Wireshark monitor mode not working

gonny95 · 06-07-2015, 10:34 AM

Distro : Arch Linux x86_64

Hi I'm trying to capture packets with Wireshark in monitor mode.

I ran Wireshark with noraml user and selected interface wlp1s0.
When I pushed the start button, the following error occured:

Code:

Unknown message from dumpcap, try to show it as a string: Can't delete monitor interface mon1 (SIOCGIFINDEX: Bad file descriptor).
Please delete manually.
E

I thought that was permission problem, so I ran Wire shark using sudo but still the same error message box.

Any ideas??

exvor · 06-09-2015, 12:04 AM

Its possible that your interface does not support promiscuous mode.

gonny95 · 06-09-2015, 12:21 AM

Okay.. do you know how to check which modes does the interfaces support?

gonny95 · 06-09-2015, 02:23 AM

My interface do support promiscuous mode
because Wireshark captures packets in promiscuous mode by default.

Also there appears kernel message.

Code:

[Jun 8 14:20] device wlp1s0 entered promiscuous mode

And my interface also seems to support monitor mode.
The problem is I just can't start capturing in monitor mode.

Code:

 iw phy0 info
Wiphy phy0
	max # scan SSIDs: 20
	max scan IEs length: 425 bytes
	Retry short limit: 7
	Retry long limit: 4
	Coverage class: 0 (up to 0m)
	Device supports RSN-IBSS.
	Device supports AP-side u-APSD.
	Supported Ciphers:
		* CCMP (00-0f-ac:4)
		* 00-0f-ac:10
		* TKIP (00-0f-ac:2)
		* GCMP (00-0f-ac:8)
		* 00-0f-ac:9
		* WEP40 (00-0f-ac:1)
		* WEP104 (00-0f-ac:5)
		* CMAC (00-0f-ac:6)
		* 00-0f-ac:13
		* 00-0f-ac:11
		* 00-0f-ac:12
		* WPI-SMS4 (00-14-72:1)
	Available Antennas: TX 0 RX 0
	Supported interface modes:
		 * IBSS
		 * managed
		 * AP
		 * AP/VLAN
		 * monitor
		 * P2P-client
		 * P2P-GO
		 * P2P-device