Re: 802.11 monitoring help

[Thomas Morton <morton.thomas () googlemail com>]

hey Frank,

> 1. Try disabling decryption.

After emailing the list that was what I tried next. This works: it picks up
TCP traffic and seems to recognise the HTTP requests (though
it doesn't present it in quite the right way, need to test that).

The problem is I have to get this working with encryption (the monitor is
going to sit on a network people will be using for a few months).

> 2. Try toggling the various settings for "Ignore the protection bit".
> 3. Try Toggling the setting for "Assume Packets have FCS".

I'll give these a shot tomorrow, thanks for the suggestion!

Tom

On 17 February 2010 16:59, Frank Barta <fbarta () gmail com> wrote:

> I've seen some similar output behavior in Wireshark for Windows. I've not
> worked with the Linux version, so take these suggestions with a grain of
> salt:
>
> 1. Try disabling decryption.
> 2. Try toggling the various settings for "Ignore the protection bit".
> 3. Try Toggling the setting for "Assume Packets have FCS".
>
> You've likely already looked here, but in case you have not, there may be
> information in here which can help you:
> http://wiki.wireshark.org/CaptureSetup/WLAN .
>
>
> On Wed, Feb 17, 2010 at 11:44 AM, Thomas Morton <
> morton.thomas () googlemail com> wrote:
>
> > Hey all,
> >
> > Im working on something that has hit a brick wall - so hopefully some
> > external help will point me in the right direction.
> >
> > The premise is thus:
> >
> > Im trying to monitor traffic on a wireless network. I have Wireshark
> > running on Backtrack Linux and a Ubiquiti wireless card (which supports
> > promiscuous mode).
> >
> > I have joined the network ok and wireshark is up and sniffing the network
> > fine. It captures data from/to the local machine perfectly (as you would
> > expect).
> >
> > The problem is when you introduce a new machine into the network.
> > Wireshark DOES capture all data to/from the new machine but it refuses to
> > display most of it in a recognizable format. Broadcast/Multicast stuff (like
> > NBNS packets) are displayed correctly showing both the source/destination IP
> > addresses and the packet contents.
> >
> > But the problem is that stuff like HTTP traffic is just displayed as, I
> > think, the raw 802.11 packet - and nothing i can do will convince Wireshark
> > to decode that.
> >
> > The packets are recognized as either LLC, SNA or (this last appears to be
> > the HTTP data) 0x05f8. The source/destination are displayed as MAC
> > addresses.
> >
> > I have tried adding WPA decryption keys to Wireshark as well (just in
> > case...) with no joy.
> >
> > Version is 1.0.3.
> >
> > Any suggestions *very* gratefully accepted!
> >
> > Tom
> >
> >
> >
> >
> >
> > ___________________________________________________________________________
> > Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> > Archives:    http://www.wireshark.org/lists/wireshark-users
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> >             mailto:wireshark-users-request () wireshark org
> > ?subject=unsubscribe
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request () wireshark org
> ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe