Wireshark-users: Re: [Wireshark-users] Capturing Wi-Fi traffic to/from Modem
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sat, 12 Jul 2014 16:58:57 -0700
On Jul 12, 2014, at 8:40 AM, GaryT <gary@xxxxxxxx> wrote:

> Searched and found a 6000 word document on the Wireshark.Org site...

Yes, that's what happens when OSes make it complicated to select monitor mode, and people could be using a wide variety of different versions of different OSes, and different versions of Wireshark, and ask about capturing on Wi-Fi with all of them.

Perhaps the page should be split into subpages for different OSes, with the top-level page linking to the subpages.

> (2)
> identify the Laptop card and drivers etc in order to determine how to get Wireshark capturing 802.11 packets.

If libnl weren't such a pain (see below), libpcap (the library that Wireshark uses for packet capturing) would render that irrelevant.

However, even given that:

> From that (above) document I'm aware of many snippets of info, for example:
> 
> [The "monitor mode enabled on mon0" means that you must then capture on the "mon0" interface, not on the "wlan0" interface, to capture in monitor mode. To turn monitor mode off, you would use a command such as sudo airmon-ng stop mon0, not sudo airmon-ng stop wlan0.]

airmon-ng should be able to render it mostly irrelevant; read the discussion of it in there and follow the admittedly-somewhat-complicated instructions.

> Greatly appreciate any help, pointers, comments.
> Wouldn't it be terrific if someone wrote, "All you need to do is..."

Wouldn't it be terrific if operating system providers didn't make it Really Complicated to turn monitor mode on, so that software developers (which, in this question, unfortunately means "me") don't have to write code that goes through hoops to do so?

Sadly, they didn't, and I haven't had the time to fix libpcap so that the code I wrote to turn monitor mode on doesn't depend on a library with multiple incompatible versions (meaning that it's unsafe to have libpcap use it, as all hell breaks loose if a program using libpcap is linked with one version and libpcap is linked with another), to allow that code to actually be *present* in Linux distributions (as opposed to being configured out).

So, yes, monitor mode in Wireshark is a bit of a steaming heap of suck on Linux (and, for other reasons, on platforms other than OS X).

However, be aware that, on a "protected" Wi-Fi network (one using encryption), it is *BY DESIGN* a bit complicated to sniff the network - the "protection" is against people sniffing network traffic.  See

	http://wiki.wireshark.org/HowToDecrypt802.11

for a discussion of *that*.  (If your network *isn't* "protected", somebody near it may be able to capture your network traffic; if the traffic is encrypted at a higher level, such as with HTTPS, they shouldn't be able to see anything at that level, but they'll still be able to see things at lower levels.)
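The closing paragraph points at HowToDecrypt802.11 for why a "protected" network is hard to sniff. As an added example (this is not Wireshark's code and not part of the original message), here is the work the decryptor has to do before it can read a single WPA2-PSK/CCMP frame: derive the PMK from the passphrase and SSID with PBKDF2, then derive the per-station PTK from the PMK plus the two MAC addresses and two nonces that only a capture of the 4-way handshake supplies, and finally check the result against the MIC on handshake message 2. The passphrase/SSID pair "password"/"IEEE" and its PMK are the IEEE 802.11i test vector; the MAC addresses, nonces and EAPOL-Key frame are constructed for illustration. The `passphrase_opens_handshake` function and the hypothetical `build_msg2` helper are this example's own, not a Wireshark API.

```python
"""WPA2-PSK key derivation and handshake MIC check, as a capture tool must do
before decrypting CCMP data frames.  Added example; not Wireshark's code."""
import hashlib
import hmac
import struct


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK/PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This is the only secret the capture tool needs from the user."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def ptk_from_handshake(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = KCK || KEK || TK.  The addresses and nonces come from the captured
    4-way handshake, which is why a capture that misses it cannot be decrypted.
    CCMP needs 384 bits."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 384)


def split_ptk(ptk: bytes):
    """KCK (MIC key), KEK (key-data wrapping key), TK (CCMP data key)."""
    return ptk[:16], ptk[16:32], ptk[32:48]


# Offset of the 16-byte Key MIC field inside an EAPOL-Key frame:
# EAPOL header 4 + descriptor 1 + key info 2 + key len 2 + replay 8
# + nonce 32 + IV 16 + RSC 8 + ID 8 = 81.
MIC_OFFSET = 81


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC over the EAPOL-Key frame with the MIC field zeroed.
    WPA2 with AKM 00-0F-AC:2 uses HMAC-SHA1 truncated to 128 bits."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Hypothetical helper: a minimal handshake message 2 (station -> AP),
    constructed here so the example runs without a capture file."""
    body = (b"\x02"                      # descriptor type: RSN
            + struct.pack(">H", 0x010A)  # key info: MIC, pairwise, HMAC-SHA1/AES
            + struct.pack(">H", 16)      # key length: CCMP TK
            + struct.pack(">Q", 1)       # replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8
            + mic + struct.pack(">H", 0))  # MIC, key data length 0
    return b"\x02\x03" + struct.pack(">H", len(body)) + body


def passphrase_opens_handshake(passphrase: str, ssid: str, aa: bytes, spa: bytes,
                               anonce: bytes, snonce: bytes, msg2: bytes) -> bool:
    """True if the candidate passphrase yields a KCK that verifies msg2's MIC.
    This is the check a decryptor (or an offline guesser) runs per candidate."""
    pmk = pmk_from_passphrase(passphrase, ssid)
    kck, _kek, _tk = split_ptk(ptk_from_handshake(pmk, aa, spa, anonce, snonce))
    return hmac.compare_digest(eapol_mic(kck, msg2), msg2[MIC_OFFSET:MIC_OFFSET + 16])


# Constructed scenario: IEEE test-vector credentials, made-up MACs and nonces.
SSID, PASSPHRASE = "IEEE", "password"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
_KCK = split_ptk(ptk_from_handshake(pmk_from_passphrase(PASSPHRASE, SSID),
                                    AP_MAC, STA_MAC, ANONCE, SNONCE))[0]
MSG2 = build_msg2(SNONCE, mic=eapol_mic(_KCK, build_msg2(SNONCE)))

if __name__ == "__main__":
    print("PMK:", pmk_from_passphrase(PASSPHRASE, SSID).hex())
    for guess in ("password", "Password"):
        print(guess, "->", passphrase_opens_handshake(guess, SSID, AP_MAC, STA_MAC,
                                                      ANONCE, SNONCE, MSG2))
```

Two things the code makes concrete: the PMK alone is not enough, because the PTK depends on nonces that are fresh per association, so the handshake itself must be in the capture; and the MIC check is cheap once the PMK is known, but every new passphrase guess costs 4096 PBKDF2 iterations, which is the whole point of the "protection".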