Wireshark mailing list archives

Re: Capturing Wi-Fi traffic to/from Modem


From: Guy Harris <guy () alum mit edu>
Date: Sat, 12 Jul 2014 16:58:57 -0700


On Jul 12, 2014, at 8:40 AM, GaryT <gary () taig net> wrote:

> Searched and found a 6000 word document on the Wireshark.Org site...

Yes, that's what happens when OSes make it complicated to select monitor mode, and people could be using a wide variety 
of different versions of different OSes, and different versions of Wireshark, and ask about capturing on Wi-Fi with all 
of them.

Perhaps the page should be split into subpages for different OSes, with the top-level page linking to the subpages.

> (2) identify the Laptop card and drivers etc in order to determine how to get Wireshark capturing 802.11 packets.

If libnl weren't such a pain (see below), libpcap (the library that Wireshark uses for packet capturing) would render 
that irrelevant.

However, even given that:

> From that (above) document I'm aware of many snippets of info, for example:
>
> [The "monitor mode enabled on mon0" means that you must then capture on the "mon0" interface, not on the "wlan0"
> interface, to capture in monitor mode. To turn monitor mode off, you would use a command such as sudo airmon-ng stop
> mon0, not sudo airmon-ng stop wlan0.]

airmon-ng should be able to render it mostly irrelevant; read the discussion of it in there and follow the 
admittedly-somewhat-complicated instructions.

> Greatly appreciate any help, pointers, comments.
> Wouldn't it be terrific if someone wrote, "All you need to do is..."

Wouldn't it be terrific if operating system providers didn't make it Really Complicated to turn monitor mode on, so 
that software developers (which, in this question, unfortunately means "me") don't have to write code that goes through 
hoops to do so?

Sadly, they didn't, and I haven't had the time to fix libpcap so that the code I wrote to turn monitor mode on doesn't 
depend on a library with multiple incompatible versions (meaning that it's unsafe to have libpcap use it, as all hell 
breaks loose if a program using libpcap is linked with one version and libpcap is linked with another), to allow that 
code to actually be *present* in Linux distributions (as opposed to being configured out).

So, yes, monitor mode in Wireshark is a bit of a steaming heap of suck on Linux (and, for other reasons, on platforms 
other than OS X).

However, be aware that, on a "protected" Wi-Fi network (one using encryption), it is *BY DESIGN* a bit complicated to 
sniff the network - the "protection" is against people sniffing network traffic.  See

        http://wiki.wireshark.org/HowToDecrypt802.11

for a discussion of *that*.  (If your network *isn't* "protected", somebody near it may be able to capture your network 
traffic; if the traffic is encrypted at a higher level, such as with HTTPS, they shouldn't be able to see anything at 
that level, but they'll still be able to see things at lower levels.)
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
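As an added example (not code from the thread or from the Wireshark project), a small POSIX shell wrapper that follows the advice quoted above: it starts monitor mode with airmon-ng, reads the monitor interface name from airmon-ng's own output instead of assuming it, captures on that interface (mon0, not wlan0), and stops monitor mode on that same interface afterwards. It assumes the "monitor mode enabled on <iface>" wording quoted in the thread and that tcpdump is installed; the sample airmon-ng output is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps airmon-ng so that the
# capture and the teardown both use the monitor interface airmon-ng reports.

# Constructed sample of the airmon-ng output wording quoted in the thread.
AIRMON_SAMPLE='Interface	Chipset		Driver

wlan0		Atheros		ath9k - [phy0]
				(monitor mode enabled on mon0)'

# Print the interface named in a "(monitor mode enabled on <iface>)" line,
# or nothing if the output does not contain that wording.
monitor_iface_from_output() {
    printf '%s\n' "$1" |
        sed -n 's/.*monitor mode enabled on \([A-Za-z0-9_.-]*\).*/\1/p' |
        head -n 1
}

# Start monitor mode on the base interface $1 (e.g. wlan0), capture $2
# frames into the pcap file $3, then stop monitor mode. Needs root.
# Not exercised by the test below, which only checks the parser.
capture_monitor() {
    base="$1"; count="$2"; out="$3"
    airmon_out=$(airmon-ng start "$base" 2>&1)
    mon=$(monitor_iface_from_output "$airmon_out")
    if [ -z "$mon" ]; then
        echo "no 'monitor mode enabled on' line in airmon-ng output:" >&2
        printf '%s\n' "$airmon_out" >&2
        return 1
    fi
    # Capture on the monitor interface (mon0), not on the base interface.
    tcpdump -i "$mon" -c "$count" -w "$out"
    status=$?
    # Tear down with the monitor interface, as the quoted wiki text says,
    # not with "airmon-ng stop wlan0".
    airmon-ng stop "$mon" >/dev/null 2>&1
    return $status
}
```

Usage: `capture_monitor wlan0 200 capture.pcap` as root; the resulting file opens in Wireshark as 802.11 frames, and decrypting a protected network's traffic still requires the steps on the HowToDecrypt802.11 wiki page linked above.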
