I have a few devices connected to a Wi-Fi router, but pcap_dispatch() always returns 0 for the Wi-Fi interface while live capturing on Mac OS X. The same code captures responses in the case of a wired interface. Please clarify if I have missed any flag here.
Comments:
- Are you using a capture filter? – Jun 15 '15 at 06:15
- Yes. I am filtering similarly to Ethernet: ether dst 70:73:cb:c1:7c:61 and (arp or (ether[14:4]=0xaaaa0300 and ether[20:2]=0x0806) or (ether[12:2]=0x8100 and ether[16:2]=0x0806) or (ether[12:2]=0x8100 and ether[18:4]=0xaaaa0300 and ether[24:2]=0x0806)) – Balaji M, Jun 15 '15 at 10:57
- Are you capturing in monitor mode or not in monitor mode? – Jun 15 '15 at 18:17
- I have set monitor mode: pcap_set_rfmon(). – Balaji M, Jun 16 '15 at 04:35
1 Answer
If you are capturing in monitor mode, you will be getting native 802.11 packets, which do not look like Ethernet packets, so filtering similarly to Ethernet will not work.
Furthermore, if you're capturing in monitor mode on a protected network, i.e. a network using WEP or WPA/WPA2, everything past the 802.11 header will be encrypted, and you will not be able to filter on it.
So:
- if you're on an unprotected network, try a filter such as
  wlan dst 70:73:cb:c1:7c:61 and (arp or (vlan and arp))
- if you're on a protected network, try a filter such as
  wlan dst 70:73:cb:c1:7c:61
  and make sure the program that reads the packets either just blindly writes them out to a capture file or is capable of decrypting WEP or WPA/WPA2 packets (the only program I know of that can decrypt them is Wireshark, although some others might be able to do it as well).
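To make the answer concrete, here is an added C example (not code from the question, the answer, or libpcap) that hand-evaluates the two filters on constructed sample frames: an Ethernet ARP frame and an 802.11 data frame carrying the same ARP packet in an LLC/SNAP header. It shows why "ether dst X and arp" matches nothing on a monitor-mode capture (the destination address and EtherType sit at different offsets in an 802.11 header, which depend on the ToDS/FromDS bits and the QoS subtype), and it stops as soon as the Protected Frame bit is set, because everything past the header is then ciphertext and no payload filter can match it. The frames, MAC addresses (other than the one in the question) and the result codes are constructed for the example; the example assumes raw 802.11 frames without a radiotap header, whereas a real monitor-mode capture on OS X normally prepends one (pcap_datalink() reports which).

```c
/* Added example: evaluates "ether dst X and arp" vs. "wlan dst X and arp"
 * by hand on constructed frames, to show why the Ethernet-style filter
 * never matches an 802.11 monitor-mode capture.
 * Assumption: raw 802.11 frames, no radiotap header in front of them. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETHERTYPE_ARP 0x0806

/* Destination address from the question */
static const uint8_t TARGET_MAC[6] = {0x70, 0x73, 0xcb, 0xc1, 0x7c, 0x61};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* "ether dst X and arp": DA at offset 0, EtherType at offset 12. */
int eth_is_arp_to(const uint8_t *f, size_t len, const uint8_t *dst)
{
    if (len < 14) return 0;
    return memcmp(f, dst, 6) == 0 && be16(f + 12) == ETHERTYPE_ARP;
}

/* Result codes for the 802.11 check (constructed for this example). */
enum { WLAN_NO_MATCH = 0, WLAN_MATCH = 1, WLAN_ENCRYPTED = 2 };

/* "wlan dst X and arp" on a raw 802.11 data frame. Returns WLAN_ENCRYPTED
 * when the Protected Frame bit is set: the LLC/SNAP header and EtherType
 * are then ciphertext, so no filter on the payload can match. */
int wlan_is_arp_to(const uint8_t *f, size_t len, const uint8_t *dst)
{
    if (len < 24) return WLAN_NO_MATCH;
    uint8_t fc0 = f[0], fc1 = f[1];
    int type = (fc0 >> 2) & 0x3;            /* 2 = data frame */
    int subtype = (fc0 >> 4) & 0xF;
    if (type != 2) return WLAN_NO_MATCH;
    int to_ds = fc1 & 0x01;
    int from_ds = fc1 & 0x02;
    int prot = fc1 & 0x40;                  /* Protected Frame (WEP/WPA/WPA2) */
    /* The DA field depends on the DS bits: addr3 when ToDS=1, else addr1. */
    const uint8_t *da = to_ds ? f + 16 : f + 4;
    if (memcmp(da, dst, 6) != 0) return WLAN_NO_MATCH;
    if (prot) return WLAN_ENCRYPTED;
    size_t hdr = 24;
    if (to_ds && from_ds) hdr += 6;         /* 4-address (WDS) frame */
    if (subtype & 0x8) hdr += 2;            /* QoS data: 2-byte QoS control */
    /* LLC/SNAP: AA AA 03 00 00 00 followed by the EtherType */
    static const uint8_t snap[6] = {0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00};
    if (len < hdr + 8) return WLAN_NO_MATCH;
    if (memcmp(f + hdr, snap, 6) != 0) return WLAN_NO_MATCH;
    return be16(f + hdr + 6) == ETHERTYPE_ARP ? WLAN_MATCH : WLAN_NO_MATCH;
}

/* Constructed sample: Ethernet ARP frame to TARGET_MAC (body zeroed). */
size_t build_eth_arp(uint8_t *out)
{
    static const uint8_t src[6] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};
    memcpy(out, TARGET_MAC, 6);
    memcpy(out + 6, src, 6);
    out[12] = 0x08; out[13] = 0x06;         /* EtherType ARP */
    memset(out + 14, 0, 28);                /* ARP body not needed for the filter */
    return 42;
}

/* Constructed sample: 802.11 data frame from an AP (FromDS=1) to TARGET_MAC
 * with an ARP packet in LLC/SNAP. With prot=1 the Protected bit is set and
 * the body is filled with 0xFF as a stand-in for ciphertext. */
size_t build_wlan_arp(uint8_t *out, int prot)
{
    static const uint8_t bssid[6] = {0x02, 0x00, 0x00, 0x00, 0x00, 0xAA};
    static const uint8_t sa[6]    = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};
    static const uint8_t snap_arp[8] = {0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x08, 0x06};
    memset(out, 0, 64);
    out[0] = 0x08;                          /* type=data, subtype=0 */
    out[1] = 0x02 | (prot ? 0x40 : 0);      /* FromDS, optional Protected */
    memcpy(out + 4, TARGET_MAC, 6);         /* addr1 = DA */
    memcpy(out + 10, bssid, 6);             /* addr2 = BSSID */
    memcpy(out + 16, sa, 6);                /* addr3 = SA */
    if (prot) memset(out + 24, 0xFF, 36);   /* opaque "ciphertext" */
    else      memcpy(out + 24, snap_arp, 8);
    return 24 + 8 + 28;
}

int main(void)
{
    uint8_t eth[64], wlan[64], wlan_enc[64];
    size_t n1 = build_eth_arp(eth);
    size_t n2 = build_wlan_arp(wlan, 0);
    size_t n3 = build_wlan_arp(wlan_enc, 1);
    printf("ether filter on Ethernet frame: %d\n", eth_is_arp_to(eth, n1, TARGET_MAC));
    printf("ether filter on 802.11 frame:   %d\n", eth_is_arp_to(wlan, n2, TARGET_MAC));
    printf("wlan filter on 802.11 frame:    %d\n", wlan_is_arp_to(wlan, n2, TARGET_MAC));
    printf("wlan filter on protected frame: %d\n", wlan_is_arp_to(wlan_enc, n3, TARGET_MAC));
    return 0;
}
```

The Ethernet-style check returns 0 on the 802.11 frame because its first six bytes are the frame control, duration and the start of addr1, not the destination MAC, and offset 12 is inside addr2 rather than an EtherType. The wlan-style check matches the unprotected frame and reports WLAN_ENCRYPTED for the protected one, which is the case the answer describes: capture it to a file and decrypt it in a tool such as Wireshark rather than trying to filter on the payload.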