Re: Capturing Wi-Fi traffic to/from Modem

[Evan Huus <eapache () gmail com>]

On Sun, Jul 13, 2014 at 12:47 AM, GaryT <gary () taig net> wrote:

> Big thank you, Evan.
>
> On 13/07/14 01:53, Evan Huus wrote:
> [BIG SNIP]
>
>
>  First step is to be able to use the wifi to e.g. browse the web; it's not
> > clear from your email if that's even the case. If that's already working,
>
> I have full use of the laptop, full access to the Net, can download,
> upload, view videos etc.  Have tested the connection with the wife viewing
> a video on her Samsung Tablet as I was doing the same on the laptop.
>  Different videos from different locations. I'm happy with the way it works
> except for the absence of interfaces.  Initially there was Bluetooth and
> nothing else. Now that I've turned off BT there are no interfaces from
> which to select.
>
>
>  then capturing "cooked" packets (with all the IEEE802.11 headers,
> > encryption, etc. stripped and replaced with fake ethernet headers) should
> > be as simple as pointing Wireshark at your wlan0 interface. If Wireshark
> > doesn't display any wlan* interfaces even though you have working wifi,
> > that's *weird* and possibly a bug.
>
> It's nice to know there "should be" an interface.  At least I know now
> that something really odd is happening.  However, I have a feeling the
> answer might be contained in that doc I mentioned; it gets into the nitty
> gritty.   http://wiki.wireshark.org/CaptureSetup/WLAN#Linux
>
>
>  Do you have sufficient permissions to view those interfaces? If you just
> >
>
> It's my laptop, my Wi-Fi capable cable modem, my home office, I have all
> the authority I need Evan.  Nobody else has any access to it.
>
> However, seriously I wonder whether I'm actually using Wireshark as root
> on this desktop unit. I remember reading some deep and meaningful
> discussion about the subject and apparently there is a potential security
> issue running WS as root from a terminal; all I do is click the Wireshark
> icon in the System Tools menu. Frankly I don't know whether I'm running it
> as root or not!  Haven't given it any serious thought until now.   Comment??


That's almost certainly the issue then.


>  installed the default Wireshark (which is actually inherited from Debian,
> > so Canonical doesn't have much to do with it) then normal users aren't
> > given permission to capture packets by default. You should follow the
> > instructions in [1] to give regular users permission to capture packets.
>
> Have downloaded that page [1], made a PDF.  Will read it and hopefully
> something will gel.... but the old brain is not nimble any more.


I believe the short version is:

1. Run "sudo dpkg-reconfigure wireshark-common" and select that Yes,
non-superusers should be able to capture packets.
2. Add your user to the "wireshark" group (not sure if there's a UI for
this in settings somewhere, if not, use "usermod -a -G wireshark
$username", possibly with sudo in front.
3. Log out and back in for that to take effect.


>  Once you can capture cooked packets, capturing "raw" packets (with all the
> > IEEE802.11 headers etc) should be as simple as checking the "monitor mode"
> > box in the capture options dialogue box, assuming your version of
> > Wireshark
> > is recent enough (which 1.10.* should be).
>
> For this bit I had to turn on Bluetooth in order to get an interface list
> on the screen.
>
> There is a column titled 'Mon. Mode' (presumably monitor mode), and in
> that column (against Bluetooth) it shows n/a (ie. not applicable).
>
> On that same note, my desktop Wireshark v1.11.0 where I'm writing this
> also shows n/a in the Mon.Mode column of ALL the three available
> interfaces.  They are:
>
> eth0            Interface to the big wide Ethernet world.
> any             I don't know what "any" would be
> lo  127.0.0.1   The loopback
>
> When running I capture only on eth0.
>
> So, a Question:
> Can I assume that the n/a means not applicable ONLY because the interfaces
> I have on this desktop unit are not IEEE802.11 ?

Yup.

But, the laptop also has its Mon. Mode column marked n/a against Bluetooth.
>    Doesn't BT come under IEEE802.11 ??   Should it not allow or enable me
> to select Mon. Mode?

No idea, but it seems reasonable to me that it's wifi-only. Guy might have
a better explanation. As Guy pointed out in his reply anyways, that method
doesn't work on Linux unfortunately.


> Evan, I had gone through much of this on my own before writing my first
> post.  I believe it's possible the Laptop might be to blame, that's why I
> included the details.  The capture Setup document makes reference to cards
> and drivers but when reading that doc I encountered many terms, acronyms
> and other stuff that was completely foreign to me.
> That's where/why I need help, guidance, hand holding etc.
>
> Many thanks for helping.
> GaryT
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe