LinuxQuestions.org

Thread: https://www.linuxquestions.org/questions/linux-networking-3/wireshark-doesnt-capture-any-packets-in-monitor-mode-4175731472/

atef23 12-03-2023 04:38 AM

Wireshark Doesn't capture any packets in monitor mode
 
I'm trying to use Wireshark to sniff on my WLAN, and this is what I've done:
  • Check if my wireless interface supports monitor mode.

output from iw list command:
Quote:

* Supported interface modes:

* IBSS
* managed
* AP
* monitor
* mesh point
* P2P-client
* P2P-GO
* P2P-device
  • Stop network managers, then kill interfering processes using airmon-ng check kill
  • Enable monitor mode with airmon-ng start wlan0, output:

Quote:

PHY     Interface       Driver          Chipset

phy0    wlan0           ath10k_pci      Qualcomm Atheros QCA6174 802.11ac Wireless Network Adapter (rev 32)
                (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
                (mac80211 station mode vif disabled for [phy0]wlan0)
  • Show the current status of the wireless interfaces with iwconfig:

Quote:

lo        no wireless extensions.

wlan0mon  IEEE 802.11  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=-2147483648 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on
  • Then start Wireshark with sudo wireshark

Wireshark doesn't recognize the monitoring mode of the interface and doesn't show the checkbox under the monitoring column.

My OS details:

Quote:

PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
Wireshark Version:

Quote:

Wireshark 4.0.11 (Git v4.0.11 packaged as 4.0.11-1~deb12u1). Running on Linux 6.1.0-13-amd64.

jayjwa 12-11-2023 11:11 AM

1 Attachment(s)
You shouldn't need any of the airmon stuff. As long as the interface is up and in use, you should see it appear in the startup screen for Wireshark.

Code:

ip -c link show dev wlan0
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP mode DEFAULT group default qlen 1000
    link/ether 60:14:b3:6f:a3:bf brd ff:ff:ff:ff:ff:ff

I don't use sudo, but have dumpcap set with Linux caps.
Code:

getcap /usr/bin/dumpcap
/usr/bin/dumpcap cap_net_admin,cap_net_raw=eip

If you put the interface into monitor mode, you might get a different device.
Quote:

(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon) (mac80211 station mode vif disabled for [phy0]wlan0)
Note wlan0mon vs. wlan0. If you are using aircrack-ng, you can't have the interface being a station or an AP if I remember right. It's been a while since I used aircrack-ng. Pic is mine in AP mode (in use); you click wlan0.

nini09 12-12-2023 08:14 PM

If you just want to capture normal traffic, such as IPv4 or ARP, monitor mode is NOT necessary.
