Aircrack-ng Vs Wireshark


Zita Lifland

Aug 5, 2024, 9:25:16 AM
to radefeseph
After that I ran wireshark as a superuser, chose the ra0 adapter and tried to sniff the test open network. I have my PC connected to it (via dwa-140) and an HTC phone as well as some other stranger PCs. Wireshark runs on my PC.

The problem is that when I log in to %site.com% with a PC browser, I can see the cookies sent to it over http in Wireshark. But when I do the same thing with an Opera browser on my HTC, there is nothing detected. I know that other PCs are also sending data to the site, but I can't see anything from them either.


If airmon-ng had created a monitoring interface, rather than just putting ra0 into monitor mode, I think it would have printed a message indicating that. For interfaces with mac80211 drivers, it'll create a monitoring interface (VIF), but for non-mac80211 drivers I'm not sure it can do that.


In addition, I've found that, if a mon0 interface is created, the "regular" interface isn't put into monitor mode, so the daemons listed don't "helpfully" turn monitor mode off, otherwise it does get turned off.


At least according to the WifiDocs/Device/DWA-140 page in the Ubuntu Community Help Wiki, the default driver for that adapter is the rt2800usb driver. The "Successful use" section of that page seems to suggest a mac80211 driver, as the output of the iwconfig command includes a wlan0 device.


After working with the IPW ieee80211 stack which was merged into the kernel, the rt2x00 team decided to move over to the newer Devicescape ieee80211 stack. This stack provided much better support for non-firmware wireless devices, and offered features the IPW stack never did. The last release with the IPW ieee80211 stack was rt2x00 Beta3, after that rt2x00 was redesigned to use the Devicescape 80211 stack, which has been renamed to mac80211.


I've found instructions for downloading and installing the RaLink driver =1592731&page=2 and have done so. The modified driver module loads but 'iwconfig' lists the interface as 'ra0' instead of 'wlan0'. So named, network-manager and network-manager-applet ignore it.


which suggests that you may be using that driver rather than the standard driver; following that link goes to a page that speaks of that driver as coming from Ralink. Perhaps Ralink's driver doesn't support mac80211.


As per my comment on another answer, NetworkManager, from some stuff I've done while debugging some issues caused by some Linux distributions not building recent versions of libpcap with libnl, so that they don't use the mac80211 mechanisms to go into monitor mode, so that instead of creating a mon0 interface separate from the wlan0 interface, they fall back on the old mechanism and put wlan0 itself into monitor mode, NetworkManager "helpfully" responds to this "problem" by turning monitor mode back off on wlan0. If you're using the Ralink driver, and it doesn't support mac80211 (as, given the ra0 name for the interface, I suspect it doesn't), then airmon-ng may be turning monitor mode on for ra0 and NetworkManager may be "helpfully" turning it back off again.


Thank you for your response. I'll try to use the rt2800 driver instead and disable the Network Manager and report back. As I just discovered, this thing is Rev.B3 and uses an RT5392 chipset, so the rt2800 driver won't do.


If whatever driver you use creates a wlan0 interface, it may not be necessary to disable NetworkManager - it might mean it's a mac80211 driver, in which case it won't put wlan0 into monitor mode, it'll create a monitor-mode mon0 adapter.


There is no wlan0 interface with my current driver. After stopping network manager with stop network-manager my problem is that nothing happens after I start airmon-ng. It just outputs an empty line instead of ra0 Ralink 2560 PCI rt2500 (monitor mode enabled) and there is no network connection either.
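The thread above keeps coming back to one question: is the driver a mac80211/nl80211 one (airmon-ng creates a separate monitor VIF and NetworkManager leaves the managed interface alone) or a legacy wext-only vendor module like the Ralink one that names its interface ra0 (the interface itself is switched into monitor mode, and NetworkManager switches it back)? The following is an added example, not code from the thread or from aircrack-ng, that makes that check from the sysfs layout. It assumes that an interface registered with cfg80211/nl80211 (which includes every mac80211 driver) exposes `/sys/class/net/<iface>/phy80211`, that a wext-only driver exposes only `/sys/class/net/<iface>/wireless`, and it takes an optional sysroot so the check can run against a constructed tree; the interface names wlan0 and ra0 in the demo are hypothetical.

```shell
#!/bin/sh
# Added example: classify a wireless interface by the kernel API its driver
# exposes, then print the capture-interface setup that fits that API.
# Assumption: cfg80211/nl80211 drivers (all mac80211 drivers among them)
# create the phy80211 link under /sys/class/net/<iface>; wext-only vendor
# drivers only provide the "wireless" directory.

wifi_stack() {
    iface=$1
    sysroot=${2:-/}          # optional root so a constructed tree can be used
    netdir="$sysroot/sys/class/net/$iface"
    if [ ! -d "$netdir" ]; then
        echo "missing"
    elif [ -e "$netdir/phy80211" ]; then
        echo "nl80211"
    elif [ -d "$netdir/wireless" ]; then
        echo "wext"
    else
        echo "wired"
    fi
}

# Print (do not run) the commands matching the detected stack.
monitor_plan() {
    case "$(wifi_stack "$1" "$2")" in
        nl80211)
            echo "iw dev $1 interface add mon0 type monitor   # separate monitor VIF; $1 stays managed"
            echo "ip link set mon0 up" ;;
        wext)
            echo "nmcli device set $1 managed no               # stop NetworkManager from reverting the mode"
            echo "iwconfig $1 mode monitor                     # the interface itself changes mode" ;;
        missing)
            echo "no such interface: $1" ;;
        *)
            echo "$1 is not a wireless interface" ;;
    esac
}

# Constructed sysfs tree standing in for a real machine (hypothetical names):
# wlan0 looks like an nl80211 device, ra0 like a legacy Ralink vendor driver.
demo_sysroot=$(mktemp -d)
trap 'rm -rf "$demo_sysroot"' EXIT
mkdir -p "$demo_sysroot/sys/class/net/wlan0/phy80211" \
         "$demo_sysroot/sys/class/net/ra0/wireless"

monitor_plan wlan0 "$demo_sysroot"
monitor_plan ra0 "$demo_sysroot"
```

Run it against the real system with `wifi_stack ra0` (no second argument). If it answers `wext`, the monitor-mode toggle and NetworkManager are fighting over the same interface, which matches the empty airmon-ng output reported above; if it answers `nl80211`, airmon-ng should have created a separate monitor interface and the problem lies elsewhere.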




Wi-Fi 6E devices are quite common now, but I still have not found a reliable way to sniff 6GHz Wi-Fi packets. I have at least had some success capturing management and control frames in 6GHz; hopefully someone can chime in on how to capture data packets as well in 6GHz 160MHz.


If you want to capture on 2.4GHz and 5GHz, this is all we would need to do. We would use airmon-ng and airodump-ng or tcpdump. But try capturing on 6GHz channels / frequencies, and airmon-ng and airodump-ng give errors saying the 6GHz frequencies are not supported.


Luckily for us, airodump-ng had an easy fix. This fix however is only available in the aircrack git repo, so you will need to download the source from -ng/aircrack-ng and build it locally as per the instructions given in their README.


airmon-ng also allows us to start an interface in monitor mode on a specific frequency, but using the 6GHz frequencies gives an error saying they are "disabled", which they indeed are when checked through "iw list". I don't know if this is an issue with iwlwifi or the computer I am using. But the 6GHz frequencies will work when used with airodump-ng.


This is the only working method I know so far to capture 6GHz packets. Data packets, which are sent in 160MHz, are still missing, but something is better than nothing right now. I would love to know if there is another way to do Wi-Fi 6E captures.


Thanks to Prashant Kolli who pointed out to me that tcpdump provides radiotap headers, and to Sudeep who suggested that data packets are not being captured because maybe the interface is capturing only on 20MHz bandwidth instead of the full 160MHz.


Hello, I am trying to use Wireshark as a 3rd party device to capture TCP packets between two other devices. These two devices are communicating on an OPEN protocol wifi network. I am running Kali Linux with a TP-LINK usb network adapter. I am using the Aircrack rtl8812au drivers installed from this Github repository. -ng/rtl8812au


I then used airodump-ng to capture packets on this interface filtered by channel and BSSID. Opening the .cap file generated by airodump in wireshark I am able to see some of the TCP traffic between the two devices. This verifies that my hardware setup will indeed let me capture TCP traffic between the devices in monitor mode.


My issue is when I try to do the capture in wireshark on the wlan0 interface I only see 802.11 protocol packets such as 802.11 Block Ack, Clear-to-send, Request-to-send, etc... but I don't see any of the TCP data packets.


If airodump can see them, Wireshark should too. Add some better display filtering - filter by MAC addresses to reduce the noise in the capture and keep looking; there are ways to make this break but really no way to tell with this limited information. You could have disabled LLC or tcp dissectors, or set a capture filter, or be on the wrong channel, or...


I am using a Dell Latitude 3480 laptop which comes with the Qualcomm Atheros QCA6174 Wifi card with Ubuntu OS (16.04 Release). When I use it as a sniffer (using wireshark) after enabling monitor mode using airmon-ng, I am only able to get Beacon and Probe response frames (which are the management packets). I am not able to get the data packets in wireshark. I tried sniffing packets from a TCP traffic run between a Netgear AP and a client in a 5G network with open-none security. Is this an expected problem with this card? I tried reinstalling the driver and all, but no change. The kernel I use is 4.4.102-0404102-generic. Can someone really help me out?


You can also search that site for other discussions of this wireless card and they all end in the same thing: get a new card. You can check the kali forum as they have a list of wifi cards that can work with linux, but note that it is often kernel dependent.


Thanks for the quick response. Yeah, I had seen this discussion before I posted here. I just want to make sure that the issue is specific to this chip before replacing it. If there are any other posts related to this issue, please post here and help me out.


I would recommend a USB adapter for now. The Atheros is likely a PCIe card, so you would need to open your laptop to put a new device in. If you want to replace the card, I have had good luck with packet capture only with Wireshark with the Intel 7265 and 8265 series chips; they do 2.4 and 5 GHz, 2x2 80MHz, SGI and LDPC so they capture a lot. But they have problems with packet injection, so the full suite of aircrack-ng tools may not be available ...


After that I ran wireshark as a superuser, chose the ra0 adapter and tried to sniff the test open network. I have my PC connected to it (via dwa-140) and an HTC phone and some stranger PCs. Wireshark runs on my PC.


The problem is that when I log in to %sitename% with a PC browser, I can see the cookies sent to it in Wireshark. But when I do the same thing with an Opera browser on my HTC, there is nothing detected. I know that stranger PCs are also sending data to %sitename%, but I see nothing from them either. Still I see a lot of packets from stranger PCs, but not the ones I need.


Hello again my fellow Hackerzz!! I was trying hashcat and when converting my .cap file to .hccap, I noticed that even after converting, hashcat was not working. So I got to know that sometimes, even if the aircrack-ng suite tells you that a 4-way handshake was successful, it is not. So, in this How-To, I'll be telling you how to check whether a captured 4-way handshake in a .cap file was successful or not.


When you open the .cap file in Wireshark, you will notice about 15 Packets are present.

The Packets we want to analyse are Packets 8, 9, 10 and 11, as these are the 4-Way Handshake Packets.

The Packets before them are no use to us (I mean no use for this tutorial) but I'll explain what they do.


What you need to check is the last few packets. If they are data packets, then you have a successful capture!! But if the last one is a De-authentication Packet, then you don't have a successful Capture.
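Two of the problems on this page come down to the same question about a capture file: what frame types does it actually contain? The rtl8812au and QCA6174 posts see only control and management frames and no data, and the how-to above decides by looking at whether the last frames are data or a deauthentication. The following is an added Python example, not code from any of the posts or from aircrack-ng, that reads a pcap written with the radiotap link type (what airodump-ng and Wireshark produce from a monitor-mode interface), tallies frame types from the 802.11 frame control field, and spots unencrypted EAPOL frames by their LLC/SNAP ethertype. The two capture files are constructed in the block rather than taken from the thread, the "handshake heuristic" flag implements only the how-to's rule of thumb (at least four EAPOL frames and no deauth as the last frame), not a check of the EAPOL message sequence itself, and it assumes a minimal 8-byte radiotap header without an FCS field.

```python
import struct

LINKTYPE_IEEE802_11_RADIOTAP = 127
TYPE_NAMES = {0: "mgmt", 1: "ctrl", 2: "data"}
SUBTYPE_NAMES = {
    (0, 5): "probe-resp", (0, 8): "beacon", (0, 11): "auth", (0, 12): "deauth",
    (1, 9): "block-ack", (1, 11): "rts", (1, 12): "cts",
    (2, 0): "data", (2, 8): "qos-data",
}
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"
ETHERTYPE_EAPOL = 0x888E


def classify(frame: bytes) -> str:
    """Name an 802.11 frame from its frame-control byte; flag plaintext EAPOL."""
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4
    name = SUBTYPE_NAMES.get((ftype, subtype), f"{TYPE_NAMES.get(ftype, 'rsvd')}-{subtype}")
    if ftype == 2:                       # data frame: skip the MAC header to reach LLC
        hdr = 24
        if subtype & 0x8:                # QoS subtypes carry a 2-byte QoS control field
            hdr += 2
        if frame[1] & 0x3 == 0x3:        # To-DS and From-DS both set: 4th address present
            hdr += 6
        body = frame[hdr:]
        if body[:6] == LLC_SNAP and len(body) >= 8 \
                and struct.unpack("!H", body[6:8])[0] == ETHERTYPE_EAPOL:
            return "eapol"
    return name


def iter_frames(pcap: bytes):
    """Yield the 802.11 frame of each record in a radiotap-linktype pcap."""
    magic, = struct.unpack("<I", pcap[:4])
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != LINKTYPE_IEEE802_11_RADIOTAP:
        raise ValueError("expected linktype 127 (IEEE802_11_RADIOTAP)")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig = struct.unpack(end + "IIII", pcap[off:off + 16])
        rec = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        rt_len = struct.unpack("<H", rec[2:4])[0]   # radiotap length is always LE
        yield rec[rt_len:]


def summarize(pcap: bytes) -> dict:
    counts, order = {}, []
    for frame in iter_frames(pcap):
        kind = classify(frame)
        counts[kind] = counts.get(kind, 0) + 1
        order.append(kind)
    eapol = counts.get("eapol", 0)
    return {
        "counts": counts,
        "eapol_frames": eapol,
        "has_data": any(k in ("data", "qos-data", "eapol") for k in counts),
        "last_frame": order[-1] if order else None,
        # The how-to's rule of thumb only; it does not validate EAPOL messages.
        "handshake_heuristic_ok": eapol >= 4 and bool(order) and order[-1] != "deauth",
    }


# --- constructed sample captures (not real traffic) ------------------------
def _frame(ftype, subtype, body=b""):
    fc = bytes([(subtype << 4) | (ftype << 2), 0]) + b"\x00\x00"   # FC + duration
    a1, a2, a3 = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02", b"\x02\x00\x00\x00\x00\x01"
    if ftype == 1:                                   # control frames: RA only
        return fc + a1
    hdr = fc + a1 + a2 + a3 + b"\x00\x00"            # + sequence control
    if ftype == 2 and subtype & 0x8:
        hdr += b"\x00\x00"                           # QoS control
    return hdr + body


def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11_RADIOTAP)
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)      # minimal header, no fields
    for i, f in enumerate(frames):
        rec = radiotap + f
        out += struct.pack("<IIII", 1700000000 + i, 0, len(rec), len(rec)) + rec
    return out


EAPOL_BODY = LLC_SNAP + b"\x88\x8e" + b"\x02\x03\x00\x5f" + b"\x00" * 95   # key frame shell
SAMPLE_GOOD = _pcap([_frame(0, 8), _frame(0, 5), _frame(1, 11), _frame(1, 12)]
                    + [_frame(2, 8, EAPOL_BODY)] * 4 + [_frame(2, 8, b"\x00" * 40)] * 2)
SAMPLE_BAD = _pcap([_frame(0, 8), _frame(2, 8, EAPOL_BODY), _frame(2, 8, EAPOL_BODY), _frame(0, 12)])

if __name__ == "__main__":
    for name, cap in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, summarize(cap))
```

To run it on a real file, pass `open("capture.cap", "rb").read()` to `summarize`; a result with `has_data` false and only beacon, rts, cts or block-ack counts is exactly the symptom the QCA6174 and rtl8812au posters describe, and in Wireshark the display filters `eapol` and `wlan.fc.type == 2` give the same two views.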
