Wireshark mailing list archives

Re: How Wireshark supports monitor mode for WLAN 802.11 adapter in Windows?


From: Yang Luo <hsluoyb () gmail com>
Date: Fri, 1 Jan 2016 22:11:23 +0800

Hi Alexis,

In
https://github.com/wireshark/wireshark/blob/98f64de11525667b3f6b0a5bd7d5a5a8eeeb2ad4/cmake/modules/FindPCAP.cmake,
I found that if WIN32 macro is defined, HAVE_PCAP_CREATE will never be set
as below:
if( WIN32 )
  #
  # This is always the case with WinPcap.
  #
  set(CAN_SET_CAPTURE_BUFFER_SIZE TRUE)
else()
  check_function_exists( "pcap_create" HAVE_PCAP_CREATE )
  if ( HAVE_PCAP_CREATE )
    #
    # For libpcap, we can set the buffer size if we have pcap_create().
    #
    set( CAN_SET_CAPTURE_BUFFER_SIZE TRUE )
  endif()
endif()

So I think a suitable modification would be adding check_function_exists(
"pcap_create" HAVE_PCAP_CREATE ) to Win32 too, as below:
if( WIN32 )
  #
  # This is always the case with WinPcap.
  #
  check_function_exists( "pcap_create" HAVE_PCAP_CREATE )  # <----------------- add this
  set(CAN_SET_CAPTURE_BUFFER_SIZE TRUE)
else()
  check_function_exists( "pcap_create" HAVE_PCAP_CREATE )
  if ( HAVE_PCAP_CREATE )
    #
    # For libpcap, we can set the buffer size if we have pcap_create().
    #
    set( CAN_SET_CAPTURE_BUFFER_SIZE TRUE )
  endif()
endif()

As WinPcap always has the pcap_create function, HAVE_PCAP_CREATE will
always be set. In Wireshark the monitor UI elements like buttons will
always show up. I think this is inevitable as this is a compile-time option
instead of a run-time option. If a user clicks this button without a
monitor-supported NIC, we just show him the error message box. How about
this processing?


On Wed, Dec 30, 2015 at 9:38 PM, Alexis La Goutte <alexis.lagoutte () gmail com> wrote:

Hi Yang,

Good idea! (I like it)

There is a "Monitor" column in Wireshark, but it needs
SHOW_MONITOR_COLUMN (HAVE_PCAP_CREATE) to be enabled (see
ui/qt/capture_interfaces_dialog.cpp).

But the column will look not available on Windows...

Cheers


On Wed, Dec 30, 2015 at 8:29 AM, Yang Luo <hsluoyb () gmail com> wrote:

Hi list,

I am considering adding native 802.11 packet capturing support (including
management and control frames) in Npcap. This is possible because Microsoft
Network Monitor already implements this feature for Vista and later.

To enable capturing these packets, we need to switch on the Wi-Fi
adapter's monitor mode. With the help of Guy (
http://stackoverflow.com/questions/34507789/how-to-enable-802-11-monitor-mode-dot11-operation-mode-network-monitor-in-a-nd),
I know some stuff about it. On the NDIS side, there's an OID called
OID_DOT11_CURRENT_OPERATION_MODE to set and get the current operation mode
of the adapter. Possible values are DOT11_OPERATION_MODE_NETWORK_MONITOR
(monitor mode) and DOT11_OPERATION_MODE_EXTENSIBLE_STATION (non-monitor
mode). There's no way to check whether an adapter supports
monitor mode or not.

In Npcap's libpcap/wpcap part, I have added the monitor mode support by
changing two places, I don't know if this is the right way:

1) pcap_activate_win32 function in \wpcap\libpcap\pcap-win32.c:
https://github.com/nmap/npcap/blob/master/wpcap/libpcap/pcap-win32.c
Line 569

if (p->opt.rfmon) {
    /*
     * No monitor mode on Windows XP and earlier.  It could be done on
     * Vista with drivers that support the native 802.11
     * mechanism and monitor mode.
     */
    DOT11_CURRENT_OPERATION_MODE operation_mode;
    operation_mode.uCurrentOpMode = DOT11_OPERATION_MODE_NETWORK_MONITOR;
    if (pcap_oid_set_request_win32(p, OID_DOT11_CURRENT_OPERATION_MODE,
        &operation_mode, sizeof(DOT11_CURRENT_OPERATION_MODE)) != 0)
        return (PCAP_ERROR_RFMON_NOTSUP);
}

So instead of the original return (PCAP_ERROR_RFMON_NOTSUP);, this code
will set the monitor mode of the adapter.

2) pcap_cant_set_rfmon function in wpcap\libpcap\pcap.c:
https://github.com/nmap/npcap/blob/master/wpcap/libpcap/pcap.c
Line 98

/*
 * For systems where rfmon mode is never supported.
 */
static int
pcap_cant_set_rfmon(pcap_t *p _U_)
{
    return (1);
    // return (0);
}

I changed this function to always return 1, which means "supported". I
know here I should check whether the adapter supports the monitor mode, but
I found no way to check. All I can do is to get/set the current mode using
the OID way above.

After all these changes, there's no change in Wireshark; I didn't find a
place to switch the monitor mode on/off like in Microsoft Network Monitor. So
I doubt whether Wireshark supports the monitor mode of WLAN in Windows? And
how does the Wireshark UI make use of the monitor mode? Thanks.


Cheers,
Yang


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org
?subject=unsubscribe
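
An added example, not part of the original thread and not code from Wireshark, Npcap or libpcap: the top message observes that HAVE_PCAP_CREATE is a compile-time switch, so this shows the run-time counterpart, loading the capture library with POSIX dlopen(), resolving pcap_create() and pcap_can_set_rfmon(), and asking whether one interface can enter monitor mode. The library name libpcap.so.1 and the interface wlan0 are assumptions, and probe_rfmon and the rfmon_state enum are hypothetical names; on Windows the same probe would use LoadLibrary/GetProcAddress on wpcap.dll.

```c
#include <dlfcn.h>
#include <stdio.h>

#define ERRBUF_SIZE 256            /* same value as libpcap's PCAP_ERRBUF_SIZE */

typedef struct pcap pcap_t;        /* opaque handle, as declared in <pcap.h> */
typedef pcap_t *(*create_fn)(const char *, char *);
typedef int (*can_rfmon_fn)(pcap_t *);
typedef void (*close_fn)(pcap_t *);

enum rfmon_state {                 /* hypothetical result codes for this example */
    RFMON_NO_LIBRARY  = -3,        /* capture library could not be loaded */
    RFMON_NO_API      = -2,        /* library lacks pcap_create()/pcap_can_set_rfmon() */
    RFMON_ERROR       = -1,        /* handle creation or the probe itself failed */
    RFMON_UNSUPPORTED =  0,
    RFMON_SUPPORTED   =  1
};

/* Ask the capture library, at run time, whether ifname can do monitor mode. */
enum rfmon_state probe_rfmon(const char *lib, const char *ifname)
{
    char errbuf[ERRBUF_SIZE];
    enum rfmon_state state = RFMON_NO_API;
    void *h = dlopen(lib, RTLD_NOW | RTLD_LOCAL);
    if (h == NULL)
        return RFMON_NO_LIBRARY;

    create_fn create = (create_fn)dlsym(h, "pcap_create");
    can_rfmon_fn can_rfmon = (can_rfmon_fn)dlsym(h, "pcap_can_set_rfmon");
    close_fn close_pcap = (close_fn)dlsym(h, "pcap_close");

    if (create != NULL && can_rfmon != NULL && close_pcap != NULL) {
        pcap_t *p = create(ifname, errbuf);   /* not activated: no capture starts */
        if (p == NULL) {
            state = RFMON_ERROR;
        } else {
            int rc = can_rfmon(p);            /* 1 = yes, 0 = no, < 0 = PCAP_ERROR_* */
            state = rc > 0 ? RFMON_SUPPORTED
                  : rc == 0 ? RFMON_UNSUPPORTED : RFMON_ERROR;
            close_pcap(p);
        }
    }
    dlclose(h);
    return state;
}

int main(void)
{
    /* Assumed names: adjust the library and interface for the local system. */
    printf("rfmon state: %d\n", probe_rfmon("libpcap.so.1", "wlan0"));
    return 0;
}
```

A UI can use the result to grey out the monitor control per interface instead of showing it everywhere and reporting the failure only after the user clicks.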


