Wireshark mailing list archives

Re: Capturing Wi-Fi traffic to/from Modem


From: Evan Huus <eapache () gmail com>
Date: Sat, 12 Jul 2014 11:53:53 -0400

On Sat, Jul 12, 2014 at 11:40 AM, GaryT <gary () taig net> wrote:

On my desktop I have Wireshark Version 1.11.0 running on Linux
2.6.32-55-generic.

I'm slowly moving over to a laptop which of course is Wireless.

The Laptop is:
  ThinkPad R500
  Core 2 Duo P8400
  2.26 GHz
  2048MB RAM
  BIOS V207 (Feb 2009)

Have loaded the default Canonical Wireshark (v1.10.6 from master-1.10)
onto the laptop and found it was monitoring only Bluetooth, and of course,
it captured no packets. There was no option to monitor Wi-Fi traffic. Big
lesson #1.  It's not that simple.

Generally I'm interested only in the traffic to/from the wireless modem
(ie. Internet). Have now switched off Bluetooth, because I don't use it.
I'd also like to know a bit about how to detect and protect from rogue
wireless attacks, if that's at all relevant.

Notwithstanding all that, I want to maintain the capability of connecting
the laptop to my big monitor with perhaps a short Ethernet cable to the
modem. That may be a whole new discussion but learn I must.

Searched and found a 6000 word document on the Wireshark.Org site...


WLAN (IEEE 802.11) capture setup
--------------------------------
The following will explain capturing on 802.11 wireless networks (WLAN).


By the time I read half way through that doc the old head was spinning. So
many things to consider, so many options and possibilities for someone
whose knowledge of Wi-Fi is about as solid as his knowledge of the
atmosphere on Mars.  Memorising, even understanding that overall flow chart
is beyond my current capability.

I need help to discover the card and drivers etc on the laptop and someone
(or some folks) to hold my hand and show me how to:

(1) identify and obtain the correct version of Wireshark
(Perhaps the current v1.10.6 is enough)


It should be.


(2) identify the Laptop card and drivers etc in order to determine how to get
Wireshark capturing 802.11 packets.


First step is to be able to use the wifi to e.g. browse the web; it's not
clear from your email if that's even the case. If that's already working,
then capturing "cooked" packets (with all the IEEE802.11 headers,
encryption, etc. stripped and replaced with fake ethernet headers) should
be as simple as pointing Wireshark at your wlan0 interface. If Wireshark
doesn't display any wlan* interfaces even though you have working wifi,
that's *weird* and possibly a bug.

Do you have sufficient permissions to view those interfaces? If you just
installed the default Wireshark (which is actually inherited from Debian,
so Canonical doesn't have much to do with it) then normal users aren't
given permission to capture packets by default. You should follow the
instructions in [1] to give regular users permission to capture packets.

Once you can capture cooked packets, capturing "raw" packets (with all the
IEEE802.11 headers etc) should be as simple as checking the "monitor mode"
box in the capture options dialogue box, assuming your version of Wireshark
is recent enough (which 1.10.* should be).

[1]
http://anonscm.debian.org/viewvc/collab-maint/ext-maint/wireshark/trunk/debian/README.Debian?view=markup

From that (above) document I'm aware of many snippets of info, for example:

[The "monitor mode enabled on mon0" means that you must then capture on
the "mon0" interface, not on the "wlan0" interface, to capture in monitor
mode. To turn monitor mode off, you would use a command such as sudo
airmon-ng stop mon0, not sudo airmon-ng stop wlan0.]

But, learning them all, understanding them and applying them in the right
order is beyond the capacity of this tired old brain.
I can drive nails, as a younger man I designed software for many years but
this little house will be built from strange new materials.

Greatly appreciate any help, pointers, comments.
Wouldn't it be terrific if someone wrote, "All you need to do is..."
GaryT
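The three things the reply above tells Gary to check (a wireless interface the kernel knows about, non-root permission to run dumpcap, and a driver that advertises monitor mode) as a small added diagnostic script. This is not code from the thread or from the Wireshark project; the `wireshark` group and the dumpcap file capabilities are the Debian README arrangement Evan links, the function names are assumptions, and the `--live` section assumes `iw` and `getcap` are installed.

```shell
#!/bin/sh
# Capture-readiness check for the three things Evan raises: a wireless interface
# the kernel knows about, permission for a normal user to run dumpcap, and a
# driver that advertises monitor mode.  The 'wireshark' group and the dumpcap
# capabilities follow the Debian README linked above; function names are mine.

# Print interfaces that sysfs flags as wireless.  $1 overrides the sysfs root so
# the check can be exercised against a constructed directory tree.
wireless_ifaces() {
    root="${1:-/sys/class/net}"
    for d in "$root"/*/; do
        [ -d "${d}wireless" ] && basename "$d"
    done
    return 0
}

# Non-root capture on Debian needs both: membership of the 'wireshark' group
# (dumpcap is group-executable only) and cap_net_raw+cap_net_admin on dumpcap.
# $1 is the user's group list (`id -Gn`), $2 the output of `getcap` on dumpcap.
can_capture() {
    grp_list="$1"; caps="$2"; in_group=1
    for g in $grp_list; do [ "$g" = wireshark ] && in_group=0; done
    case "$caps" in
        *cap_net_admin*cap_net_raw*|*cap_net_raw*cap_net_admin*) has_caps=0 ;;
        *) has_caps=1 ;;
    esac
    [ "$in_group" -eq 0 ] && [ "$has_caps" -eq 0 ]
}

# True if `iw phy` output ($1) lists monitor among the supported interface modes.
supports_monitor() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*\* monitor$'
}

# Live run on the real laptop: sh check.sh --live   (needs iw and getcap)
if [ "${1:-}" = "--live" ]; then
    for i in $(wireless_ifaces); do echo "wireless interface: $i"; done
    if can_capture "$(id -Gn)" "$(getcap /usr/bin/dumpcap 2>/dev/null)"; then
        echo "non-root capture: ok, point Wireshark at wlan0"
    else
        echo "non-root capture: no; run 'sudo dpkg-reconfigure wireshark-common',"
        echo "  add yourself to the 'wireshark' group and log in again"
    fi
    if supports_monitor "$(iw phy 2>/dev/null)"; then
        echo "monitor mode: advertised by the driver (raw 802.11 frames possible)"
    else
        echo "monitor mode: not advertised; cooked (ethernet-style) capture only"
    fi
fi
```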



___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
