How to capture TCP/IP traffic on a wireless connection in 802.11x frame format?


I'm using the Wireshark program to sniff my traffic. When I change the mode of my network card from managed mode to monitor mode, I only see "beacon frames" and "RTS & CTS" packets in Wireshark. Is there any way to sniff TCP/IP traffic in 802.11x frame format instead of Ethernet in Wireshark or something else?

Separately,

Is there any way to sniff the TCP/IP traffic of my wireless card without changing to monitor mode? Because when I changed the mode of my wireless card to monitor mode, the internet connection went down and I could not connect to any website. As a result, I cannot sniff my TCP/IP traffic using Wireshark on a wireless connection.

Thanks in advance.

Pioneerhfy

Posted 2017-08-27T15:07:09.270


Answers


In my experience, most wireless cards are not good at maintaining a working network connection while simultaneously doing 802.11 monitor mode packet capture. Usually when one tries to do both simultaneously on the same card, one doesn't end up seeing all the 802.11 packets one was supposed to see, especially the 802.11 Acks the card firmware transmitted.

So I recommend against trying to do what you're doing.

If you want to capture all the 802.11 traffic between an AP and a client, set up a separate wireless sniffer machine halfway in between the two devices, and put it in full 802.11 monitor mode (disassociated from all networks, just tuned to the channel that the target AP and client are on). Make sure the sniffer machine's wireless card is capable of all the modulation and coding schemes that the target AP and client both support. For example, if the AP and client are both 3-stream 802.11ac supporting MCS 9x3, you need your sniffer to support 3-stream 802.11ac MCS 9x3 in order to see any traffic the AP or client transmits using that scheme. Even when you get the hardware right, beware that the very nature of MIMO spatial streams and beamforming means that any transmitted signal is so tailored to be perfect for the intended receiver that there's no guarantee it will be of sufficient quality for any eavesdropper/sniffer to receive in any other location.

If you do the independent sniffer setup I suggest, make sure your network either uses no security, or, if it's using WPA2-PSK, make sure to start the sniffer before the target client joins the AP. You need to capture the WPA2 key handshake and know the WPA2-PSK passphrase for the network in order to decrypt the traffic from the target client.

If you simply can't set up an independent sniffer, I suggest that you capture packets in normal Ethernet style if you think your problem is at the IP layer or above, and capture packets in "associated monitor mode" if you think the problem is at the 802.11 layer. However, again, you probably won't be able to fully diagnose 802.11 problems this way, as you probably won't see the Acks your client is sending. So there will be gaps in your knowledge of what happened over the air, which will make it hard to diagnose problems.

Spiff

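The answer above says the sniffer must see the WPA2 4-way handshake and you must know the PSK passphrase before Wireshark can decrypt the client's traffic. The following added example (not part of the answer, and not Wireshark's own code) shows what Wireshark does with a "wpa-pwd" entry: it derives the PMK from passphrase and SSID with PBKDF2-HMAC-SHA1, expands it into the PTK using the two MAC addresses and the two nonces from the handshake, and checks the Key MIC of handshake message 2 with the KCK. If the MIC check fails, the capture is missing a handshake frame or the passphrase/SSID is wrong, so nothing will decrypt. The MAC addresses, nonces and the message 2 frame below are constructed for the demo; the PMK test vector ("password" / "IEEE") is the one published in the IEEE 802.11 standard's annex.

```python
import hashlib
import hmac

EAPOL_MIC_OFFSET = 81  # EAPOL header (4) + descriptor fields up to the Key MIC (77)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK PMK: PBKDF2-HMAC-SHA1, 4096 iterations, 256 bits, salted with the SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
                 length: int = 48) -> bytes:
    """802.11 PRF-384: PTK = PRF(PMK, "Pairwise key expansion", min/max of MACs and nonces).

    For CCMP the PTK is 48 bytes: KCK (16) | KEK (16) | TK (16). The first 16 bytes
    (KCK) authenticate the handshake; the TK is what decrypts the data frames.
    """
    b = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    i = 0
    while len(out) < length:
        out += hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + b + bytes([i]),
                        hashlib.sha1).digest()
        i += 1
    return out[:length]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key MIC for key descriptor version 2 (HMAC-SHA1-128) over the frame with the MIC zeroed."""
    zeroed = (eapol_frame[:EAPOL_MIC_OFFSET] + bytes(16)
              + eapol_frame[EAPOL_MIC_OFFSET + 16:])
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def handshake_matches_passphrase(passphrase: str, ssid: str, aa: bytes, spa: bytes,
                                 anonce: bytes, snonce: bytes, msg2: bytes) -> bool:
    """True if the Key MIC in handshake message 2 verifies under the given passphrase/SSID.

    This is the same check that decides whether a capture can be decrypted: the
    inputs are exactly the fields Wireshark needs from the captured 4-way handshake.
    """
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    expected = eapol_mic(kck, msg2)
    return hmac.compare_digest(expected, msg2[EAPOL_MIC_OFFSET:EAPOL_MIC_OFFSET + 16])


def build_demo_message2(passphrase: str, ssid: str, aa: bytes, spa: bytes,
                        anonce: bytes, snonce: bytes) -> bytes:
    """Constructed EAPOL-Key message 2 (client -> AP) carrying SNonce and a valid MIC.

    Layout: EAPOL version 2, type 3 (Key), length, then the RSN key descriptor:
    type (2) | key info 0x010a (pairwise, MIC, version 2) | key length | replay
    counter | nonce | IV | RSC | ID | MIC | key data length (0).
    """
    body = (bytes([2]) + b"\x01\x0a" + b"\x00\x00" + (1).to_bytes(8, "big")
            + snonce + bytes(16) + bytes(8) + bytes(8) + bytes(16) + b"\x00\x00")
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    mic = eapol_mic(kck, frame)
    return frame[:EAPOL_MIC_OFFSET] + mic + frame[EAPOL_MIC_OFFSET + 16:]


# Constructed demo values (not from any real capture).
DEMO_AA = bytes.fromhex("001122334455")      # AP (authenticator) MAC
DEMO_SPA = bytes.fromhex("66778899aabb")     # client (supplicant) MAC
DEMO_ANONCE = bytes(range(32))
DEMO_SNONCE = bytes(range(32, 64))
DEMO_SSID = "HomeLabNet"
DEMO_PASSPHRASE = "correct horse battery"
DEMO_MSG2 = build_demo_message2(DEMO_PASSPHRASE, DEMO_SSID, DEMO_AA, DEMO_SPA,
                                DEMO_ANONCE, DEMO_SNONCE)

if __name__ == "__main__":
    print("PMK(password, IEEE) =", pmk_from_passphrase("password", "IEEE").hex())
    print("handshake verifies with right passphrase:",
          handshake_matches_passphrase(DEMO_PASSPHRASE, DEMO_SSID, DEMO_AA, DEMO_SPA,
                                       DEMO_ANONCE, DEMO_SNONCE, DEMO_MSG2))
    print("handshake verifies with wrong SSID:",
          handshake_matches_passphrase(DEMO_PASSPHRASE, "OtherNet", DEMO_AA, DEMO_SPA,
                                       DEMO_ANONCE, DEMO_SNONCE, DEMO_MSG2))
```

Because the SSID is part of the PMK derivation, the same passphrase on a renamed network yields a different PMK, and because the nonces are fresh for every association, a sniffer started after the client joined has no way to recover the PTK even with the passphrase; that is why the answer insists on starting the capture before the client connects.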