Wireshark-users: Re: [Wireshark-users] Capturing 802.11 RSSI and TX Rate Values Using Ubuntu Linu
Thank you very much for your quick response.
> > I am new to Wireshark. I need to capture RSSI values from an 802.11
> > network using an Ubuntu Linux 8.10 PC.
>
> What version of the kernel is your PC running? ("uname -r" on the
> command line should tell you that.)
2.6.27-9-generic (It's the most recent available through Ubuntu, I think)
>
> > I have added the columns in
> > the user interface, but no values are displaying.
>
> You're probably not getting 802.11 and radio headers when you're
> capturing. In the detail pane, what are the protocol layers Wireshark
> displays for packets?
For TCP packets, which I am interested in:
Frame #
Ethernet II
Internet Protocol
Transmission Control Protocol
I hope this answers your question.
>
> > Perhaps I have the
> > incorrect driver (currently I am using iwlagn). Can anyone provide a
> > hint?
>
> The iwl drivers appear to support mac80211, at least in recent
> kernels; if so, they should be able to supply *some* radio information.
>
> However, if they're mac80211 drivers, then, at least from my reading
> of the mac80211 code in net/mac80211 in the 2.6.27.9 kernel:
>
> 1) they supply radio information using the radiotap header, which
> doesn't directly provide RSSI values; instead, it can supply signal
> strength and noise power in dBm;
That would probably be fine.
>
> 2) they only supply it in "monitor mode".
>
> In order to go into "monitor mode" with a mac80211 driver, you'd need
> to add a "monitor mode" virtual interface and capture on that. At
> least with newer kernels, this requires the "iw" command; assuming
> that the "master" interface for your wireless adapter is "wmaster0",
> you'd have to do
>
> iw dev wmaster0 interface add mon0 type monitor
>
> ifconfig mon0 up
>
> and then capture on the "mon0" interface. When you're done, do
>
> iw dev mon0 interface del
>
> to get rid of the "mon0" interface.
I'll try this now.
>
> > Also, I can apparently use the 802.11 connection and capture packets
> > at the same time. With other sniffers I have used this was not
> > possible. Is this supposed to be possible with Wireshark, or is this
> > part of the problem in my setup?
>
> Whether you can remain associated with a network and capture traffic
> depends on:
>
> 1) whether you're capturing in monitor mode or not - if you're not in
> monitor mode, you should remain associated with the network, but if
> you are in monitor mode, you *might* not be able to remain associated
> with the network;
>
> 2) the operating system on which you're running - Linux doesn't
> absolutely *prevent* you from remaining associated in monitor mode;
>
> 3) the adapter and driver - some adapters and drivers might allow you
> to remain associated even in monitor mode (the mac80211 driver for my
> Belkin stick appears to let me remain associated).
Thank you very much for your help!
Tal
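
As an added example that is not part of the original thread: a minimal Python parser for the radiotap header discussed above, reading the rate and the dBm signal and noise fields from the start of a monitor-mode frame. The sample bytes are constructed, and the parser decodes only present bits 0 to 6 of the first bitmap word.

```python
import struct

# (name, alignment, size) for radiotap "present" bits 0..6, in bit order.
FIELDS = [("tsft", 8, 8), ("flags", 1, 1), ("rate", 1, 1), ("channel", 2, 4),
          ("fhss", 2, 2), ("dbm_antsignal", 1, 1), ("dbm_antnoise", 1, 1)]

def parse_radiotap(frame: bytes) -> dict:
    """Decode rate, channel and dBm signal/noise from a radiotap header."""
    if len(frame) < 8:
        raise ValueError("too short for a radiotap header")
    version, _pad, length, present = struct.unpack_from("<BBHI", frame, 0)
    if version != 0 or length < 8 or length > len(frame):
        # Typical when the capture was not taken in monitor mode and the
        # frame starts with an Ethernet header instead.
        raise ValueError("not a valid radiotap header (wrong link type?)")
    offset, word = 8, present
    while word & (1 << 31):  # bit 31 set: another bitmap word follows
        if offset + 4 > length:
            raise ValueError("present bitmap runs past header length")
        (word,) = struct.unpack_from("<I", frame, offset)
        offset += 4
    out = {"header_len": length}
    for bit, (name, align, size) in enumerate(FIELDS):
        if not present & (1 << bit):
            continue
        # Fields are naturally aligned relative to the start of the header.
        offset = (offset + align - 1) & ~(align - 1)
        if offset + size > length:
            raise ValueError(f"{name} runs past header length")
        if name == "rate":
            out["rate_mbps"] = frame[offset] * 0.5  # units of 500 kb/s
        elif name == "channel":
            (out["channel_mhz"],) = struct.unpack_from("<H", frame, offset)
        elif name.startswith("dbm_"):
            (out[name],) = struct.unpack_from("<b", frame, offset)  # signed
        offset += size
    return out

# Constructed sample header: TSFT, flags, rate, channel, dBm signal, dBm noise.
SAMPLE = bytes.fromhex("000018006f000000" "0000000000000000"
                       "10" "6c" "8509c000" "c2" "a1")

if __name__ == "__main__":
    print(parse_radiotap(SAMPLE))
```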