Based on your comment it sounds like some other device on your network has the MAC address that you would like to use for the device you have access to. Finding that other device in the physical world will probably be very difficult to impossible without access to any switches.
NB: If you did have access to the switches, you could follow the MAC tables to a switch port number and from there do a physical cable trace.
To confirm that there is actually another device with the same MAC address, you could try using a network auditing tool and attempt to discover all devices on the same broadcast domain.
There is another set of possibilities that involve static MAC entries, either on the DHCP server(s) or on some device(s) on the network, or some kind of port security or MAC filtering. It's a little odd to be trying to solve a problem of this nature without access to the switches or servers or access to someone who has access, although not at all unheard of on secure networks.
A standard TCPDump, without any modifications to the mode of the Wireless NIC, will not display ALL frames traversing the wireless network. It will only display frames directed at (and capable of being received by) your station. TCPDump is just grabbing the information that is specifically delivered to your station, decrypted, and presented to the OS at the normal Ethernet/IP level.
To listen to ALL frames reaching your station on the wireless network, you'll need to have a NIC capable of running in Monitor mode, and then put your NIC into Monitor mode. While in Monitor mode, you won't be able to send traffic, only to observe all frames on the channel. This is done similarly to the following:
iw phy phy0 interface add wlan2 type monitor
iw dev wlan2 set freq 2412
ifconfig wlan2 up
tcpdump -i wlan2
Read the documentation on iw for more information, and also see this page for some good information on using iw for monitoring, with an example.
As noted by @ylearn in the comments, your station will only be able to capture frames under specific circumstances (Some more obvious than others):
- Be in range of the sending station (duh)
- Be of the same type as the sending station (single vs multiple spatial streams for example)
- Be listening to the same channel/frequency as the sending station (listening to 2.4 GHz channels won't help you capture 5 GHz traffic, etc)
And there are more conditions, but the bottom line is that wireless networks are wireless, so there's no guarantee of delivery of traffic and therefore no guarantee of receipt on your Monitoring station. :)
Now with all of that said, you may have all the frames that are being transmitted, but you would still need to decrypt the frames. This is a large topic in and of itself, however the basics are this: the frames that any 802.11 station sends into the air are sent encrypted so that not just anyone can sniff all connections.
Wireshark has a nice intro page on Decrypting 802.11. I recommend reading that, understanding it, and moving on from there.
Edit to respond to your comments, @phenetas:
First, as alluded to in my response, I was assuming your OS was Linux in my answer so I recommended using iw. If you're serious about learning more about penetrating 802.11 networks, I'd recommend looking into a Linux distro such as Kali Linux, which is designed for exactly that purpose. (Use this power only for good please; with great power comes great responsibility, etc, etc.)
However, if you're insistent on using Mac OS X, you have other options as well to put the NIC into monitor mode (including just using Wireshark instead of TCPDump). Some Googling around for Mac OS X monitor mode should help you there.
Finally, I would look into reading more about IP Broadcasts and mDNS (Multicast DNS) as that is what you're seeing initially from the other devices. These are not "intercepted" packets, this IS traffic destined to your device, that is why TCPDump is displaying the packets.
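To illustrate the point above that a monitor-mode capture still contains encrypted frames, here is an added Python example (not part of the original answer) that reads the radiotap-prefixed 802.11 header and reports the Protected Frame bit. The sample frames and MAC addresses are constructed, and a minimal 8-byte radiotap header is assumed.

```python
import struct

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_80211(packet):
    """Parse one radiotap-prefixed 802.11 frame, as seen on a monitor-mode interface."""
    if len(packet) < 8:
        raise ValueError("too short for a radiotap header")
    # Radiotap: version (1), pad (1), header length (2, little-endian), present flags (4)
    version, _pad, rt_len, _present = struct.unpack_from("<BBHI", packet, 0)
    frame = packet[rt_len:]
    if version != 0 or rt_len < 8 or len(frame) < 10:
        raise ValueError("not radiotap, or 802.11 header truncated")
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    ftype = (fc >> 2) & 0x3
    info = {
        "type": FRAME_TYPES.get(ftype, "extension"),
        "subtype": (fc >> 4) & 0xF,
        "to_ds": bool(fc & 0x0100),
        "from_ds": bool(fc & 0x0200),
        "protected": bool(fc & 0x4000),  # frame body is encrypted
        "addr1": mac(frame[4:10]),       # receiver address, never encrypted
    }
    # Control frames vary in layout, so only addr1 is reported for them.
    if ftype != 1 and len(frame) >= 24:
        info["addr2"] = mac(frame[10:16])
        info["addr3"] = mac(frame[16:22])
    return info

def summarize(packets):
    """Count frames with an encrypted body versus frames sent in the clear."""
    counts = {"protected": 0, "clear": 0}
    for pkt in packets:
        counts["protected" if parse_80211(pkt)["protected"] else "clear"] += 1
    return counts

# Constructed sample input (locally administered MACs, zero bytes standing in for ciphertext).
RADIOTAP = bytes.fromhex("0000080000000000")
AP, STA, DST = "020000000001", "020000000002", "020000000003"
BEACON = RADIOTAP + bytes.fromhex("80000000" + "ffffffffffff" + AP + AP + "0000")
DATA = RADIOTAP + bytes.fromhex("08412c00" + AP + STA + DST + "1000") + bytes(16)

if __name__ == "__main__":
    for name, pkt in (("beacon", BEACON), ("data", DATA)):
        print(name, parse_80211(pkt))
    print(summarize([BEACON, DATA]))
```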
Best Answer
You have used the following as your packet filter:
host aa:bb:cc:11:22:33
As it stands, this is looking for an IP or hostname but you are giving it a MAC address.
To use a MAC address, you need to include the ether packet filter primitive. In your case, the following should work:
Or, if it needs you to specify the interface, then it would be something like: