Why isn't Wireshark showing high layer packets like ICMP/IP/UDP? (Only broadcast packets are shown)
I am using Wireshark for 802.11g sniffing. The AP is not using any encryption. These are my observations:
- The vast majority of packets are beacons and probe requests.
- If I filter out beacons using the filter `!(wlan.fc.type_subtype==0x08)`, I can see some ARP, ICMPv6, IGMPv3 and DHCP packets. These packets mostly came when a fresh connection is made from a station to an AP.
- When I do ping or telnet, I cannot see any Data packets, even when the ping/telnet operations are clearly going on and successful.
- Basically, only broadcast packets get displayed. (One exception is that some packets are shown with the Destination Address being Cisco_00:00:00/01:0b:85:00:00:00.)
Does anybody know what went wrong?
My Wireshark version is 1.8.2. I am using Ubuntu 12.10 and a USB wireless adaptor, a Belkin F5D7050. I have put the WLAN interface into monitor mode with `airmon-ng start wlan1`.
(Update: It looks like a driver or hardware issue. There are some similar discussions like here.)
networking wireless-networking security ping wireshark
edited Feb 7 at 23:32 by grooveplex
asked Apr 29 '13 at 19:22 by Penghe Geng
Did you run Wireshark on `wlan1` or `mon0`? Only the latter is a monitor interface. – grawity, Apr 29 '13 at 19:34
It's `mon0`. wlan1 is not even shown in the Wireshark Capture Interfaces dialog. – Penghe Geng, Apr 29 '13 at 19:40
1 Answer
You're probably capturing on a "protected" network, i.e. one using WEP or WPA/WPA2 encryption, and Wireshark can only dissect the payload of those frames if it has enough information to decrypt them. The "How to Decrypt 802.11" page of the Wireshark Wiki explains this in detail.
answered Apr 29 '13 at 19:30 by user164970
No. I am not using any encryption. I just updated my question. And if I were using encryption, I could have at least seen some Data packets. But now if I filter out the AP's beacon message, I couldn't see any packets when I do Ping or telnet. – Penghe Geng, Apr 29 '13 at 19:33
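
Added example (not part of the thread, and not Wireshark code): a Python triage that separates the two explanations raised above, unicast data frames that are absent from the capture versus data frames that are present but carry the Protected flag. The frames are constructed by hand with a minimal radiotap header; the MAC addresses, function names and verdict strings are assumptions made for the illustration.

```python
import struct
from collections import Counter

def classify(frame: bytes):
    """Return (type_subtype, protected, group_addressed) for a radiotap-framed 802.11 frame."""
    rt_len = struct.unpack_from("<H", frame, 2)[0]    # radiotap length field (little-endian)
    if len(frame) < rt_len + 10:                      # need FC + duration + address 1
        return None
    fc0, fc1 = frame[rt_len], frame[rt_len + 1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    type_subtype = (ftype << 4) | subtype             # encoding used by wlan.fc.type_subtype
    protected = bool(fc1 & 0x40)                      # Protected Frame flag
    group = bool(frame[rt_len + 4] & 0x01)            # group bit of the receiver address
    return type_subtype, protected, group

def diagnose(frames):
    """Tally data frames and name which explanation from the thread fits the capture."""
    stats = Counter()
    for info in filter(None, map(classify, frames)):
        ts, protected, group = info
        if ts >> 4 != 2:                              # type 2 = data
            stats["non_data"] += 1
            continue
        stats[("group" if group else "unicast") + ("_protected" if protected else "_clear")] += 1
    if stats["unicast_clear"] + stats["unicast_protected"] == 0:
        return stats, "NO_UNICAST_DATA"               # no unicast data frames in the capture
    if stats["unicast_clear"] == 0:
        return stats, "UNICAST_ALL_PROTECTED"         # captured, but needs keys to dissect
    return stats, "UNICAST_CLEAR"                     # IP/ICMP/UDP should be dissected

# Constructed sample frames (hypothetical MAC addresses, minimal 8-byte radiotap header).
RT = bytes.fromhex("0000080000000000")
BCAST, AP, STA = b"\xff" * 6, bytes.fromhex("020000000001"), bytes.fromhex("020000000002")

def mk(fc0, fc1, addr1, addr2):
    return RT + bytes([fc0, fc1]) + b"\x00\x00" + addr1 + addr2 + AP + b"\x00\x00"

BEACON = mk(0x80, 0x00, BCAST, AP)        # management, subtype 8
PROBE_REQ = mk(0x40, 0x00, BCAST, STA)    # management, subtype 4
BCAST_DATA = mk(0x08, 0x02, BCAST, AP)    # data, From DS, broadcast (e.g. ARP)
UNI_PROT = mk(0x08, 0x41, AP, STA)        # data, To DS, Protected, unicast
UNI_CLEAR = mk(0x08, 0x01, AP, STA)       # data, To DS, unicast, cleartext

if __name__ == "__main__":
    for name, cap in [("as described in the question", [BEACON, PROBE_REQ, BCAST_DATA]),
                      ("protected network", [BEACON, BCAST_DATA, UNI_PROT]),
                      ("open network, working capture", [BEACON, UNI_CLEAR])]:
        print(name, *diagnose(cap))
```

A capture that yields `NO_UNICAST_DATA` matches the symptoms in the question, where decryption settings cannot help because the frames were never delivered to the capture; `UNICAST_ALL_PROTECTED` is the case the answer describes.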