Why isn't Wireshark showing high layer packets like ICMP/IP/UDP? (Only broadcast packets are shown)












1















I am using Wireshark for 802.11g sniffing. The AP is not using any encryption. These are my observations:




  1. The vast majority of packets are beacons and probe requests.

  2. If I filter out beacons using the filter !(wlan.fc.type_subtype==0x08), I can see some ARP, ICMPv6, IGMPv3 and DHCP packets. These packets mostly come when a fresh connection is made from a station to an AP.

  3. When I do Ping or telnet, I cannot see any Data packets, even when the Ping/telnet operations are clearly going on and successful.

  4. Basically, only broadcast packets get displayed. (One exception is that some packets are shown with the Destination Address being Cisco_00:00:00/01:0b:85:00:00:00.)


Does anybody know what went wrong?



My Wireshark version is 1.8.2. I am using Ubuntu 12.10 and a Belkin F5D7050 USB wireless adaptor. I have put the WLAN interface into monitor mode with airmon-ng start wlan1.



(Update: It looks like a driver or hardware issue. There are some similar discussions like here.)



































  • Did you run Wireshark on wlan1 or mon0? Only the latter is a monitor interface.

    – grawity
    Apr 29 '13 at 19:34











  • It's mon0. wlan1 is not even shown in the Wireshark Capture Interfaces dialog.

    – Penghe Geng
    Apr 29 '13 at 19:40
















networking wireless-networking security ping wireshark














edited Feb 7 at 23:32









grooveplex











asked Apr 29 '13 at 19:22









Penghe Geng























1 Answer


















1














You're probably capturing on a "protected" network, i.e. one using WEP or WPA/WPA2 encryption, and Wireshark can only dissect the payload of those frames if it has enough information to decrypt them. The "How to Decrypt 802.11" page of the Wireshark Wiki explains this in detail.

























  • No. I am not using any encryption. I just updated my question. And if I were using encryption, I could have at least seen some Data packets. But now if I filter out the AP's beacon message, I couldn't see any packets when I do Ping or telnet.

    – Penghe Geng
    Apr 29 '13 at 19:33























answered Apr 29 '13 at 19:30







user164970
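
One way to tell the two explanations in this thread apart (payload encrypted versus unicast Data frames never captured at all), as an added example that is not part of the original posts. It assumes radiotap-encapsulated frames from the monitor interface; the function names, verdict strings and sample frames are constructed for illustration.

```python
import struct
from collections import Counter

PROTECTED = 0x40  # Frame Control flags bit 6: frame body is encrypted

def classify(pkt: bytes) -> str:
    """Classify one radiotap-encapsulated 802.11 frame from a monitor-mode capture."""
    if len(pkt) < 4:
        return "truncated"
    rt_len = struct.unpack_from("<H", pkt, 2)[0]  # radiotap header length, little-endian
    mac = pkt[rt_len:]
    if len(mac) < 10:  # need Frame Control, Duration and Address 1
        return "truncated"
    fc0, flags = mac[0], mac[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 2:
        return ("mgmt", "ctrl", "data", "ext")[ftype]
    if subtype & 0x4:  # Null / QoS Null family: data frame without a body
        return "data-null"
    dest = "group" if mac[4] & 0x01 else "unicast"  # I/G bit of Address 1
    body = "protected" if flags & PROTECTED else "clear"
    return f"data-{dest}-{body}"

def diagnose(packets) -> str:
    """Separate 'frames captured but encrypted' from 'unicast data never captured'."""
    seen = Counter(classify(p) for p in packets)
    clear, prot = seen["data-unicast-clear"], seen["data-unicast-protected"]
    if clear + prot == 0:
        return "no-unicast-data"    # capture-side gap; decryption keys would not help
    if clear == 0:
        return "unicast-encrypted"  # Data frames present, payload needs keys to dissect
    return "unicast-visible"

# --- constructed sample frames (not from a real capture) ---
RADIOTAP = bytes.fromhex("0000080000000000")  # minimal 8-byte radiotap header

def frame(fc0: int, flags: int, addr1: str) -> bytes:
    mac = bytes([fc0, flags, 0, 0]) + bytes.fromhex(addr1) + bytes(14)
    return RADIOTAP + mac

BEACON = frame(0x80, 0x00, "ffffffffffff")       # raw byte 0x80 = type 0, subtype 8
PROBE_REQ = frame(0x40, 0x00, "ffffffffffff")
ARP_BCAST = frame(0x08, 0x02, "ffffffffffff")    # Data, FromDS, broadcast receiver
PING_CLEAR = frame(0x08, 0x01, "001122334455")   # Data, ToDS, unicast, open network
PING_WPA = frame(0x88, 0x41, "001122334455")     # QoS Data, ToDS, Protected bit set

if __name__ == "__main__":
    for name, cap in [("question", [BEACON, PROBE_REQ, ARP_BCAST]),
                      ("encrypted", [BEACON, PING_WPA]),
                      ("healthy", [BEACON, PING_CLEAR])]:
        print(name, diagnose(cap))
```

In Wireshark the same split is visible with the display filter wlan.fc.type == 2, then checking the Protected flag (wlan.fc.protected) on whatever frames remain.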














