Why network card in monitor mode cannot see everything?

3

I was hoping that when I put my wireless network card in monitor mode, I will be able to sniff everything in my WLAN. But I was surprised to see that I can only sniff prob requests from other devices connected to the same AP as my laptop. Even though I have disabled any sort of encryption. Even when I disconnect and reconnect my android, I cannot see the association request.

Does this has to do with channels and frequencies??

user304202

Posted 2014-03-17T18:54:04.667

Reputation: 35

You might also want to look here: https://osqa-ask.wireshark.org/questions/54433/why-cant-i-capture-data-packets-in-monitor-mode

– Pierz – 2018-02-06T10:39:49.163

It has to do with the AP acting as a switch.

– Ƭᴇcʜιᴇ007 – 2014-03-17T19:01:51.470

what dose that mean?? – user304202 – 2014-03-18T12:44:03.360

The AP is acting like a switch does, in that it's controlling traffic between the wired and wireless sides which prevents your traffic sniffer from seeing other traffic. For more info, read the link I provided. – Ƭᴇcʜιᴇ007 – 2014-03-18T14:23:20.067

Answers

2

Here are some of the top reasons why an 802.11 Monitor Mode interface might not see all traffic you might expect it to see:

  1. It's not on the same channel as the target traffic. If you know what AP the target device is on (or is going to try to join) see what channel that AP is on, and tune your sniffer's radio to that channel.
  2. It's not on the right channel width setting. Let's say you set it for channel 36 with a channel width of 20MHz, but your target devices are making use of 40MHz channel widths.
  3. It's only looking at its own BSS. If you try to do a monitor mode capture on a wireless interface that's associated to an AP, the card may still be filtering on the BSSID, rather than showing you all transmissions on that channel. It's best to disassociate your card from the AP before putting it into monitor mode.
  4. It's not in promiscuous mode. Promiscuous mode (show me everyone's traffic, not just my own) can be orthogonal to Monitor mode (show me the 802.11 headers and 802.11-specific frame types). Make sure you've also selected promiscuous mode.
  5. The sniffer machine's radio doesn't support the exact flavor of 802.11 that the target devices are using. For example, if the target devices are using 3-spatial-stream data rates, and the sniffer's card only has support for 2 spatial streams. Besides spacial streams, some other common factors are channel widths, and short vs. long guard intervals. And of course, a/b/g/n/ac.
  6. The sniffer machine is not in range of the target wireless devices, or there's too much interference, so the sniffer machine's radio can't successfully demodulate the transmissions. Note that the increasing use of beamforming helps devices steer their RF energy right to where the intended receiver is, which means less of that energy goes to where the sniffer machine is, meaning the sniffer will get a worse signal:noise ratio, and less likelihood of demodulating packets sent at the highest data rates.
  7. The sniffer machine is throwing away frames it can't decrypt. Check your filters, and if you've set up encryption keys in the sniffer, check your keys and key-related settings.
  8. Other sniffer filter problems; make sure you've cleared all filters.

Spiff

Posted 2014-03-17T18:54:04.667

Reputation: 84 656

0

I successfully sniffed traffic on Kali Linux on a old MacBook Pro, but had issues with a newer Android Tablet. Turns out I had to put my access point in Legacy Mode, so I could force the tablet not to use High Throughput (HT).
More specifically, my network card could only see traffic sent slower than 54Mbps.

ExchangeIdeas

Posted 2014-03-17T18:54:04.667

Reputation: 11

Asked: 2014-03-17T18:54:04.667

Viewed: 1 833 times

Active: 2017-05-03T21:04:51.017