Hey all,
I'm working on something that has hit a brick wall - so hopefully some external help will point me in the right direction.
The premise is thus:
I'm trying to monitor traffic on a wireless network. I have Wireshark running on BackTrack Linux and a Ubiquiti wireless card (which supports promiscuous mode).
I have joined the network OK and Wireshark is up and sniffing the network fine. It captures data from/to the local machine perfectly (as you would expect).
The problem is when you introduce a new machine into the network. Wireshark DOES capture all data to/from the new machine, but it refuses to display most of it in a recognizable format. Broadcast/multicast stuff (like NBNS packets) is displayed correctly, showing both the source/destination IP addresses and the packet contents.
But the problem is that stuff like HTTP traffic is just displayed as, I think, the raw 802.11 packet - and nothing I can do will convince Wireshark to decode that.
The packets are recognized as either LLC, SNA or (this last appears to be the HTTP data) 0x05f8. The source/destination are displayed as MAC addresses.
I have tried adding WPA decryption keys to Wireshark as well (just in case...) with no joy.
Version is 1.0.3.
Any suggestions *very* gratefully accepted!
Tom
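An added diagnostic, not part of Tom's post: it parses the MAC header of raw 802.11 data frames (as a monitor-mode capture delivers them, without radiotap) and reports, per frame, whether the Protected bit is set and whether the body begins with the LLC/SNAP header that unencrypted IP traffic carries. A data frame that is not flagged protected and whose body is not LLC/SNAP is exactly what Wireshark's LLC dissector will render as arbitrary SAPs or EtherTypes. The station MACs, the IPv4 fragment, the CCMP header and the ciphertext bytes are all constructed sample values; `build_data_frame` is a helper written here, not a Wireshark or Scapy API.

```python
import struct

# LLC/SNAP header that an unencrypted 802.11 data frame carrying IP begins with:
# DSAP 0xAA, SSAP 0xAA, control 0x03, OUI 00:00:00, then a 2-byte EtherType.
LLC_SNAP = bytes.fromhex("aaaa03000000")

TO_DS, FROM_DS, PROTECTED = 0x01, 0x02, 0x40  # flag bits in the second Frame Control byte


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_80211(frame: bytes) -> dict:
    """Parse the MAC header of a raw (non-radiotap) 802.11 frame and classify its body."""
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3          # 0 = management, 1 = control, 2 = data
    subtype = (fc0 >> 4) & 0xF
    to_ds, from_ds = bool(fc1 & TO_DS), bool(fc1 & FROM_DS)
    protected = bool(fc1 & PROTECTED)

    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    a4 = b""
    hdr_len = 24
    if to_ds and from_ds:             # 4-address (WDS) frame
        a4 = frame[24:30]
        hdr_len += 6
    if ftype == 2 and subtype & 0x8:  # QoS Data subtypes carry a 2-byte QoS Control field
        hdr_len += 2

    # Address roles depend on the To DS / From DS bits.
    if not to_ds and not from_ds:
        src, dst = a2, a1
    elif from_ds and not to_ds:
        src, dst = a3, a1
    elif to_ds and not from_ds:
        src, dst = a2, a3
    else:
        src, dst = a4, a3

    body = frame[hdr_len:]
    info = {"type": ftype, "subtype": subtype, "src": mac(src), "dst": mac(dst),
            "protected": protected, "ethertype": None}

    if ftype != 2:
        info["verdict"] = "not-data"
    elif protected:
        # Ciphertext: for WPA/WPA2-PSK Wireshark can only decrypt this station's
        # frames if it has the passphrase AND captured that station's EAPOL handshake.
        info["verdict"] = "protected"
    elif body.startswith(LLC_SNAP):
        info["ethertype"] = struct.unpack("!H", body[6:8])[0]
        info["verdict"] = "plaintext-snap"
    else:
        # Not flagged protected, but not an LLC/SNAP payload either: the LLC
        # dissector shows whatever bytes are there as arbitrary SAPs or EtherTypes.
        info["verdict"] = "unparseable-body"
    return info


def build_data_frame(flags: int, src: bytes, dst: bytes, bssid: bytes, body: bytes) -> bytes:
    """Constructed helper: assemble a minimal 3-address 802.11 Data frame (subtype 0).
    Pass at most one of TO_DS / FROM_DS; 4-address frames are not built here."""
    fc = bytes([0x08, flags])                       # type = 2 (data), subtype = 0
    duration, seq = b"\x00\x00", b"\x00\x00"
    if flags & FROM_DS:
        a1, a2, a3 = dst, bssid, src
    elif flags & TO_DS:
        a1, a2, a3 = bssid, src, dst
    else:
        a1, a2, a3 = dst, src, bssid
    return fc + duration + a1 + a2 + a3 + seq + body


# Constructed sample addresses and payloads (not captured from any real network).
STA = bytes.fromhex("0015e9aabbcc")      # the sniffing machine
PEER = bytes.fromhex("001e58123456")     # the "new machine" on the network
AP = bytes.fromhex("00147cddeeff")       # the access point / BSSID

SAMPLE_FRAMES = [
    # 1. Unencrypted data frame: LLC/SNAP + EtherType 0x0800 + start of an IPv4 header.
    build_data_frame(FROM_DS, PEER, STA, AP,
                     LLC_SNAP + b"\x08\x00" + bytes.fromhex("4500001c0001000040060000")),
    # 2. Protected data frame: 8-byte CCMP header (ExtIV bit set) followed by ciphertext.
    build_data_frame(FROM_DS | PROTECTED, PEER, STA, AP,
                     bytes.fromhex("0100002000000000") + bytes.fromhex("9f3c11ab7d20e4c85b6ea1f0")),
    # 3. Flagged unprotected, but the body is not LLC/SNAP.
    build_data_frame(TO_DS, STA, PEER, AP, bytes.fromhex("05f8a34c1b00d2e7")),
]


def classify_frames(frames) -> list:
    return [parse_80211(f)["verdict"] for f in frames]


if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_80211(f))
```

Run over a real capture, `parse_80211` expects the raw 802.11 frame bytes (strip the radiotap header first using its little-endian length field at offset 2); a capture taken in promiscuous rather than monitor mode will already have been translated to Ethernet by the driver and will not parse here.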