Wireshark – Why Isn’t Wireshark Showing High Layer Packets

Tags: networking, ping, Security, wireless-networking, wireshark

I am using Wireshark for 802.11g sniffing. The AP is not using any encryption. These are my observations:

  1. The vast majority of packets are beacons and probe requests.
  2. If I filter out beacons using the filter !(wlan.fc.type_subtype==0x08), I can see some ARP, ICMPv6, IGMPv3 and DHCP packets. These packets mostly came when a fresh connection is made from a station to an AP.
  3. When I do Ping or telnet, I cannot see any Data packets, even when the Ping/telnet operations are clearly going on and successful.
  4. Basically, only broadcast packets get displayed. (One exception is some packets that are shown with the Destination Address being Cisco_00:00:00/01:0b:85:00:00:00.)

Does anybody know what went wrong?

My Wireshark version is 1.8.2. I am using Ubuntu 12.10 and a USB wireless adaptor, a Belkin F5D7050. I have put the WLAN interface into monitor mode with airmon-ng start wlan1.

(Update: It looks like a driver or hardware issue. There are some similar discussions like here.)

Best Answer

You're probably capturing on a "protected" network, i.e. one using WEP or WPA/WPA2 encryption, and Wireshark can only dissect the payload of those frames if it has enough information to decrypt them. The "How to Decrypt 802.11" page of the Wireshark Wiki explains this in detail.
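The question and the answer point at two different explanations for "no data frames": either the adapter/driver never delivers unicast data frames in monitor mode (the asker's conclusion), or the data frames are there but carry the Protected Frame bit, so Wireshark cannot dissect their payload without keys (the answer's explanation). The triage script below, an added example that is not part of the question, the answer or Wireshark itself, tells the two cases apart from the 802.11 header alone: it counts frames by wlan.fc.type_subtype (the field the asker filters on), then checks whether any data frames are unicast and whether they are Protected. It mirrors the Wireshark display filters wlan.fc.type == 2 and wlan.fc.protected == 1. It assumes raw 802.11 frames with no radiotap header in front; the MAC addresses and the two sample captures are constructed (the Cisco multicast address 01:0b:85:00:00:00 is the one named in the question).

```python
import struct
from collections import Counter

# Wireshark's wlan.fc.type_subtype is (type << 4) | subtype; 0x08 is the
# beacon subtype the question filters out.
SUBTYPE_NAMES = {
    0x04: "Probe Request",
    0x05: "Probe Response",
    0x08: "Beacon",
    0x20: "Data",
    0x28: "QoS Data",
}

# Flag bits in the second Frame Control byte
FC_TO_DS = 0x01
FC_FROM_DS = 0x02
FC_PROTECTED = 0x40   # wlan.fc.protected in Wireshark


def parse_frame(frame: bytes) -> dict:
    """Decode the 802.11 MAC header fields needed for capture triage.
    Assumes a raw 802.11 frame (no radiotap/PRISM header in front)."""
    if len(frame) < 24:
        raise ValueError("frame shorter than a full 802.11 MAC header")
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    addr1 = frame[4:10]          # receiver / destination address
    return {
        "type_subtype": (ftype << 4) | subtype,
        "type": ("mgmt", "ctrl", "data", "ext")[ftype],
        "protected": bool(fc1 & FC_PROTECTED),
        "addr1": addr1.hex(":"),
        # I/G bit: low bit of the first octet set means broadcast or multicast
        "group_addressed": bool(addr1[0] & 0x01),
    }


def build_frame(type_subtype: int, flags: int, addr1: bytes, addr2: bytes,
                addr3: bytes, body: bytes = b"") -> bytes:
    """Assemble a minimal 802.11 frame: FC, duration, 3 addresses, seq ctrl, body."""
    fc0 = ((type_subtype >> 4) << 2) | ((type_subtype & 0xF) << 4)
    header = struct.pack("<BBH", fc0, flags, 0) + addr1 + addr2 + addr3
    return header + struct.pack("<H", 0) + body


def triage(frames) -> dict:
    """Summarise a capture: per-subtype counts, how many data frames are
    unicast, how many of those are Protected, and a one-word verdict."""
    parsed = [parse_frame(f) for f in frames]
    counts = Counter(SUBTYPE_NAMES.get(p["type_subtype"], hex(p["type_subtype"]))
                     for p in parsed)
    data = [p for p in parsed if p["type"] == "data"]
    unicast = [p for p in data if not p["group_addressed"]]
    protected = [p for p in unicast if p["protected"]]
    if not data:
        verdict = "NO_DATA"
    elif not unicast:
        verdict = "GROUP_ONLY"
    elif len(protected) == len(unicast):
        verdict = "PROTECTED"
    else:
        verdict = "CLEAR"
    return {"counts": dict(counts), "data": len(data), "unicast_data": len(unicast),
            "protected_unicast": len(protected), "verdict": verdict}


EXPLANATIONS = {
    "NO_DATA": "no data frames at all: wrong channel, or the driver never delivers data frames in monitor mode",
    "GROUP_ONLY": "only broadcast/multicast data: unicast traffic is not reaching the capture (driver/hardware), the symptom in the question",
    "PROTECTED": "unicast data is present but Protected: Wireshark needs the network's keys to dissect the payload",
    "CLEAR": "unicast data frames captured unencrypted",
}

# Constructed sample addresses (locally administered, not real devices)
BROADCAST = bytes.fromhex("ffffffffffff")
CISCO_MCAST = bytes.fromhex("010b85000000")   # multicast DA named in the question
AP = bytes.fromhex("02aabbccdd01")
STA = bytes.fromhex("02aabbccdd02")

# Constructed capture matching the question: beacons, a probe request, group-addressed data only
ASKER_CAPTURE = [
    build_frame(0x08, 0, BROADCAST, AP, AP),
    build_frame(0x08, 0, BROADCAST, AP, AP),
    build_frame(0x04, 0, BROADCAST, STA, BROADCAST),
    build_frame(0x20, FC_FROM_DS, BROADCAST, AP, STA),   # e.g. an ARP request
    build_frame(0x20, FC_FROM_DS, CISCO_MCAST, AP, AP),
]

# Constructed capture matching the answer: unicast data is there, but every frame is Protected
PROTECTED_CAPTURE = [
    build_frame(0x08, 0, BROADCAST, AP, AP),
    build_frame(0x28, FC_TO_DS | FC_PROTECTED, AP, STA, AP, b"\x00" * 16),
    build_frame(0x28, FC_FROM_DS | FC_PROTECTED, STA, AP, STA, b"\x00" * 16),
]

if __name__ == "__main__":
    for name, cap in (("asker", ASKER_CAPTURE), ("protected", PROTECTED_CAPTURE)):
        r = triage(cap)
        print(name, r["counts"], r["verdict"], "-", EXPLANATIONS[r["verdict"]])
```

On a real capture, the same check is the first thing to run before reaching for decryption keys: a GROUP_ONLY result means the adapter is not delivering unicast frames at all, and no amount of key configuration will help; a PROTECTED result means the capture is fine and the "How to Decrypt 802.11" procedure is what is needed.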
