First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

if i run a Wi-Fi capture it drops if i login to a SSID

  • retag add tags

I keep getting "The network adapter on which the capture was being done is no longer running; the capture has stopped." I had previously installed wireshark with USB option, as well as SSH and UDP. Aside from this, I had Windows Hyper-V active. I turned off Hyper-V. And, I removed wireshark, USB and WINPCAP as well as SSH and UDP. Then I installed Wireshark again using defaults. The problem remained

Any ideas on how to resolve this to where I can have Wireshark running when I login to my SSID?

Thanks.

>

cquisenb's avatar
1
cquisenb
asked 2017-12-05 14:35:51 +0000, updated 2017-12-05 16:37:38 +0000
edit flag offensive 0 remove flag close merge delete

Comments

add a comment see more comments

1 Answer

0

If you want to capture air traffic in monitoring mode, i.e. including the unicast traffic unrelated to the machine on which you capture, not all wireless adapters permit to do that while associated to a particular SSID. If it is enough for you to capture your own traffic, do not activate monitoring mode and you'll be good. If you need both (capture everything and stay connected), your only chance may be to use a second wireless adaptor.

sindy's avatar
6.2k
sindy
answered 2017-12-05 14:47:08 +0000
edit flag offensive 0 remove flag delete link
more

Comments

Your edit of the Question should have rather been a Comment to my Answer, so if you can re-post it as such, the clarity for anyone reading this later would be better - I can then delete this comment and re-post its topic-related part for the same reason of clarity.

To the topic - yes and no. Yes because the expected result for monitoring and promiscuous mode is the same, to make the interface let through to the capturing API also frames not intended for itself. No because the necessary configuration instructions to be sent to the driver are different, hence two different names. You can set a wireless driver/adaptor to promiscuous mode but it will not change anything as the lower layers won't receive the frames anyway; to change this, you need the monitoring mode.

As for the list of supported adaptors, I'm afraid no one tracks one ... (more)

sindy's avatar sindy (2017-12-05 15:54:16 +0000) edit
more
  • delete

I saw your answer:

Thanks. By monitoring mode, I assume you mean promiscuous. My adapter properties is:

Manufacturer: Intel Corporation Description: Intel(R) Dual Band Wireless-AC 8260 Driver Version: 19.50.0.11

Is there a list of support adapters?

cquisenb's avatar cquisenb (2017-12-05 16:37:43 +0000) edit
more
  • delete

By monitoring mode, I assume you mean promiscuous.

Yes and no. Yes because the expected result for monitoring and promiscuous mode is the same, to make the interface let through to the capturing API also frames not intended for itself. No because the necessary configuration instructions to be sent to the driver are different, hence two different names. You can set a wireless driver/adaptor to promiscuous mode but it will not change anything as the lower layers won't receive the frames anyway; to change this, you need the monitoring mode.

Is there a list of supported adapters?

I'm afraid no one systematically tracks that. What matters is even a combination of hardware and driver version, and while some (hw, driver) versions do support monitoring mode while associated, some do not and some do not even support monitoring mode as such.

More than that, the world of wireless ... (more)

sindy's avatar sindy (2017-12-05 19:02:49 +0000) edit
more
  • delete

not all wireless adapters permit to do that while associated to a particular SSID

According to Microsoft's documentation on Network Monitor mode, "While in NetMon mode, the miniport driver can only receive packets based on the current packet filter settings. The driver cannot send packets either on its own or through a call to its MiniportSendNetBufferLists function.", which pretty much means "you can be in monitor mode or you can be associated with a Wi-Fi network, but you can't do both". I.e., it may be a Windows requirement that the driver not allow you to capture in monitor mode while associated with a network, regardless of whether the adapter supports it.

(This is not a limitation imposed by other operating systems. My Mac, running macOS, has no problem doing it.)

Guy Harris's avatar Guy Harris (2017-12-05 23:14:20 +0000) edit
more
  • delete
add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer