WLAN monitor mode: check box won't stay checked


I'm running Wireshark 3.2.3 on Linux Cinnamon Mint.

uname -a returns: Linux martin-mint 5.4.0-88-generic #99-Ubuntu SMP Thu Sep 23 17:29:00 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

wireshark -v returns

Wireshark 3.2.3 (Git v3.2.3 packaged as 3.2.3-1)

Copyright 1998-2020 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.12.8, with libpcap, with POSIX capabilities (Linux),
with libnl 3, with GLib 2.64.2, with zlib 1.2.11, with SMI 0.4.8, with c-ares
1.15.0, with Lua 5.2.4, with GnuTLS 3.6.13 and PKCS #11 support, with Gcrypt
1.8.5, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.40.0, with
brotli, with LZ4, with Zstandard, with Snappy, with libxml2 2.9.10, with
QtMultimedia, without automatic updates, with SpeexDSP (using system library),
with SBC, with SpanDSP, without bcg729.

Running on Linux 5.4.0-88-generic, with Intel(R) Core(TM) i3-2120T CPU @
2.60GHz (with SSE4.2), with 3802 MB of physical memory, with locale en_GB.UTF-8,
with libpcap version 1.9.1 (with TPACKET_V3), with GnuTLS 3.6.13, with Gcrypt
1.8.5, with brotli 1.0.7, with zlib 1.2.11, binary plugins supported (0 loaded).

My wireless adaptor is Realtek 8811CU and this appears to work OK: I can connect to a network and browse the web using it.

iw dev initially returns

phy#0
    Interface wlx000f00[redacted]
        ifindex 3
        wdev 0x1
        addr 00:0f:00:[redacted]
        type managed
        txpower 12.00 dBm

but when I run sudo iw dev wlx000f00[redacted] set monitor none, "iw dev" returns

phy#0
    Interface wlx000f00[redacted]
        ifindex 3
        wdev 0x1
        addr 00:0f:00:[redacted]
        type monitor
        txpower 12.00 dBm

So it looks as if the adaptor is now in monitor mode.

I start Wireshark (sudo wireshark) and select Capture | Options. The WLAN adaptor now has a check box in the column "Monitor" which is not present if the adaptor is in managed mode.

But as soon as I check the Monitor box, it unchecks itself. Promiscuous mode is enabled for all adaptors.

What am I doing wrong?

I'm tearing my hair out trying to find a way to wireshark the traffic between an Android phone and the internet to work out why no browser on the phone (Firefox, Dolphin, Chrome) can browse to a specific web site even though:

  1. it can browse all other sites
  2. Windows and Linux computers can browse to the site.

Hence the need to wireshark the wireless network that the phone is connected to (in the absence of Wireshark for Android!!!!!!!!!!!). I gather that Wireshark for Linux can use monitor mode whereas Wireshark for Windows ... (more)

martinu
asked 2021-09-28 21:11:28 +0000
grahamb
updated 2021-09-29 09:34:19 +0000

Comments

Did you disable the NetworkManager? Also make sure other system services are not using the adapter such as hostapd or wpa_supplicant. The aircrack-ng suite of tools includes airmon-ng which can help prep an interface for monitor mode capture.

Others have had trouble with that chipset family. Unfortunately, usage in managed mode does not necessarily imply functioning monitor mode support.

You can avoid this wifi-specific problem altogether by capturing the wired traffic at the other side of the AP or anywhere along the wired path as it travels to the destination.

Bob Jones (2021-09-29 13:01:39 +0000)
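A small diagnostic script, added here as an example and not code from the original post or any commenter, that parses iw dev output (with a constructed sample shaped like the listings above) and runs the checks this comment raises: whether the driver advertises monitor mode at all, whether NetworkManager still owns the interface, and whether wpa_supplicant or hostapd is running. The interface name, MAC and helper names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or its commenters: parse
# "iw dev" output and run the checks the comment above raises (driver support,
# NetworkManager, wpa_supplicant/hostapd) before trusting the "Monitor" box.
# The interface name and MAC in the sample are constructed placeholders.

# iw_type IFACE: read "iw dev" text on stdin and print the type of IFACE
# ("managed", "monitor", ...), or "absent" if the interface is not listed.
iw_type() {
    awk -v want="$1" '
        $1 == "Interface"           { cur = $2 }
        $1 == "type" && cur == want { print $2; found = 1 }
        END                         { if (!found) print "absent" }
    '
}

# Constructed sample in the shape of the first listing in the question.
SAMPLE_MANAGED='phy#0
    Interface wlx000f00aabbcc
        ifindex 3
        wdev 0x1
        addr 00:0f:00:aa:bb:cc
        type managed
        txpower 12.00 dBm'
# The same interface after "iw dev ... set monitor none".
SAMPLE_MONITOR=$(printf '%s\n' "$SAMPLE_MANAGED" | sed 's/type managed/type monitor/')

# monitor_check IFACE: live diagnostic for this host (needs iw and pgrep; nmcli
# optional). Returns 0 only if the kernel currently reports IFACE as type monitor.
monitor_check() {
    iface="$1"
    t=$(iw dev | iw_type "$iface")
    echo "iw dev reports $iface as type: $t"
    # Working managed mode proves nothing; the driver must advertise monitor mode.
    if iw phy | awk '/Supported interface modes/ {m=1; next} m && /\*/ {print; next} {m=0}' | grep -q monitor; then
        echo "driver advertises monitor mode"
    else
        echo "WARNING: no phy lists monitor under 'Supported interface modes'"
    fi
    # NetworkManager re-asserts managed mode on interfaces it still owns.
    if command -v nmcli >/dev/null 2>&1; then
        nm=$(nmcli -t -f DEVICE,STATE device 2>/dev/null | grep "^$iface:" | cut -d: -f2)
        [ -n "$nm" ] && [ "$nm" != "unmanaged" ] &&
            echo "NetworkManager state '$nm': consider 'nmcli device set $iface managed no'"
    fi
    # A running supplicant or AP daemon will also keep reconfiguring the adapter.
    for p in wpa_supplicant hostapd; do
        pgrep -x "$p" >/dev/null 2>&1 && echo "$p is running (pid $(pgrep -x "$p" | head -n1))"
    done
    [ "$t" = "monitor" ]
}
```

Run `monitor_check wlx000f00aabbcc` (with your own interface name) after `sudo iw dev ... set monitor none`; a non-zero exit with one of the warnings printed points at what is flipping the interface back.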

If I connected a network switch between the AP and the router, and connected a Linux PC to another Ethernet port on the switch, wouldn't I fall foul of the switch doing its job correctly by not echoing traffic onto the monitoring leg unless it was to/from a device on that leg? At least with wifi, it's all one big network with no filtering, so in theory any computer connected by wifi should see all the traffic to/from other computers on the wifi - as long as Wireshark and the adaptor are in monitor mode as well as promiscuous mode. I've learned something: I thought promiscuous mode was sufficient with LAN monitors. Mind you, when I used to use a Sniffer (TM) in the 1990s it was on thin Ethernet (coax cable with T pieces and terminators) so there was no filtering - all traffic was available ... (more)

martinu (2021-09-29 13:58:28 +0000)

as long as Wireshark and the adaptor are in monitor mode as well as promiscuous mode

And you can properly decrypt the traffic (your wifi is using WPA2 or better, right?!), manage the packet loss that may occur from the sniffer system, and have a wifi capture system that is capable enough to pick up the traffic in question, assuming already that monitor and promisc mode are in place and functioning.

The problem nowadays is getting hold of a simple dumb hub

Yes, for wired capture with a switch, it does take a tap of some sort. On Amazon they are less than $19 so access is straightforward. Most professional enterprise infrastructure typically has the capability already, but for home use it is a little more unusual to have equipment with this capability already.

Bob Jones (2021-09-29 15:57:43 +0000)