Wi‑Fi Troubleshooting: Why Captures Are Empty
If you’re doing authorized Wi‑Fi research and your tool says “monitor mode enabled” but your captures are empty, you’re usually fighting the basics: wrong band/channel, driver/firmware limitations, or security features working as intended. This guide is a step-by-step checklist to get reliable captures in a controlled lab.
1) Establish a baseline (no guessing)
Before changing settings, create a “known good” test. Use a spare router/AP you control and one client device you control. Make the test as boring as possible: WPA2‑PSK (not WPA3), 2.4 GHz only, channel fixed (not auto), and a simple SSID.
- Lock the AP channel: set a fixed channel and disable “auto” while testing.
- Disable band steering: keep it to one band so your client doesn’t roam between 2.4 GHz and 5 GHz.
- Reduce complexity: start with 20 MHz width on 2.4 GHz, then expand later.
- Document the target: SSID, BSSID, band, channel, security mode, and client MAC (for your own devices only).
Goal: you should be able to see beacons, probe requests, and data frames. If you can’t see basic management frames, you’re not “missing a handshake”—you’re not actually capturing the channel correctly.
2) Band + channel + width mistakes
2.4 GHz vs 5 GHz vs 6 GHz
- 6 GHz (Wi‑Fi 6E/7): many adapters can’t monitor 6 GHz at all. If your target is 6E, verify hardware support first.
- 5 GHz: DFS channels can be tricky; some setups cannot monitor DFS channels reliably, or behave differently per region.
- 2.4 GHz: easiest baseline, but crowded; interference can hide frames.
Channel width matters (20/40/80/160 MHz)
If the AP is using 80 MHz and your capture setup is effectively watching only part of that spectrum, you may “see some” frames but miss the ones you care about. Start with 20 MHz in the lab to reduce variables.
Hidden SSID misconceptions
An AP with a “hidden SSID” still transmits beacons and still has a BSSID. Your issue is rarely “hidden SSID” and usually “wrong channel” or “not actually in monitor mode.”
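A pre-flight check for the band, channel, and width points above, as an added example that is not part of the original guide: it parses `iw dev` output and compares the capture interface against the lab target documented in step 1. The sample output is constructed, and the interface names (`wlan0`, `wlan0mon`) and target values (channel 6, 20 MHz) are assumptions.

```python
import re

# Constructed sample of `iw dev` output (illustrative, not from a real system).
IW_DEV = """\
phy#1
    Interface wlan0mon
        ifindex 5
        type monitor
        channel 11 (2462 MHz), width: 40 MHz, center1: 2452 MHz
phy#0
    Interface wlan0
        ifindex 3
        type managed
        channel 6 (2437 MHz), width: 20 MHz, center1: 2437 MHz
"""

CHANNEL_RE = re.compile(r"channel (\d+) \((\d+) MHz\), width: (\d+) MHz")

def parse_iw_dev(text):
    """Map interface name -> {'type', 'channel', 'width'} from `iw dev` text."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Interface "):
            cur = ifaces.setdefault(line.split()[1], {})
        elif cur is not None and line.startswith("type "):
            cur["type"] = line.split()[1]
        elif cur is not None and (m := CHANNEL_RE.match(line)):
            cur["channel"], cur["width"] = int(m[1]), int(m[3])
    return ifaces

def preflight(text, iface, channel, width):
    """List mismatches between `iface` and the documented lab target."""
    info = parse_iw_dev(text).get(iface)
    if info is None:
        return [f"{iface}: interface not present"]
    problems = []
    if info.get("type") != "monitor":
        problems.append(f"{iface}: type is {info.get('type')}, not monitor")
    if info.get("channel") != channel:
        problems.append(f"{iface}: channel {info.get('channel')}, expected {channel}")
    if info.get("width") != width:
        problems.append(f"{iface}: width {info.get('width')} MHz, expected {width} MHz")
    return problems
```

An empty list from `preflight(IW_DEV, "wlan0mon", 6, 20)` would mean the interface matches the baseline; with the constructed sample it reports the channel and width mismatches.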
3) Adapter, drivers, and monitor mode gotchas
Your adapter can say “monitor mode” and still be the bottleneck
- Chipset limitations: some chipsets drop frames under load, have poor 5 GHz support, or don’t support injection/monitor reliably.
- USB power/cable: unstable power causes random disconnects and corrupted captures. Swap the cable first.
- USB 3.0 noise: USB 3.0 ports/cables can emit interference that impacts 2.4 GHz reception. Try a different port or distance.
Symptoms that point to driver/firmware issues
- “Device not found” intermittently (especially after sleep/wake): USB power management or driver reset.
- Only beacons, no data even with active client traffic: wrong channel, capture filter too strict, or dropped data frames.
- Captures work at 2.4 GHz but never at 5 GHz: band support/regulatory domain/DFS behavior.
4) WPA3, PMF/MFP, and “expected failure”
Modern Wi‑Fi security is designed to block replay and reduce the usefulness of certain captures. If a technique “used to work,” it may not be valid against WPA3 or when PMF (Protected Management Frames) is required.
WPA3 (SAE) changes the game
- Expect different handshake material than WPA2‑PSK. Tools and workflows differ.
- Fallback confusion: Some networks run WPA2/WPA3 mixed mode. Your client might connect using one mode while you assume the other.
PMF/MFP (802.11w)
PMF helps protect certain management frames. In a legitimate lab, treat PMF as a success condition for defense: if your previous “trick” no longer works, that can be the correct outcome.
5) RF noise and capture quality
In noisy environments, captures fail because frames arrive corrupted or not at all: you are losing frame integrity and timing, not just “the handshake.” In a lab, you can make the environment calmer:
- Distance: bring AP and client closer during baseline testing.
- Lower competing traffic: disconnect other clients; pause streaming devices.
- Choose a quiet channel: use the least congested channel on 2.4 GHz; avoid microwave-heavy areas.
- Reduce gain extremes: too much gain can overload the front-end; too little misses frames.
6) A repeatable lab workflow
- Build a known-good AP profile: WPA2‑PSK, 2.4 GHz, channel fixed, 20 MHz.
- Verify you see beacons from the AP on the expected channel.
- Generate predictable traffic: connect one lab client and browse a simple page.
- Capture for 60–120 seconds and confirm you see management + data frames.
- Increase complexity slowly: 5 GHz → wider channels → WPA3 → multi-client → roaming.
What changed in 2026
- More mixed WPA2/WPA3 environments increase mode-assumption mistakes.
- 6 GHz adoption raises adapter and regulatory-domain troubleshooting complexity.
- PMF expectations are stronger in modern enterprise baselines.
Myth vs reality
Myth: “If monitor mode is enabled, capture is correct.”
Reality: Wrong channel width/band and driver limits can still make captures misleading.
Validation criteria
- You can reproduce beacon + data frame visibility on a fixed test AP/profile.
- Captured artifacts match known AP mode and channel configuration.
- Your troubleshooting result is repeatable after reboot/reconnect cycles.
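The lab workflow and validation criteria above can be checked mechanically. The following added example (not part of the original guide) reads a classic pcap, counts beacon, management, control, and data frames, and compares the radiotap channel frequency with the lab AP's. The sample captures are constructed in code, and the expected frequency of 2437 MHz (channel 6) is an assumption.

```python
import struct
from collections import Counter

def radiotap_freq(rt):
    """Channel frequency (MHz) from a radiotap header, or None if not present."""
    present = word = struct.unpack_from("<I", rt, 4)[0]
    off = 8
    while word & 0x80000000:                  # skip extended "present" words
        word = struct.unpack_from("<I", rt, off)[0]
        off += 4
    if not present & 0x8:                     # bit 3 = Channel field
        return None
    if present & 0x1:                         # TSFT: 8 bytes, 8-byte aligned
        off = ((off + 7) & ~7) + 8
    off += bool(present & 0x2) + bool(present & 0x4)  # Flags, Rate: 1 byte each
    return struct.unpack_from("<H", rt, (off + 1) & ~1)[0]

def triage(pcap, expected_mhz):
    """Count 802.11 frame kinds in a classic little-endian pcap; list findings."""
    magic, linktype = struct.unpack_from("<I16xI", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a classic little-endian pcap")
    kinds, freqs, off = Counter(), set(), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]
        pkt, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        rtlen = struct.unpack_from("<H", pkt, 2)[0] if len(pkt) >= 8 else 0
        if linktype != 127 or not 8 <= rtlen < len(pkt):  # 127 = radiotap + 802.11
            kinds["other"] += 1
            continue
        freqs.add(radiotap_freq(pkt[:rtlen]))
        ftype, sub = (pkt[rtlen] >> 2) & 3, pkt[rtlen] >> 4  # frame-control byte 0
        kind = "beacon" if (ftype, sub) == (0, 8) else ("mgmt", "ctrl", "data", "ext")[ftype]
        kinds[kind] += 1
    checks = [
        (linktype == 1, "Ethernet link type: captured on the managed interface"),
        (not kinds, "no frames: wrong channel/band or capture filter too strict"),
        (freqs - {expected_mhz, None}, f"tuned to {sorted(freqs - {None})} MHz, expected {expected_mhz}"),
        (kinds["beacon"] and not kinds["data"], "beacons only: no client traffic or data frames dropped"),
    ]
    return dict(kinds), [msg for hit, msg in checks if hit]

# Constructed sample data: 12-byte radiotap (Channel field only) + bare 802.11 header.
def sample_frame(mhz, fc0):
    return struct.pack("<BBHIHH", 0, 0, 12, 0x8, mhz, 0x00A0) + bytes([fc0, 0]) + bytes(22)

def make_pcap(linktype, frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
```

For a real capture, pass the file's bytes to `triage` with your lab AP's frequency; pcapng files are not handled and need converting to classic pcap first.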
Quick FAQ
Why is my PCAP empty when monitor mode appears enabled?
You may be capturing on the managed interface instead of the monitor interface (for example wlan0 vs wlan0mon), tuned to the wrong channel or band, or using a capture filter that drops all frames. Confirm the interface name, remove capture filters while debugging, and lock channel/band to your lab AP.
What is the difference between a capture filter and a display filter in Wireshark?
A capture filter is applied by libpcap before packets are recorded; if it is too strict, the PCAP is empty. A display filter only changes what you see after capture and cannot recover packets that were never captured.
Why do I see beacons but almost no data frames?
Beacons are periodic; data frames require associated clients and traffic. Generate predictable lab traffic, verify channel width and band, and confirm your adapter actually delivers data frames to userspace in your configuration.
For a short note on interface names and filters, see Wi‑Fi: capture filter, wrong interface, empty PCAP.