Wireshark-users: Re: [Wireshark-users] Capturing Wi-Fi traffic to/from Modem
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 13 Jul 2014 11:08:17 -0700
On Jul 12, 2014, at 9:47 PM, GaryT <gary@xxxxxxxx> wrote:

> On 13/07/14 01:53, Evan Huus wrote:
> 
>> Do you have sufficient permissions to view those interfaces? If you just
> 
> It's my laptop, my Wi-Fi capable cable modem, my home office, I have all the authority I need Evan.  Nobody else has any access to it.

"Permissions" here doesn't mean "do you, as a human, have permission, granted by another human", it means "does the program doing the capturing have permission, granted by the operating system"?

> However, seriously I wonder whether I'm actually using Wireshark as root on this desktop unit. I remember reading some deep and meaningful discussion about the subject and apparently there is a potential security issue running WS as root from a terminal;

There's a potential security issue running *any* code as root, especially code that has to parse data that comes over the network, because a bug in that code could, in some cases, mean that cleverly-formed packets could inject code into the program in question and run it - meaning run it as root.

As one of the README files in the Wireshark source says:

	In versions up to and including 0.99.6, it was necessary to run
	Wireshark with elevated privileges in order to be able to capture
	traffic. With version 0.99.7, all function calls that require elevated
	privileges have been moved out of the GUI to dumpcap.

	WIRESHARK CONTAINS OVER TWO MILLION LINES OF SOURCE CODE. DO NOT RUN
	THEM AS ROOT.

So, on Linux, the idea is that the dumpcap program, which is part of Wireshark, would run with sufficient privileges to capture packets; it does not parse packets, so there's no packet-parsing code at risk there.

Evan's instructions with "sudo dpkg-reconfigure" arrange that dumpcap will run with sufficient privileges to capture (which doesn't mean "root privileges", at least with newer versions of Linux such as the one you're running; that's a bit safer).

> all I do is click the Wireshark icon in the System Tools menu. Frankly I don't know whether I'm running it as root or not!

You're probably not, which is why no interfaces are showing up.

>> Once you can capture cooked packets, capturing "raw" packets (with all the
>> IEEE802.11 headers etc) should be as simple as checking the "monitor mode"
>> box in the capture options dialogue box, assuming your version of Wireshark
>> is recent enough (which 1.10.* should be).
> 
> For this bit I had to turn on Bluetooth in order to get an interface list on the screen.

The capture mechanism for Bluetooth is different from the capture mechanism for "regular" interfaces such as Ethernet and Wi-Fi; it might not require elevated privileges.

> There is a column titled 'Mon. Mode' (presumably monitor mode), and in that column (against Bluetooth) it shows n/a (ie. not applicable).
> 
> On that same note, my desktop Wireshark v1.11.0 where I'm writing this also shows n/a in the Mon.Mode column of ALL three available interfaces.  They are:
> 
> eth0		Interface to the big wide Ethernet world.
> any		I don't know what "any" would be

It's a special pseudo-interface that captures incoming and outgoing traffic on all "regular" interfaces (in the sense described above); it doesn't support promiscuous mode or monitor mode.

> So, a Question:
> Can I assume that the n/a means not applicable ONLY because the interfaces I have on this desktop unit are not IEEE802.11 ?

Yes.

> But, the laptop also has its Mon. Mode column marked n/a against Bluetooth.  Doesn't BT come under IEEE802.11 ??

No.  It's a completely different radio-based network technology.

The problem is probably that dumpcap doesn't have permission to open any interfaces other than the Bluetooth interface; the solution is probably the instructions Evan gave:

> 1. Run "sudo dpkg-reconfigure wireshark-common" and select that Yes, non-superusers should be able to capture packets.
> 2. Add your user to the "wireshark" group (not sure if there's a UI for this in settings somewhere; if not, use "usermod -a -G wireshark $username", possibly with sudo in front).
> 3. Log out and back in for that to take effect.

Once you've done that, Wireshark should, on your laptop, show the "any" and "lo" devices, and will probably show an "eth0" device for its Ethernet and a device with some other name, perhaps "wlan0", for your Wi-Fi device.

However, once you've done that, the monitor mode checkbox won't necessarily work; you might have to use the airmon-ng steps.  First make sure the aircrack-ng package (which I think Ubuntu offers) is installed, and then, if you have a wlan0 device, do

	sudo airmon-ng start wlan0

It will probably print out something such as

	Interface   Chipset      Driver
	 wlan0      Intel 4965 a/b/g/n   iwl4965 - [phy0]
	          (monitor mode enabled on mon0)

(although the "Intel 4965 a/b/g/n", in the "Chipset" column, and the "iwl4965", in the "Driver" column, might be different).

The "monitor mode enabled on mon0" means that you must then capture on the "mon0" interface, not on the "wlan0" interface, to capture in monitor mode.

When you're finished capturing, you'd want to turn monitor mode off.  To turn monitor mode off, you would use a command such as

	sudo airmon-ng stop mon0

If, instead, "sudo airmon-ng start wlan0" prints something that doesn't mention a "mon0" device, you should capture on the "wlan0" interface and, when done, do

	sudo airmon-ng stop wlan0
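As an added example (not from Guy's or Evan's messages), a small POSIX shell script that checks the outcome of the three setup steps and applies the airmon-ng rule at the end: it verifies that dumpcap carries capture capabilities rather than being setuid root, that the user is in the "wireshark" group, and extracts the monitor interface name from airmon-ng's output. The /usr/bin/dumpcap path and the group name are Debian/Ubuntu assumptions; the sample strings it is tested with are constructed.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: after the dpkg-reconfigure,
# usermod and re-login steps, check that dumpcap has capture capabilities rather
# than being setuid root, that the user is in the capture group, and parse
# airmon-ng's output to pick the interface to capture on and later stop.
# Assumes the Debian/Ubuntu layout (dumpcap at /usr/bin/dumpcap, group
# "wireshark"); sample strings used for testing are constructed, not real output.

DUMPCAP=/usr/bin/dumpcap

# dumpcap_has_caps GETCAP_LINE: 0 if the file capabilities list both
# cap_net_raw and cap_net_admin and the flag set after the last '+' or '='
# contains 'e' (effective). Handles both getcap output styles.
dumpcap_has_caps() {
    case "$1" in *cap_net_admin*) ;; *) return 1 ;; esac
    case "$1" in *cap_net_raw*) ;; *) return 1 ;; esac
    flags=${1##*[+=]}
    case "$flags" in *e*) return 0 ;; *) return 1 ;; esac
}

# dumpcap_is_setuid_root MODE OWNER: 0 if dumpcap is setuid (mode 4xxx) and
# owned by root, i.e. the whole program would run as root, which is the
# arrangement the README quoted above warns against.
dumpcap_is_setuid_root() {
    [ "$2" = root ] && [ "${1#4}" != "$1" ]
}

# user_in_group GROUP_LIST GROUP: 0 if GROUP appears in the space-separated
# output of "id -Gn". After usermod, this only changes after a fresh login.
user_in_group() {
    for g in $1; do [ "$g" = "$2" ] && return 0; done
    return 1
}

# capture_iface WLAN AIRMON_OUTPUT: prints the interface to capture on and
# to pass to "airmon-ng stop" afterwards: the monitor interface named in
# "(monitor mode enabled on X)" if present, otherwise WLAN itself.
capture_iface() {
    mon=$(printf '%s\n' "$2" | sed -n 's/.*monitor mode enabled on \([^)]*\)).*/\1/p')
    [ -n "$mon" ] && echo "$mon" || echo "$1"
}

# Live checks run only where dumpcap and getcap exist (safe to source elsewhere).
if [ -x "$DUMPCAP" ] && command -v getcap >/dev/null 2>&1; then
    dumpcap_has_caps "$(getcap "$DUMPCAP")" && echo "dumpcap: capture capabilities set" \
        || echo "dumpcap: no capture capabilities; re-run dpkg-reconfigure wireshark-common"
    dumpcap_is_setuid_root $(stat -c '%a %U' "$DUMPCAP") && echo "WARNING: dumpcap is setuid root"
    user_in_group "$(id -Gn)" wireshark && echo "user is in group wireshark" \
        || echo "user not in group wireshark (usermod needs a new login to take effect)"
fi
```

Run it once after logging back in; a "WARNING: dumpcap is setuid root" line means the two-million-lines-as-root situation the README describes still applies and the dpkg-reconfigure step should be redone.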