Wireshark only captures packets to or from this device

1

2

I use wireshark on ubuntu 14.04 and I am trying to sniff wifi traffic of other devices in my network. I run wireshark or tshark on wlan0, start capturing packets and send some pings or open some pages on my phone, but my ubuntu laptop doesn't capture that - it only sees packages from its own ip to other ip addresses, from other ip addresses to its own ip, and broadcast packets.

Manually turning on promiscuous mode for wlan0 using sudo ip link set wlan0 promisc on doesn't help.

It looks like my wifi adapter is able to use both promiscuous mode and monitor mode because I can do sudo airmon-ng start wlan0 and a new mon0 interface will appear and I can capture its packages with wireshark, however that's not what I need. Those packages on mon0 are all of protocol 802.11 and not tcp, icmp, etc. as on wlan0.

Update

I decided to eliminate the possibility that it's ubuntu's NetworkManager or some other stuff interfering with wireshark, so I tried kali linux.

Here are the exact steps I use:

  1. Load kali linux
  2. Connect to my home network using gnome wireless networks widget thing.
  3. Run wireshark, press Capture Options, check wlan0, check that Prom. Mode is enabled and Mon. Mode is disabled, leave everything else on default
  4. Press Start
  5. Ping the ip address of my kali linux laptop from my phone
  6. Notice that I can see ICMP packets from my phone's IP address to my kali laptop IP and vice-versa
  7. Ping 8.8.8.8 from my phone
  8. Notice that I can't see any packets from my phone's IP to anywhere but I can see packets of LLC protocol from "Netgear_d9:19:e8" (that's my router I guess) to "SamsungE_2d:ad:da" (that's my phone I guess)

CrabMan

Posted 2015-03-16T21:20:39.703

Reputation: 168

802.11 just specifies that you're using an Over-the-air (WLAN) interface between clients. It will still be using TCP, ICMP, etc, as opposed to regular Ethernet cabling. What wireless chipset/wifi card are you using? – None – 2015-03-16T21:58:48.353

@JayHolister Network controller [0280]: Intel Corporation Centrino Advanced-N 6235 [8086:088e] (rev 24) – CrabMan – 2015-03-16T22:03:23.950

@JayHolister Are you asking if I am on the network I want to sniff packages on? Yes, I am. It's my home wifi network with encryption. Can the encryption be the problem? – CrabMan – 2015-03-16T22:12:51.807

Your wireless encryption shouldn't prevent you from capturing packets. Please describe in detail (in your above question) what steps you took to capture packets. – None – 2015-03-16T22:23:40.470

@JayHolister ok, I did that – CrabMan – 2015-03-16T23:27:13.157

Your laptop only sees traffic that is being sent between the laptop and your wireless access point. To capture all traffic going through the router you must either be capturing on the router, or somehow force the packets to your PC from your router. – RoraΖ – 2015-03-17T11:46:19.403

Answers

1

I believe you could solve your problem with airmon-ng (this should be installed by default on Kali).

Answer provided by Kurt Knochner on ask.wireshark.org Source


ifconfig -a

Do you see a wlan0 or wlan1 interface?

If no, your wireless card is not recognized by your kernel and there is nothing Wireshark can do about it. Stop here and ask the people in the user forum of your Linux distribution (Ubuntu, Fedora, etc.) how to add a working driver for your wireless card.

If you do see wlan0/1, proceed with

sudo airmon-ng start wlan0 

or

sudo airmon-ng start wlan1

depending on which wireless interface you want to capture. That command should report the following message:

monitor mode enabled on mon0

Now, capture on mon0 with tcpdump and/or dumpcap.

sudo tcpdump -ni mon0 -w /var/tmp/wlan.pcap

or

sudo dumpcap -ni mon0 -w /var/tmp/wlan.pcap

Then open that file with Wireshark

wireshark -nr /var/tmp/wlan.pcap

Jay Holister

Posted 2015-03-16T21:20:39.703

Reputation: 123

"Now, capture on mon0 with tcpdump and/or dumpcap." Or Wireshark. In any case, you'll need to decrypt the traffic. – None – 2015-03-17T04:25:49.697

0

Promiscuous mode rarely, if ever, does what you want on Wi-Fi devices; you'll have to capture in monitor mode. (No, there is no workaround here.)

Those packages on mon0 are all of protocol 802.11

That's because you're on a protected network, using WEP or WPA/WPA2 encryption. You will have to provide Wireshark with the password for the network and, for networks using WPA/WPA2 (which most protected networks do), you will have to, for each of the devices whose traffic you want to decrypt, force them to disconnect from the network and reconnect to the network after you start capturing, so you capture the initial EAPOL handshake. For a phone or tablet, turning them off and on again should suffice; for a laptop, closing the lid and reopening it should suffice. (You want to put them to sleep and have them wake up again.)

See the Wireshark wiki's "How to decrypt 802.11" page for details.

user164970

Posted 2015-03-16T21:20:39.703

Reputation:
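The decryption step this answer describes (and the comment on the first answer that "you'll need to decrypt the traffic") boils down to arithmetic Wireshark performs once it has the passphrase and the captured EAPOL handshake: PBKDF2 turns passphrase and SSID into the PMK, PRF-512 turns PMK, both MAC addresses and both nonces into the PTK, and the first 16 bytes of the PTK (the KCK) validate the MIC on handshake message 2. The script below is an added example, not code from either answer or from the Wireshark project; it shows the check a practitioner would want when Wireshark still displays nothing but 802.11 frames after the password is entered: does the handshake in my capture actually validate against the passphrase I typed? The PMK test vector (passphrase "password", SSID "IEEE") is the one published in IEEE 802.11i Annex H; the MAC addresses, nonces and handshake message 2 are constructed here. It assumes WPA2/RSN with EAPOL-Key descriptor version 2 (HMAC-SHA1-128); WPA1/TKIP uses HMAC-MD5 and is not handled.

```python
"""WPA2-PSK key derivation and 4-way-handshake MIC check.

Added example (not from the Super User answers above).  Reproduces what
Wireshark does with the passphrase you give it and the EAPOL handshake it
finds in a monitor-mode capture: PBKDF2 -> PMK, PRF-512 -> PTK, then an
HMAC-SHA1-128 check of message 2's MIC with the KCK.  Standard library only.
Assumes WPA2/RSN with EAPOL-Key descriptor version 2 (HMAC-SHA1).
"""
import hashlib
import hmac

MIC_OFFSET = 81   # Key MIC field: 4-byte 802.1X header + 77 bytes of EAPOL-Key body
MIC_LEN = 16


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK from PMK, both MAC addresses and both nonces (argument order does not matter)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def split_ptk(ptk):
    """KCK signs the handshake, KEK wraps the group key, TK decrypts the data frames."""
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck, eapol_frame):
    """HMAC-SHA1-128 over the whole EAPOL frame with the MIC field zeroed."""
    zeroed = (eapol_frame[:MIC_OFFSET] + b"\x00" * MIC_LEN
              + eapol_frame[MIC_OFFSET + MIC_LEN:])
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def verify_eapol_mic(kck, eapol_frame):
    """Constant-time comparison of the computed MIC against the one in the frame."""
    return hmac.compare_digest(eapol_mic(kck, eapol_frame),
                               eapol_frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN])


def handshake_matches(passphrase, ssid, ap_mac, sta_mac, anonce, snonce, msg2):
    """True when the passphrase yields a KCK that validates message 2 of the handshake."""
    ptk = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return verify_eapol_mic(split_ptk(ptk)["kck"], msg2)


def build_msg2(snonce, kck):
    """Constructed handshake message 2 (STA -> AP) with a valid MIC; demo input only."""
    body = (bytes([2])                      # descriptor type 2 = RSN
            + (0x010A).to_bytes(2, "big")   # key info: version 2, pairwise, MIC present
            + (16).to_bytes(2, "big")       # key length (CCMP)
            + (1).to_bytes(8, "big")        # replay counter
            + snonce                        # 32-byte SNonce
            + b"\x00" * 16                  # key IV
            + b"\x00" * 8                   # key RSC
            + b"\x00" * 8                   # key ID (reserved)
            + b"\x00" * MIC_LEN             # MIC, filled in below
            + (0).to_bytes(2, "big"))       # key data length (RSN IE omitted here)
    frame = bytes([2, 3]) + len(body).to_bytes(2, "big") + body  # 802.1X-2004, EAPOL-Key
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + MIC_LEN:]


# Constructed sample values: a made-up BSSID/STA pair and fixed nonces.
AP_MAC = bytes.fromhex("02aabbccddee")
STA_MAC = bytes.fromhex("021122334455")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
PASSPHRASE, SSID = "password", "IEEE"   # IEEE 802.11i Annex H test vector


def demo():
    """Derive keys for the constructed network and test right and wrong passphrases."""
    pmk = derive_pmk(PASSPHRASE, SSID)
    kck = split_ptk(derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE))["kck"]
    msg2 = build_msg2(SNONCE, kck)
    return {
        "pmk": pmk.hex(),
        "mic_ok_right_passphrase": handshake_matches(
            PASSPHRASE, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, msg2),
        "mic_ok_wrong_passphrase": handshake_matches(
            "wrong passphrase", SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, msg2),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

This is why the answer insists on capturing the reconnect: without ANonce and SNonce from messages 1 and 2, the PMK alone cannot produce the TK, so Wireshark has nothing to decrypt with even when the passphrase is correct. A MIC that fails against your own passphrase usually means the capture holds a stale or partial handshake rather than a wrong password.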