Wireshark-users: Re: [Wireshark-users] Capturing Wi-Fi traffic to/from Modem
From: GaryT <gary@xxxxxxxx>
Date: Mon, 28 Jul 2014 00:12:56 +1000
Two weeks ago, on 14/07/14 04:08, Guy Harris wrote: [BIG SNIP]
> The problem is probably that dumpcap doesn't have permission to open any interfaces other than the Bluetooth interface; the solution is probably the instructions Evan gave:
Yes, Evan's code worked as he expected.
> 1. Run "sudo dpkg-reconfigure wireshark-common" and select that Yes, non-superusers should be able to capture packets.
> 2. Add your user to the "wireshark" group (not sure if there's a UI for this in settings somewhere; if not, use "usermod -a -G wireshark $username", possibly with sudo in front).
> 3. Log out and back in for that to take effect.
> Once you've done that, Wireshark should, on your laptop, show the "any" and "lo" devices, and will probably show an "eth0" device for its Ethernet and a device with some other name, perhaps "wlan0", for your Wi-Fi device.
Yes, it did. After I ran Evan's code, logged out and back in, starting Wireshark produced a nice surprise. Suddenly I had a total of seven possible interfaces. The screen showed six columns of values for each interface and from there on everything was GUI. There was no need for any more manual entry. However, I did test it later with manual entry to see what would happen and it produced some surprising results.
I've provided an amount of detail here because you guys are for ever helping people and it may assist you to know precisely what happened when I followed your suggestions. The attached text file contains all the interface detail. But, refer only to Part 1 at this stage.
> However, once you've done that, the monitor mode checkbox won't necessarily work; you might have to use the airmon-ng steps. First make sure the aircrack-ng package (which I think Ubuntu offers) is installed, and then, if you have a wlan0 device, do
>
>     sudo airmon-ng start wlan0
It wasn't installed and I had to download it before proceeding. When I ran 'sudo airmon-ng start wlan0' I was presented with the following message:

    Found 5 processes that could cause trouble
    If airodump-ng, aireplay-ng or airtun-ng stops working after
    a short period of time, you may want to kill (some of) them!

Then it listed 5 names and PIDs, commencing with

    PID     Name
    966     avahi-daemon

and ended up with Monitor Mode enabled as you've described here in the next few lines. Chipsets and drivers were different.
> It will probably print out something such as
>
>     Interface       Chipset                 Driver
>     wlan0           Intel 4965 a/b/g/n      iwl4965 - [phy0]
>                                             (monitor mode enabled on mon0)
[snip]
> The "monitor mode enabled on mon0" means that you must then capture on the "mon0" interface, not on the "wlan0" interface, to capture in monitor mode.
This presents a bit of a dilemma. You used the words: "you must then capture on the 'mon0' interface". Two scenarios exist now. Should I:

(a) Use the GUI screen (as per my initial experience) and enable Monitor Mode through that interface.
(b) Enable Monitor Mode manually, i.e. sudo airmon-ng start wlan0

They appear to finish up with the same result, EXCEPT, when I start WS after having enabled Monitor Mode manually, it then has an extra interface, Mon0. See attached text file 'interfaces.txt' Part 2.
The screen display shows the interface named 'Mon0' as disabled and you can 'enable' it in the same manner as you do with wlan0. In fact, when experimenting I enabled Monitor Mode (Col 5) on both the Mon0 and wlan0 interfaces. It seems to me that SHOULD NOT have been allowed to happen.
I have captured packets under both wlan0 with Monitor Mode enabled and Mon0 with monitor mode enabled. They appear to have no significant differences but my question is, "which should I use, the Mon0 interface or the wlan0 with monitor mode enabled?"
It may just come down to going with either the GUI or the manual method but, whatever the case, shouldn't there be code to prohibit starting up an interface when it is already operating?
At this point I will send these messages, rather than trying to solve problems that might not exist.
Many thanks GaryT
INTERFACES PART 1
=================

If the laptop is not connected to somewhere via Wi-Fi, wlan0 does not appear. (I 'was' connected on the first attempt.)

When I clicked the mouse on the word "disabled" in column 5, Wireshark opened up an editbox titled "Edit Interface Settings" and it contained all the possible configuration options for wlan0 including setting promiscuous mode, filter options etc. (more on wlan0 below)

    Interface   Col 1                   Col 2      Col 3       Col 4        Col 5     Col 6
    name        Link Layer Header       Prom Mode  Snaplen[B]  Buffer[MiB]  Mon Mode  Capture Filter
    =========   =====================   =========  ==========  ===========  ========  ==============
    eth0        Ethernet                enabled    default     2            n/a
    wlan0       Ethernet **             enabled    default     2            disabled
      xxx.xxx.x.xx
      <mac addr>
    bluetooth   Bluetooth HCI UART      enabled    default     2            n/a
                transport layer plus
                pseudo header
    nflog       Linux Netfilter         enabled    default     2            n/a
                log messages
    nfqueue     Raw IPv4                enabled    default     2            n/a
    any         Linux cooked            enabled    default     2            n/a
    lo          Ethernet                enabled    default     2            n/a

** wlan0 varies according to the situation.
--------------------------------------------
If I start WS when NOT connected via Wi-Fi, wlan0 does not appear (nor does Bluetooth for that matter). When I am connected via Wi-Fi, wlan0 appears, Col 5 defaults to 'disabled' and Col 1 shows 'Ethernet'. Also, it displays the IP address and Mac address under the name. WHEN I CHANGE Col 5 to 'enabled', Col 1 changes from 'Ethernet' to '802.11 Plus radiotap header'.

INTERFACES PART 2
=================

Later, when I started WS after having manually enabled Monitor Mode, the number of available interfaces increased by one and Mon0 was displayed just below wlan0. It can be 'enabled' by the same method used on wlan0 and opens a similar editbox.

    Interface   Col 1                   Col 2      Col 3       Col 4        Col 5     Col 6
    name        Link Layer Header       Prom Mode  Snaplen[B]  Buffer[MiB]  Mon Mode  Capture Filter
    =========   =====================   =========  ==========  ===========  ========  ==============
    eth0        Ethernet                enabled    default     2            n/a
    wlan0       Ethernet                enabled    default     2            disabled
      xxx.xxx.x.xx
      <mac addr>
    Mon0        802.11 Plus             enabled    default     2            disabled
                radiotap header
    bluetooth   Bluetooth HCI UART      enabled    default     2            n/a
                transport layer plus
                pseudo header
    nflog       Linux Netfilter         enabled    default     2            n/a
                log messages
    nfqueue     Raw IPv4                enabled    default     2            n/a
    any         Linux cooked            enabled    default     2            n/a
    lo          Ethernet                enabled    default     2            n/a
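Added here as an example (not code from the thread or from the Wireshark project) is a small POSIX shell check that tells the three quoted steps apart when non-root capture still fails; it assumes a Debian/Ubuntu layout with dumpcap at /usr/bin/dumpcap and that "dpkg-reconfigure wireshark-common" grants it cap_net_raw and cap_net_admin. The "relogin" result is the step-3 case: getent group already lists the user, but id -nG for the running session does not yet.

```shell
#!/bin/sh
# Added example (not code from the thread or from Wireshark): check whether the
# three steps quoted above took effect, without running anything as root.
# Assumptions: Debian/Ubuntu layout with dumpcap at /usr/bin/dumpcap, and that
# "dpkg-reconfigure wireshark-common" grants it cap_net_raw and cap_net_admin.

DUMPCAP=${DUMPCAP:-/usr/bin/dumpcap}

# in_list NAME LIST: succeed if NAME is one of the whitespace-separated words in LIST
in_list() {
    for word in $2; do
        [ "$word" = "$1" ] && return 0
    done
    return 1
}

# caps_ok LINE: succeed if a getcap(8) line for dumpcap grants both cap_net_raw and
# cap_net_admin with the effective bit set. Accepts the older
# "... = cap_net_admin,cap_net_raw+eip" and newer "... cap_net_admin,cap_net_raw=eip" forms.
caps_ok() {
    case "$1" in *cap_net_raw*) ;; *) return 1 ;; esac
    case "$1" in *cap_net_admin*) ;; *) return 1 ;; esac
    case "$1" in *[=+]*) ;; *) return 1 ;; esac
    flags=${1##*[=+]}                 # text after the last '=' or '+', e.g. "eip"
    case "$flags" in *e*) return 0 ;; esac
    return 1
}

# session_status USER CURRENT_GROUPS GETENT_LINE: prints
#   ok          user is in "wireshark" in the running session
#   relogin     /etc/group has the user but this session predates the change (step 3)
#   not-member  user was never added to the group (step 2)
session_status() {
    if in_list wireshark "$2"; then
        echo ok
    elif in_list "$1" "$(printf '%s' "${3##*:}" | tr ',' ' ')"; then
        echo relogin
    else
        echo not-member
    fi
}

# Live check for the current login session; getcap/getent may be absent, so never abort.
capline=$(getcap "$DUMPCAP" 2>/dev/null || true)
groupline=$(getent group wireshark 2>/dev/null || true)
echo "dumpcap capabilities: $(caps_ok "$capline" && echo ok || echo missing)"
echo "group membership:     $(session_status "$(id -un)" "$(id -nG)" "$groupline")"
# If both say ok, dumpcap should list the same interfaces Wireshark's GUI shows.
"$DUMPCAP" -D 2>/dev/null || echo "dumpcap could not list interfaces"
```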