Wireshark-users: Re: [Wireshark-users] cannot capture packetsfromwifirouter(NetgearWNDR3700).
> I had upgraded to ubuntu 11.10.
> $ dpkg --get-selections | grep libpcap
> libpcap0.8                                      install
>
> From the above, is it using libpcap 0.8 ?

No, use synaptic to check the version (1.1.1-8)

Anil

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx on behalf of Guy Harris
Sent: Tue 12/6/2011 3:03 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] cannot capture packetsfromwifirouter(NetgearWNDR3700).

On Dec 5, 2011, at 2:49 PM, Philip Anil-QBW348 wrote:
> I tried to check the checkbox. As I depress the box, it grays out and then re-enables.
> (almost as though it is being disabled, cleared and then re-enabled).

OK, this is a combination of several problems:

1) Ubuntu 10.10 (and, I think, the Debian release from which it's built) does not build libpcap 1.1.1 with libnl, which means that libpcap's monitor-mode APIs don't support the Shiny New mac80211 Mechanism, and end up using the old Wireless Extensions stuff;

2) libpcap 1.1.1's code to use the old Wireless Extension stuff to handle monitor mode had a number of bugs, which means that its monitor-mode APIs don't work correctly when using the old Wireless Extension stuff, and cause dumpcap to report an error;

3) Wireshark wasn't reporting the error it got from dumpcap in that case - it was briefly disabling the "monitor mode" checkbox (because its attempt to get information such as the link-layer header types in monitor mode failed because libpcap couldn't put the interface in monitor mode), then clearing the checkbox (because it failed to put the interface in monitor mode), and then re-enabling it (because the API it originally used to check whether monitor mode was supported *without* actually attempting to put the interface into monitor mode said monitor mode *is* supported).

I've checked into the trunk and 1.6 branches a fix for the third problem; it should now pop up an error message box if you try to check the monitor mode checkbox on platforms with the libpcap problems in question. The error message will refer you to the CaptureSetup/WLAN page in the Wireshark Wiki:

http://wiki.wireshark.org/CaptureSetup/WLAN

but it should really specifically refer you to

http://wiki.wireshark.org/CaptureSetup/WLAN#Linux

I'll fix it to do so later. The 1.6 branch changes should also go into 1.4, so they show up in the next 1.4.x release as well as the next 1.6.x release.

I've checked into the libpcap trunk and 1.2 branches a fix for the second problem, so they should show up in any future 1.2.x release (there are enough bug fixes that tcpdump.org should consider doing a 1.2.x release - and announce it so that various OSes pick it up) as well as any 1.3.0 release when it comes out. When that'll happen, I don't know, and I don't know whether any of the Linux distributions with this issue would pick it up as an update to existing releases or whether you'd have to wait for a future release. Given that anything short of Sid appears to have Wireshark 1.*2*.x as the Wireshark version, people who run into this are probably building Wireshark from source anyway, so they might end up picking up the fix for the third problem - monitor mode won't work well with the checkbox or the -I option, but at least it'll let you know something went wrong and point you at the Wireshark Wiki, which suggests using airmon-ng in that case.

I've sent mail to Romain Francoise (is there supposed to be a cedilla there?), the Debian maintainer for libpcap, about the first problem. Hopefully the fix is as simple as declaring libnl to be one of libpcap's dependencies.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
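
A way to check a Debian/Ubuntu host for the first problem described in the thread, added here as an example that is not part of the original messages and not Wireshark or libpcap project code. It assumes libnl, when used, is dynamically linked (so it appears in `ldd` output) and that the runtime package is named `libpcap0.8` as in the `dpkg` output quoted above; the function names and the `--live` switch are hypothetical.

```shell
#!/bin/sh
# Added example: decide which monitor-mode path a libpcap build will take,
# and read the real libpcap version (libpcap0.8 is a package NAME, not 0.8).

# stdin: output of `ldd <libpcap shared object>`.
# Prints "mac80211" if a libnl library is linked in, otherwise "wext"
# (the old Wireless Extensions fallback the thread describes).
pcap_monitor_backend() {
    if grep -Eq '(^|[[:space:]/])libnl[-.]'; then
        echo mac80211
    else
        echo wext
    fi
}

# stdin: lines of "<package> <debian-version>", e.g. from
#   dpkg-query -W -f='${Package} ${Version}\n' 'libpcap*'
# Prints the upstream version of the runtime package, with any Debian
# epoch ("N:") and revision ("-N") removed.
pcap_upstream_version() {
    awk '$1 ~ /^libpcap0\.8(:|$)/ {
             v = $2
             sub(/^[0-9]+:/, "", v)   # drop epoch
             sub(/-[^-]*$/, "", v)    # drop Debian revision
             print v
             exit
         }'
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_LDD_NO_LIBNL='	libc.so.6 => /lib/libc.so.6 (0x00007f0000000000)'
SAMPLE_DPKG='libpcap0.8 1.1.1-8'

# Live check against the local system, only when asked for explicitly.
if [ "${1:-}" = "--live" ]; then
    lib=$(ldconfig -p | awk '/libpcap\.so/ { print $NF; exit }')
    ver=$(dpkg-query -W -f='${Package} ${Version}\n' 'libpcap*' | pcap_upstream_version)
    echo "libpcap library:      $lib"
    echo "libpcap version:      $ver"
    echo "monitor-mode backend: $(ldd "$lib" | pcap_monitor_backend)"
fi
```

A result of `wext` means the monitor-mode checkbox and the `-I` option depend on the Wireless Extensions code path discussed in the second problem.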