Wireshark mailing list archives
Re: Capturing Wi-Fi traffic to/from Modem
From: Guy Harris <guy () alum mit edu>
Date: Sun, 13 Jul 2014 11:08:17 -0700
On Jul 12, 2014, at 9:47 PM, GaryT <gary () taig net> wrote:
On 13/07/14 01:53, Evan Huus wrote:
Do you have sufficient permissions to view those interfaces? If you just
It's my laptop, my Wi-Fi capable cable modem, my home office, I have all the authority I need Evan. Nobody else has any access to it.
"Permissions" here doesn't mean "do you, as a human, have permission, granted by another human", it means "does the program doing the capturing have permission, granted by the operating system"?
However, seriously I wonder whether I'm actually using Wireshark as root on this desktop unit. I remember reading some deep and meaningful discussion about the subject and apparently there is a potential security issue running WS as root from a terminal;
There's a potential security issue running *any* code as root, especially code that has to parse data that comes over the network, because a bug in that code could, in some cases, mean that cleverly-formed packets could inject code into the program in question and run it - meaning run it as root.

As one of the README files in the Wireshark source says:

    In versions up to and including 0.99.6, it was necessary to run Wireshark with elevated privileges in order to be able to capture traffic. With version 0.99.7, all function calls that require elevated privileges have been moved out of the GUI to dumpcap.

    WIRESHARK CONTAINS OVER TWO MILLION LINES OF SOURCE CODE. DO NOT RUN THEM AS ROOT.

So, on Linux, the idea is that the dumpcap program, which is part of Wireshark, would run with sufficient privileges to capture packets; it does not parse packets, so there's no packet-parsing code at risk there.

Evan's instructions with "sudo dpkg-reconfigure" arrange that dumpcap will run with sufficient privileges to capture (which doesn't mean "root privileges", at least with newer versions of Linux such as the one you're running; that's a bit safer).
all I do is click the Wireshark icon in the System Tools menu. Frankly I don't know whether I'm running it as root or not!
You're probably not, which is why no interfaces are showing up.
Once you can capture cooked packets, capturing "raw" packets (with all the IEEE802.11 headers etc.) should be as simple as checking the "monitor mode" box in the capture options dialogue box, assuming your version of Wireshark is recent enough (which 1.10.* should be).
For this bit I had to turn on Bluetooth in order to get an interface list on the screen.
The capture mechanism for Bluetooth is different from the capture mechanism for "regular" interfaces such as Ethernet and Wi-Fi; it might not require elevated privileges.
There is a column titled 'Mon. Mode' (presumably monitor mode), and in that column (against Bluetooth) it shows n/a (i.e. not applicable). On that same note, my desktop Wireshark v1.11.0 where I'm writing this also shows n/a in the Mon. Mode column of ALL the three available interfaces. They are:
eth0 Interface to the big wide Ethernet world.
any I don't know what "any" would be
It's a special pseudo-interface that captures incoming and outgoing traffic on all "regular" interfaces (in the sense described above); it doesn't support promiscuous mode or monitor mode.
So, a Question: Can I assume that the n/a means not applicable ONLY because the interfaces I have on this desktop unit are not IEEE802.11 ?
Yes.
But, the laptop also has its Mon. Mode column marked n/a against Bluetooth. Doesn't BT come under IEEE802.11 ??
No. It's a completely different radio-based network technology. The problem is probably that dumpcap doesn't have permission to open any interfaces other than the Bluetooth interface; the solution is probably the instructions Evan gave:
1. Run "sudo dpkg-reconfigure wireshark-common" and select that Yes, non-superusers should be able to capture packets.
2. Add your user to the "wireshark" group (not sure if there's a UI for this in settings somewhere; if not, use "usermod -a -G wireshark $username", possibly with sudo in front).
3. Log out and back in for that to take effect.
Once you've done that, Wireshark should, on your laptop, show the "any" and "lo" device, and will probably show an "eth0" device for its Ethernet and a device with some other name, perhaps "wlan0", for your Wi-Fi device.

However, once you've done that, the monitor mode checkbox won't necessarily work; you might have to use the airmon-ng steps. First make sure the aircrack-ng package (which I think Ubuntu offers) is installed, and then, if you have a wlan0 device, do

    sudo airmon-ng start wlan0

It will probably print out something such as

    Interface    Chipset              Driver
    wlan0        Intel 4965 a/b/g/n   iwl4965 - [phy0]
                                      (monitor mode enabled on mon0)

(although the "Intel 4965 a/b/g/n", in the "Chipset" column, and the "iwl4965", in the "Driver" column, might be different).

The "monitor mode enabled on mon0" means that you must then capture on the "mon0" interface, not on the "wlan0" interface, to capture in monitor mode.

When you're finished capturing, you'd want to turn monitor mode off. To turn monitor mode off, you would use a command such as

    sudo airmon-ng stop mon0

If, instead, "sudo airmon-ng start wlan0" prints something that doesn't mention a "mon0" device, you should capture on the "wlan0" interface and, when done, do

    sudo airmon-ng stop wlan0

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org?subject=unsubscribe
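As an added example, not part of Guy's message, Evan's instructions or Wireshark's own code: a small POSIX shell script that checks the two things the message above hinges on (that dumpcap, rather than the GUI, holds the capture privilege, and holds it as file capabilities rather than as setuid root; and that the user is actually in the "wireshark" group in the current login session) and that picks the interface to capture on from what airmon-ng printed, falling back to the base device when no "mon0" is announced. The sample airmon-ng outputs are constructed, modelled on the one in the message; the path /usr/bin/dumpcap (the Debian/Ubuntu location) and all function names are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the thread or from Wireshark. Assumes dumpcap lives at
# /usr/bin/dumpcap (the Debian/Ubuntu path); the function names are made up here.

# How does dumpcap get its capture privilege? $1 is the octal mode from
# "stat -c %a", $2 is the output of "getcap". Setuid root means any bug in
# dumpcap runs as root; file capabilities (what "dpkg-reconfigure
# wireshark-common" sets up on newer Linux) grant only cap_net_raw/cap_net_admin.
classify_privs() {
    mode="$1"
    caps="$2"
    case "$mode" in
        4*) printf 'setuid-root\n'; return 0 ;;
    esac
    case "$caps" in
        *cap_net_raw*|*cap_net_admin*) printf 'capabilities\n' ;;
        *) printf 'unprivileged\n' ;;
    esac
}

# Is group $1 in the space-separated list $2 (as printed by "id -nG")?
# "id -nG" reflects the current login session, which is why a fresh login
# is needed after "usermod -a -G wireshark". $2 is deliberately unquoted
# so the shell splits it into words.
in_group() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# Pick the interface to capture on. $1 is the base device given to
# "airmon-ng start", $2 is what airmon-ng printed. If it announced
# "monitor mode enabled on monX", capture on monX; otherwise the driver put
# the base device itself into monitor mode, so capture on that.
capture_iface() {
    base="$1"
    output="$2"
    mon=$(printf '%s\n' "$output" \
          | sed -n 's/.*monitor mode enabled on \([A-Za-z0-9]*\).*/\1/p' \
          | head -n 1)
    if [ -n "$mon" ]; then
        printf '%s\n' "$mon"
    else
        printf '%s\n' "$base"
    fi
}

# The matching command to turn monitor mode off again when done.
stop_cmd() {
    printf 'sudo airmon-ng stop %s\n' "$(capture_iface "$1" "$2")"
}

# Constructed sample outputs, modelled on the thread (not real airmon-ng runs).
SAMPLE_WITH_MON='Interface    Chipset              Driver
wlan0        Intel 4965 a/b/g/n   iwl4965 - [phy0]
                                  (monitor mode enabled on mon0)'
SAMPLE_WITHOUT_MON='Interface    Chipset              Driver
wlan0        (unknown)            iwlwifi - [phy0]'

# Live report for this machine (results vary; the functions above are the point).
report() {
    bin=/usr/bin/dumpcap
    if [ -x "$bin" ]; then
        printf 'dumpcap privilege model: %s\n' \
            "$(classify_privs "$(stat -c %a "$bin" 2>/dev/null)" "$(getcap "$bin" 2>/dev/null)")"
    else
        printf 'dumpcap not found at %s\n' "$bin"
    fi
    if in_group wireshark "$(id -nG 2>/dev/null)"; then
        printf 'user is in the wireshark group\n'
    else
        printf 'user is NOT in the wireshark group (usermod -a -G wireshark, then log out and in)\n'
    fi
    printf 'after airmon-ng, capture on: %s\n' "$(capture_iface wlan0 "$SAMPLE_WITH_MON")"
    printf 'when done: %s\n' "$(stop_cmd wlan0 "$SAMPLE_WITH_MON")"
}
report
```

The privilege check is the security-relevant part: a dumpcap reported as "setuid-root" means the capture helper runs with full root, which is the situation the README quoted above warns against, whereas "capabilities" is the arrangement "dpkg-reconfigure wireshark-common" is meant to produce. The interface choice mirrors the last paragraphs of the message: capture on "mon0" only if airmon-ng said so, otherwise on the base device, and stop monitor mode on whichever one you captured on.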
Current thread:
- Wireshark Bluetooth Paul Raine (Jul 08)
- Re: Wireshark Bluetooth Guy Harris (Jul 08)
- <Possible follow-ups>
- Re: Wireshark Bluetooth Guy Harris (Jul 11)
- Capturing Wi-Fi traffic to/from Modem GaryT (Jul 12)
- Re: Capturing Wi-Fi traffic to/from Modem Evan Huus (Jul 12)
- Re: Capturing Wi-Fi traffic to/from Modem Guy Harris (Jul 12)
- Re: Capturing Wi-Fi traffic to/from Modem GaryT (Jul 12)
- Re: Capturing Wi-Fi traffic to/from Modem Evan Huus (Jul 13)
- Re: Capturing Wi-Fi traffic to/from Modem GaryT (Jul 13)
- Re: Capturing Wi-Fi traffic to/from Modem GaryT (Jul 27)
- Re: Capturing Wi-Fi traffic to/from Modem Guy Harris (Jul 13)
- Re: Capturing Wi-Fi traffic to/from Modem GaryT (Jul 14)
- Re: Capturing Wi-Fi traffic to/from Modem GaryT (Jul 27)
- Re: Capturing Wi-Fi traffic to/from Modem Guy Harris (Jul 27)
- Re: Capturing Wi-Fi traffic to/from Modem GaryT (Jul 28)
- Capturing Wi-Fi traffic to/from Modem GaryT (Jul 12)
- Re: Capturing Wi-Fi traffic to/from Modem Guy Harris (Jul 12)