTP traffic is just displayed as, I
think, the raw 802.11 packet - and nothing i can do will convince Wireshark
to decode that.

The packets are recognized as either LLC, SNA or (this last appears to be
the HTTP data) 0x05f8. The source/destination are displayed as MAC
addresses.

I have tried adding WPA decryption keys to Wireshark as well (just in
case...) with no joy.

Version is 1.0.3.

Any suggestions *very* gratefully accepted!

Tom




___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request () wireshark org
?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

Current thread: