Re: Why "Monitor Mode" column still showed "n/a" when pcap_can_set_rfmon() function returns 1

[Yang Luo <hsluoyb () gmail com>]

Hi Pascal,

The cause is that pcap_can_set_rfmon() is not exported. After I export
it, Capture
Interfaces window still shows "disabled" in "Monitor Mode" column.

But there's another issue. The dumpcap.exe will crash when launching
Wireshark. After some debugging, I found the cause:
My pcap_can_set_rfmon() implementation is the following
pcap_can_set_rfmon_win32
function.

/*
* Check if rfmon mode is supported on the pcap_t for Windows systems.
*/
static int
pcap_can_set_rfmon_win32(pcap_t *p)
{
return PacketIsMonitorModeSupported(p->adapter);
}


And it calls the PacketIsMonitorModeSupported() function in Packet.dll.
This function calls PacketRequest to send a Query OID request
(OID_DOT11_OPERATION_MODE_CAPABILITY) like Guy said. And PacketRequest call
needs the adapter to be opened first.

So it seems that Wireshark should open the adapter before querying whether
it supports monitor mode, which it's not the case currently.

I find it paradox because there are so many functions that need to send
Query/Set OID requests. So I looked at them and found most OID requests are
"Set" ones like pcap_set_buffer_size() . It doesn't immediately
call PacketSetBuff(). It just records the value and set that value when
calling pcap_activiate_win32(). However, functions that need to "Query"
OIDs couldn't do this, because the value needs to be obtained at once. It
can't be postponed to calling pcap_activiate_win32(). I found
only pcap_stats_ex() is in this category. It calls PacketGetStatsEx which
tries to query an OID. But this pcap_stats_ex() function is never used in
Wireshark.

So I want to know how to solve this? Is it possible to make Wireshark open
the adapter first before querying whether it supports monitor mode?
Or we can do it in a simpler way. First we determine whether the adapter is
an wireless adapter. If it's not a wireless adapter, we don't even need to
know whether it has monitor mode support. BTW, do you know any built-in
method to know whether an adapter is a wireless one? I only know one method:
1) use "netsh wlan show interfaces" to show all the names of wireless
adapters
2) compare the pcap_t adapter name with the above names, if there's a
match, then it's a wireless adapter.
But I don't think it's very good. Wait for better solutions?

And considering that most of wireless adapters support monitor mode (at
least I didn't know anyone said his adapter doesn't support it), we can
just safely return TRUE in pcap_can_set_rfmon_win32() for any wireless
adapter. So the "Query" OID request is no longer needed.


Cheers,
Yang





On Wed, May 18, 2016 at 5:51 PM, Pascal Quantin <pascal.quantin () gmail com>
wrote:

> Hi Yang,
>
> 2016-05-17 19:02 GMT+02:00 Yang Luo <hsluoyb () gmail com>:
>
> > Hi list,
> >
> > I'm using Wireshark 2.1.0-3054-gad4d0b8. I found that after I made
> > pcap_can_set_rfmon() function in Npcap always return 1. The Capture
> > Interfaces window still shows "n/a" in "Monitor Mode" column.
> >
> > J:\npcap\wpcap\libpcap\pcap.c:
> >
> > /*
> >  * Returns 1 if rfmon mode can be set on the pcap_t, 0 if it can't,
> >  * a PCAP_ERROR value on an error.
> >  */
> > int
> > pcap_can_set_rfmon(pcap_t *p)
> > {
> > return 1;
> > //return (p->can_set_rfmon_op(p));
> > }
> >
> >
> > I have analyzed the code flow:
> >
> >
> > 1)
> > https://github.com/wireshark/wireshark/blob/07fb53b063bcd4c2c67706cf7316b625efe0767e/ui/qt/capture_interfaces_dialog.cpp#L528
> > ti->setText(col_monitor_, QString(device->monitor_mode_supported?
> > (device->monitor_mode_enabled ? tr("enabled") : tr("disabled")) :
> > tr("n/a")));
> > The key is:
> > device->monitor_mode_supported
> >
> > 2)
> > https://github.com/wireshark/wireshark/blob/73957b4f44054a5f5fd013cf64b0bf80d8afd6e1/ui/qt/manage_interfaces_dialog.cpp#L599
> > device.monitor_mode_supported = caps->can_set_rfmon;
> > The key is:
> > caps->can_set_rfmon
> >
> > 3)
> > https://github.com/wireshark/wireshark/blob/07fb53b063bcd4c2c67706cf7316b625efe0767e/caputils/capture-pcap-util.c#L1021
> > status = pcap_can_set_rfmon(pch);
> > The key is:
> > pcap_can_set_rfmon()
> >
> > So this call sequence shows that if pcap_can_set_rfmon() returns 1, the
> > "Monitor Mode" column should show "enabled" or "disabled", not "n/a". So
> > what am I missing here?
>
> I just tested v2.1.0rc0-3090-g886e2bf with the following patch applied:
> diff --git a/caputils/capture-wpcap.c b/caputils/capture-wpcap.c
> index 5094375..e5a2661 100644
> --- a/caputils/capture-wpcap.c
> +++ b/caputils/capture-wpcap.c
> @@ -495,6 +495,7 @@ int
>  pcap_can_set_rfmon(pcap_t *a)
>  {
>         g_assert(has_wpcap);
> +       return 1;
>         if (p_pcap_can_set_rfmon != NULL) {
>                 return p_pcap_can_set_rfmon(a);
>         }
>         return 0;
>
> And the Qt GUI correctly displays "disabled".
> So presumably p_pcap_can_set_rfmon is NULL.
>
> Is pcap_can_set_rfmon() symbol exported by your wpcap.dll? Can you share a
> npcap test build?
>
> Regards,
> Pascal.
>
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> Archives:    https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request () wireshark org
> ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe