0
votes

I was trying to sniff packets on my home wifi between other devices using aircrack-ng and Wireshark. My network card is a Broadcom 4313. According to my research, it should be able to monitor the network. My OS is Lubuntu 15.10. It's a pretty fresh installation.

What I was exactly doing is:

  1. stop network manager service NetworkManager stop
  2. set wlan0 into monitor mode by airmon-ng wlan0 start > result is "monitor mode on mon0"
  3. airmon-ng wlan0 stop (I also tried it without this step, doesn't work either)
  4. start wireshark, enable monitor mode on mon0 and sniff traffic on mon0

My wlan is using a WPA2 password. This was entered in the corresponding section in Wireshark as wpa-pwd in the format password:ssid (clear text), and "enable decryption" is turned on.

But when I sniff now, I only see broadcast packages and "802.11" protocol.

What should I try next? Have I done something wrong?

1 Answer

4
votes

> My wlan is using a WPA2 password.

Did you capture the EAPOL handshake, as the Wireshark Wiki's "how to decrypt 802.11" page says, in the "Gotchas" section, you have to do? As that section says:

> WPA and WPA2 use keys derived from an EAPOL handshake, which occurs when a machine joins a Wi-Fi network, to encrypt traffic. Unless all four handshake packets are present for the session you're trying to decrypt, Wireshark won't be able to decrypt the traffic. You can use the display filter eapol to locate EAPOL packets in your capture.

If you don't have the handshake, Wireshark won't be able to decrypt the packets, and will therefore not be able to dissect them past the 802.11 layer, and will report them as "802.11" packets.
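
The "all four handshake packets" condition from the answer can be checked per station. The following is an added example, not code from the post or from Wireshark. It classifies raw EAPOL-Key frames (starting at the 802.1X version byte) by their Key Information flags and reports which of the four messages are missing. It assumes WPA2 with the RSN key descriptor; the frames and MAC addresses are constructed sample data.

```python
import struct
from collections import defaultdict

# Key Information flag bits in an EAPOL-Key frame (IEEE 802.11 key descriptor)
PAIRWISE, KEY_ACK, KEY_MIC, SECURE = 0x0008, 0x0080, 0x0100, 0x0200

def handshake_message(eapol: bytes):
    """Return 1..4 for a WPA2 pairwise 4-way handshake message, else None."""
    if len(eapol) < 7:
        return None
    _ver, ptype, _len, desc, info = struct.unpack_from("!BBHBH", eapol)
    if ptype != 3 or desc != 2:      # not EAPOL-Key, or not the RSN descriptor
        return None
    if not info & PAIRWISE:          # group key handshake, not the 4-way one
        return None
    ack, mic = bool(info & KEY_ACK), bool(info & KEY_MIC)
    if ack:
        return 3 if mic else 1       # AP -> station: message 1, then message 3
    if mic:
        return 4 if info & SECURE else 2   # station -> AP: message 2, then 4
    return None

def missing_by_station(frames):
    """frames: iterable of (station_mac, eapol_bytes). Map station -> missing msgs."""
    seen = defaultdict(set)
    for mac, eapol in frames:
        seen[mac]  # register the station even if this frame is not a handshake msg
        msg = handshake_message(eapol)
        if msg:
            seen[mac].add(msg)
    return {mac: sorted({1, 2, 3, 4} - msgs) for mac, msgs in seen.items()}

def _frame(info):
    # Constructed EAPOL-Key frame: 802.1X header, descriptor type, Key Info, zeroed body
    return struct.pack("!BBHBH", 2, 3, 95, 2, info) + bytes(92)

# Constructed sample: station A joined while the capture was running; for
# station B only the tail of a handshake was captured.
SAMPLE = [("aa:aa:aa:aa:aa:aa", _frame(i)) for i in (0x008A, 0x010A, 0x13CA, 0x030A)]
SAMPLE += [("bb:bb:bb:bb:bb:bb", _frame(i)) for i in (0x13CA, 0x030A)]

if __name__ == "__main__":
    for mac, missing in missing_by_station(SAMPLE).items():
        print(mac, "complete" if not missing else f"missing messages {missing}")
```

A station with a non-empty "missing" list is one whose traffic will stay at the 802.11 layer in the dissection, as the answer describes.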