Wireshark-users: Re: [Wireshark-users] Leopard and AirPort, only my own packets

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 22 Oct 2008 01:54:21 -0700

On Oct 21, 2008, at 3:52 PM, Marco De Vitis wrote:

I'm doing some tests on my own wifi network, which is protected using
WPA Personal.

I have a Windows notebook and a MacBook running OSX 10.5.5. I want to
try running Wireshark on the MacBook for sniffing traffic happening from
the Win machine.

It might be that the AirPort adapter on your MacBook will only capture traffic from other machines on your network when in monitor mode (on Leopard, to go into monitor mode you currently have to select a "link- layer header type" other than Ethernet), even in promiscuous mode. I think some (perhaps all) wireless adapters will not actually work promiscuously on protected networks as they can't decrypt traffic to or from other machines; they'll capture the traffic in monitor mode, but, in order to see that traffic decrypted, you'll need to provide the password for the network *and* capture the initial setup:

	http://wiki.wireshark.org/HowToDecrypt802.11