
Does Wireshark support "WiFi Direct" (aka "Wifi-p2p")?

I'm trying to use Wireshark to monitor a "Wifi-Direct" data exchange but I have no success.
Does Wireshark support WiFi-Direct?
I found many p2p_ tags in the Wireshark documentation, but I fear they may be related to another p2p protocol. And there is nothing in the wiki nor in the User's Manual.

packet-dissector
asked 2022-12-03 21:16:57 +0000

Comments

There's "support" as in "is able to capture", and there's "support" as in "is able to dissect those aspects of 802.11's packet formats that pertain to WiFi Direct".

About which of those are you asking?

Guy Harris (2022-12-03 23:01:27 +0000)

@GuyHarris Thank you Guy. It's possibly my fault if it does not work. Is there a special procedure to start to capture Wifi-Direct? Will the Wifi-Direct packets be interspersed in 802.11 packets?

packet-dissector (2022-12-04 19:39:46 +0000)

1 Answer


There are two types of sniffing that can be done on Wi-Fi with a personal computer:

  1. capturing traffic sent from or to a particular interface on the computer;
  2. "monitor mode" sniffing for all traffic on a given Wi-Fi channel.

For the first type of sniffing - which would require that you run a capture program, such as Wireshark, on one of the machines involved with the data transfer - you capture on some interface, with "monitor mode" turned off. That will show you all the Data frames that are received by the interface and provided to the host running the capture program, as well as all Data frames that the host running the capture program attempts to transmit on that interface.

I know of no operating systems on which this will provide any Control or Management frames.

The Wi-Fi Direct specification, version 1.9, indicates that at least some of the setup involves Management frames such as Probe Request frames, so you can't see that part.

If it's transferring data, rather than setting up or managing the connection, that should involve Data frames, and thus should show up.

Note, however, that the spec also says that

A P2P Device can operate concurrently with a WLAN (infrastructure network). Such a device is considered a P2P Concurrent Device. The concurrent operation requires a device to support multiple MAC entities. ... The dual MAC functionality can be provided via two separate physical MAC entities each associated with its own PHY entity, two virtual MAC entities over one PHY entity, or any other approach. Implementation of multiple MAC functionality is out of scope of this specification.

and, on at least some operating systems, that might manifest itself as two separate network interface devices for the two MAC entities, even if they're both implemented on one physical Wi-Fi interface ("two virtual MAC entities over one PHY entity"). So, if the machine is associated with a Wi-Fi network and making a Wi-Fi Direct data transfer, you would have to find out how that works on the operating system on which you're doing the transfer and running Wireshark, and you might have to use the appropriate network interface as the capture device.

For the second type of sniffing - which could be done with a machine separate from the two machines doing the transfer, and might be able to be done on one of the machines doing the transfer - you would have to be running on an operating system on which monitor mode is supported, and have a Wi-Fi adapter that supports monitor mode. For information on setting up monitor mode, see the CaptureSetup/WLAN page from the Wireshark Wiki.

In monitor mode, all frames captured by the adapter and provided to the host should be visible (including frames that get an FCS error or other errors), including Control and Management frames.

Unlike non-monitor-mode sniffing, if the network is "protected" - meaning the Data frames, and possibly some Management frames, are encrypted - the frames will be handed to ...

Guy Harris
answered 2022-12-05 23:00:42 +0000

Comments

Thanks Guy. I already do WiFi monitoring and I'm familiar with Radiotap and decrypting wifi packets. But I now want to study Wifi-Direct and my questions are about Wireshark. First I'm surprised there is nothing about WiFi-direct in the wiki nor in User's Manual. Is wifi-direct handled by 802.11 dissector? Is there a display filter I can use to select only wifi-direct packets? Do you know a Linux tool to display a list of channels with active wifi-direct conversations?

packet-dissector (2022-12-06 21:52:23 +0000)

First I'm surprised there is nothing about WiFi-direct in the wiki nor in User's Manual. Is wifi-direct handled by 802.11 dissector?

Wi-Fi Direct is not a separate protocol. The Wikipedia article for Wi-Fi Direct gives an overview, and the Wi-Fi Direct Specification gives the full details. See section 4 for details; Wireshark does have code to dissect the 802.11 Vendor Specific information elements for Wi-Fi P2P.

Is there a display filter I can use to select only wifi-direct packets?

That depends on what you mean by "Wi-Fi Direct packets". Data transfers are no different from any other 802.11 data transfer, so the best thing to do for that would be to look for IP frames sent between the two hosts' IP addresses. If you want the Management frames, you might try wlan.tag.oui == 50:6F:9A && wlan.tag.vendor.oui.type == 0x09.

Guy Harris (2022-12-10 03:19:52 +0000)
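The display filter in the comment above matches a Vendor Specific element carrying the Wi-Fi Alliance OUI 50:6F:9A with OUI type 0x09, which is the P2P IE. The following is an added Python example, not code from this thread or from Wireshark, that applies the same test to a raw management frame body and then splits the P2P IE into its attributes, including the case where one P2P IE is fragmented across several elements. The frame bodies are constructed samples; the attribute IDs 2 and 6 (P2P Capability, Listen Channel) come from the P2P specification, which this page does not list.

```python
import struct
from typing import Dict, Optional

WFA_OUI = bytes.fromhex("506f9a")  # Wi-Fi Alliance OUI from the display filter above
P2P_OUI_TYPE = 0x09                # WFA OUI type 0x09 = Wi-Fi P2P IE
VENDOR_SPECIFIC_TAG = 0xDD         # 802.11 element ID 221 (Vendor Specific)

def parse_ies(body: bytes):
    """Yield (element_id, value) for each information element in a management frame body."""
    off = 0
    while off + 2 <= len(body):
        tag, ln = body[off], body[off + 1]
        val = body[off + 2:off + 2 + ln]
        if len(val) != ln:  # truncated element: stop rather than mis-parse the tail
            break
        yield tag, val
        off += 2 + ln

def p2p_ie_payload(body: bytes) -> Optional[bytes]:
    """Concatenated attribute bytes of every P2P vendor IE, or None if the frame has none.
    A P2P IE longer than 255 bytes is split over several Vendor Specific elements, so join them."""
    chunks = [v[4:] for t, v in parse_ies(body)
              if t == VENDOR_SPECIFIC_TAG and len(v) >= 4 and v[:3] == WFA_OUI and v[3] == P2P_OUI_TYPE]
    return b"".join(chunks) if chunks else None

def parse_p2p_attributes(payload: bytes) -> Dict[int, bytes]:
    """Split a P2P IE payload into {attribute_id: body}; each attribute is id(1) + length(2, LE) + body."""
    attrs: Dict[int, bytes] = {}
    off = 0
    while off + 3 <= len(payload):
        attr_id, ln = payload[off], struct.unpack_from("<H", payload, off + 1)[0]
        val = payload[off + 3:off + 3 + ln]
        if len(val) != ln:  # attribute cut short (e.g. only one fragment of a split IE)
            break
        attrs[attr_id] = val
        off += 3 + ln
    return attrs

# Constructed sample frame bodies (not captured traffic). Attribute IDs 2 and 6 are
# P2P Capability and Listen Channel per the P2P spec; this page does not list them.
def ie(tag: int, val: bytes) -> bytes: return bytes([tag, len(val)]) + val
def p2p_attr(aid: int, val: bytes) -> bytes: return bytes([aid]) + struct.pack("<H", len(val)) + val
P2P_HDR = WFA_OUI + bytes([P2P_OUI_TYPE])
P2P_BODY = p2p_attr(2, b"\x25\x2a") + p2p_attr(6, b"XX\x04\x51\x0b")
SAMPLE_PROBE_REQ = (ie(0, b"DIRECT-") + ie(1, bytes([0x8c, 0x12, 0x98, 0x24]))
    + ie(VENDOR_SPECIFIC_TAG, bytes.fromhex("0050f2") + b"\x02\x00\x01\x00")  # Microsoft WMM IE, not P2P
    + ie(VENDOR_SPECIFIC_TAG, P2P_HDR + P2P_BODY))
FRAGMENTED_PROBE_REQ = (ie(0, b"DIRECT-") + ie(VENDOR_SPECIFIC_TAG, P2P_HDR + P2P_BODY[:4])
    + ie(VENDOR_SPECIFIC_TAG, P2P_HDR + P2P_BODY[4:]))  # one attribute split across two elements
PLAIN_PROBE_REQ = ie(0, b"") + ie(1, bytes([0x8c, 0x12]))
```

Parsing only the first fragment of the split IE yields no attributes, which is why the payloads are joined before attribute parsing.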
