Why does airodump-ng shows 2.4GHz AP beacons, but wireshark does not?

Question

I'm debugging some edits I made to hostapd which requires me to capture some beacon frames, but I can only capture them with airodump-ng and not with wireshark.

I have a Panda PAU09 adapter running on Kali.

Method #1:

I fire up airmon-ng and put the Panda into monitor mode. Next I run airodump-ng to find the BSSID and channel of my system running hostapd. Then I run airodump-ng again to capture to a file. I open the CAP file in Wireshark, and there are my beacons. COOL! Exactly what I needed!

Method #2:

I put the interface into monitor mode and start Wireshark on that monitor interface. I set the filter to just look for beacons and see tons of them... but none from my AP. I remove the filter and see no traffic at all from the MAC. I even log into the hostAP system to verify the MAC and it is correct. No traffic from that device at all in wireshark, but plenty with airodump.

I'd really like to just use Wireshark.

Thoughts on how to debug?

Thanks.

Answer 1

airodump-ng will hop channels unless given a specific channel with the -c flag, whereas Wireshark is going to capture wireless traffic on whatever channel the interface is on, and does not dynamically adjust the channel. If there are other processes running on your system that manipulate the wireless card (e.g. scanning for networks), the channel may be changing unexpectedly. Or, it is likely not hopping channels, but is currently on the wrong channel.

You can manually set the channel by opening the "Wireless Toolbar" under the "View" menu in Wireshark, or using the iw utility:

# iw dev <interface> set channel <channel>

If you desire channel hopping, you could put the above command in a script that cycles through all available channels.

If you have the aircrack-ng suite installed, the airodump-ng command can tell you what processes may be using your wireless card so that you can kill them.