Wireshark mailing list archives

Re: Capturing Wi-Fi traffic to/from Modem


From: GaryT <gary () taig net>
Date: Mon, 28 Jul 2014 00:12:56 +1000

Two weeks ago, on 14/07/14 04:08, Guy Harris wrote:

[BIG SNIP]

> The problem is probably that dumpcap doesn't have permission to open any interfaces other than the Bluetooth interface; the solution is probably the instructions Evan gave:

Yes, Evan's code worked as he expected.

> 1. Run "sudo dpkg-reconfigure wireshark-common" and select that Yes, non-superusers should be able to capture packets.
> 2. Add your user to the "wireshark" group (not sure if there's a UI for this in settings somewhere; if not, use "usermod -a -G wireshark $username", possibly with sudo in front).
> 3. Log out and back in for that to take effect.
>
> Once you've done that, Wireshark should, on your laptop, show the "any" and "lo" devices, and will probably show an "eth0" device for its Ethernet and a device with some other name, perhaps "wlan0", for your Wi-Fi device.

Yes, it did.

After I ran Evan's code, logged out and back, starting Wireshark produced a nice surprise. Suddenly I had a total of seven possible interfaces. The screen showed six columns of values for each interface and from there on everything was GUI. There was no need for any more manual entry. However, I did test it later with manual entry to see what would happen and it produced some surprising results.

I've provided an amount of detail here because you guys are forever helping people and it may assist you to know precisely what happened when I followed your suggestions. The attached text file contains all the interface detail. But refer only to Part 1 at this stage.


> However, once you've done that, the monitor mode checkbox won't necessarily work; you might have to use the airmon-ng steps. First make sure the aircrack-ng package (which I think Ubuntu offers) is installed, and then, if you have a wlan0 device, do
>
>         sudo airmon-ng start wlan0


It wasn't installed and I had to download it before proceeding.
When I ran 'sudo airmon-ng start wlan0' I was presented with the following message:

   Found 5 processes that could cause trouble
   If airodump-ng, aireplay-ng or airtun-ng stops working after
   a short period of time, you may want to kill (some of) them!

   Then it listed 5 names and PIDs, commencing with
   PID      Name
   966      avahi-daemon

   and ended up with Monitor Mode enabled as you've described here in
   the next few lines.  Chipsets and drivers were different.

> It will probably print out something such as
>
>         Interface   Chipset      Driver
>          wlan0      Intel 4965 a/b/g/n   iwl4965 - [phy0]
>                   (monitor mode enabled on mon0)
[snip]

> The "monitor mode enabled on mon0" means that you must then capture on the "mon0" interface, not on the "wlan0" interface, to capture in monitor mode.

This presents a bit of a dilemma.  You used the words:
     "you must then capture on the 'mon0' interface"

Two scenarios exist now.  Should I:

(a)  Use the GUI screen (as per my initial experience) and enable
     Monitor Mode through that interface.

(b)  Enable Monitor Mode manually
     i.e. sudo airmon-ng start wlan0

They appear to finish up with the same result, EXCEPT, when I start WS after having enabled Monitor Mode manually, it then has an extra interface, Mon0. See attached text file 'interfaces.txt' Part 2.

The screen display shows the interface named 'Mon0' as disabled and you can 'enable' it in the same manner as you do with wlan0. In fact, when experimenting I enabled Monitor Mode (Col 5) on both the Mon0 and wlan0 interfaces. It seems to me that SHOULD NOT have been allowed to happen.

I have captured packets under both wlan0 with Monitor Mode enabled and Mon0 with Monitor Mode enabled. They appear to have no significant differences, but my question is, "Which should I use, the Mon0 interface or the wlan0 with Monitor Mode enabled?"

It may just come down to going with either the GUI or the manual method, but whatever the case, shouldn't there be code to prohibit starting up an interface when it is already operating?

At this point I will send these messages, rather than trying to solve problems that might not exist.

Many thanks
GaryT


Attachment: interfaces.txt
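As an added example (not from the thread, and not Wireshark's or aircrack-ng's own tooling), a small POSIX shell script that checks the preconditions behind Evan's three steps and Guy's airmon-ng step: membership in the "wireshark" group, the file capabilities on dumpcap, and whether a monitor-mode interface already exists, which is the guard Gary asks about at the end. It assumes the usual Linux output formats of `getent group`, `getcap` and `iw dev`, and airmon-ng's "(monitor mode enabled on mon0)" line as quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Each check parses command output passed
# in as a string so it can be tried on constructed samples; "--live" feeds it
# the real commands on this machine.

# 1. Is user $2 listed in the "wireshark" group? ($1 = output of `getent group wireshark`)
in_wireshark_group() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        $1 == "wireshark" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# 2. Does dumpcap carry the capabilities non-root capture needs?
#    ($1 = output of `getcap /usr/bin/dumpcap`; both old "= ...+eip" and new "...=eip" forms)
dumpcap_has_caps() {
    case "$1" in
        *cap_net_admin*cap_net_raw*|*cap_net_raw*cap_net_admin*) return 0 ;;
        *) return 1 ;;
    esac
}

# 3. Which interfaces are already in monitor mode? ($1 = output of `iw dev`)
#    Guard against the double-enable Gary saw: only run airmon-ng if this prints nothing.
monitor_ifaces() {
    printf '%s\n' "$1" | awk '$1 == "Interface" { i = $2 } $1 == "type" && $2 == "monitor" { print i }'
}

# 4. Pull the interface to capture on out of airmon-ng's "(monitor mode enabled on mon0)" line.
airmon_monitor_iface() {
    printf '%s\n' "$1" | sed -n 's/.*monitor mode enabled on \([A-Za-z0-9_.-]*\).*/\1/p' | head -n 1
}

if [ "${1-}" = "--live" ]; then
    u=$(id -un)
    in_wireshark_group "$(getent group wireshark)" "$u" \
        && echo "ok: $u is in the wireshark group" \
        || echo "MISSING: $u is not in the wireshark group (step 2, then log out and back in)"
    dumpcap_has_caps "$(getcap "$(command -v dumpcap)" 2>/dev/null)" \
        && echo "ok: dumpcap has cap_net_admin,cap_net_raw" \
        || echo "MISSING: dumpcap capabilities (step 1: dpkg-reconfigure wireshark-common)"
    m=$(monitor_ifaces "$(iw dev 2>/dev/null)")
    [ -n "$m" ] && echo "already in monitor mode, capture on: $m" \
        || echo "no monitor interface yet; run: sudo airmon-ng start wlan0"
fi
```

Run it with `--live` on the laptop; with no arguments it only defines the functions, so the checks can be tried on sample output.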

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
