This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have a USB dongle Wi-Fi device. - DEVICE INSTANCE = USB\VID_148F&PID_3070\1.0
(which translates to)
RALINK RT3070
Which integrates a CMOS RF, MAC, Baseband and USB interface into a single chip.
They fully comply with IEEE 802.11a/b/g/n and IEEE 802.11b/g/n
Drivers are Ralink - UTILITY = 4.1.3.0
DRIVER = 3.2.4.0
SDK = 1.1.2.0
Shows up as "Wireless Network Connection 8" at Windoze level.
Wireshark sees it as "IEEE 802.11 Wireless Card(Microsoft Packet Scheduler)"
I am running Win/XP Pro - ver 2002
service pack 3
Running Wireshark gives an error: - The capture session could not be initiated
(failed to set hardware filter to promiscuous mode).
Please check that
"\Device\NPF_{E5B3D4C9-249B-409F-BDCC-5A9881706AA8}" is the proper interface.
Help can be found at:
http://wiki.wireshark.org/WinPcap
http://wiki.wireshark.org/CaptureSetup
Wireshark help seems to indicate USB devices can't be monitored in Windoze - which leaves me very confused since my Air-Pcap USB dongle works just fine under XP.
What does Air-Pcap have that Ralink doesn't???
Can the Ralink RT3070 device be made to work with Wireshark???
GPW would like to know.

asked 06 Apr '12, 23:29

roboprogramer


It should perhaps also have directed you to http://wiki.wireshark.org/CaptureSetup/WLAN, which says

Windows

Capturing WLAN traffic on Windows depends on WinPcap and on the underlying network adapters and drivers. Unfortunately, most drivers/adapters support neither monitor mode, nor seeing 802.11 headers when capturing, nor capturing non-data frames.

Promiscuous mode can be set; unfortunately, it's often crippled. In this mode many drivers don't supply packets at all, or don't supply packets sent by the host.

If you experience any problems capturing packets on WLANs, try to switch promiscuous mode off. In this case you will have to capture traffic on the host you're interested in.

This is because:

  1. WinPcap uses version 5, rather than version 6, of the "NDIS" interface for connecting to the Windows networking stack, and NDIS version 5 doesn't support "native Wi-Fi" and thus doesn't support "monitor mode";
  2. even if it did support NDIS version 6, Windows XP doesn't, so you'd have to run Vista or 7 to get that;
  3. Microsoft's specifications for Wi-Fi drivers, as I remember, essentially say that promiscuous mode is not allowed to work.

AirPcap devices aren't regular Wi-Fi adapters; they're special devices for passively capturing Wi-Fi traffic, so they don't use the "NDIS" interface, and thus can do things you can't do with WinPcap and regular Wi-Fi adapters.

Other operating systems, such as Linux, and {Free,Net,Open,DragonFly}BSD, don't have those limitations; an RT3070 device might support capturing in monitor mode, depending on the capabilities of the hardware and the driver.

If all you want to do is capture traffic to and from your machine, that should work even on Windows - just turn promiscuous mode off and see whether that works.

(As for USB, if the Wireshark help referred you to, or said something similar to, what http://wiki.wireshark.org/CaptureSetup/USB said, what it's saying is not that you can't capture on USB network adapters - Wireshark doesn't know anything special about USB network adapters, and neither does WinPcap or even the Windows networking stack, so they can't distinguish USB adapters from, for example, PCI adapters - it's saying that you can't capture raw USB traffic at the bus level on Windows the way you can on Linux.)

answered 07 Apr '12, 00:35

Guy Harris ♦♦
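The fallback suggested in the answer above (turn promiscuous mode off when the driver refuses it), as an added example that is not part of the original answer: a POSIX shell wrapper around dumpcap, the capture tool shipped with Wireshark. The function name, the CAPTURE_TOOL override and the file names are assumptions made for this example; on Windows it needs a POSIX shell such as Cygwin.

```shell
#!/bin/sh
# Added example (not from the original thread): try a capture in the default
# promiscuous mode and, if the driver rejects it, retry with dumpcap's -p
# option ("don't put the interface into promiscuous mode").
#
# CAPTURE_TOOL is an assumption of this example: it lets the logic be
# exercised with a stand-in command instead of the real dumpcap.
CAPTURE_TOOL="${CAPTURE_TOOL:-dumpcap}"

# capture_with_fallback IFACE OUTFILE [COUNT]
# Prints "promiscuous" or "non-promiscuous" to say which mode succeeded.
# Returns 1 (and replays the tool's error text) if neither attempt worked.
capture_with_fallback() {
    iface="$1"
    outfile="$2"
    count="${3:-100}"
    errlog="$(mktemp)"

    # First attempt: promiscuous mode (the default when -p is absent).
    if "$CAPTURE_TOOL" -i "$iface" -c "$count" -w "$outfile" >/dev/null 2>"$errlog"; then
        rm -f "$errlog"
        echo "promiscuous"
        return 0
    fi

    # Retry only for the specific failure quoted in the question:
    # "(failed to set hardware filter to promiscuous mode)".
    if grep -qi 'promiscuous mode' "$errlog"; then
        if "$CAPTURE_TOOL" -p -i "$iface" -c "$count" -w "$outfile" >/dev/null 2>"$errlog"; then
            rm -f "$errlog"
            echo "non-promiscuous"
            return 0
        fi
    fi

    # Any other error (wrong interface, no permission, ...) is passed through.
    cat "$errlog" >&2
    rm -f "$errlog"
    return 1
}

# Usage (interface number as listed by "dumpcap -D"; values are placeholders):
#   capture_with_fallback 1 wlan-test.pcapng 200
```

A capture that only succeeds in non-promiscuous mode contains just the traffic to and from the capturing host, as the answer notes.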

Thanks on the USB and “raw” clarification, that one didn’t sink in at all. I see it now as I read between the lines.

I finally caught the fact that I had set my capture templates for capturing with “promiscuous mode” on as a default. I haven’t been in that area for a long time and forgot about it. Every adapter I have tried for a very long time worked with this mode “default on” and the Ralink RT3070 has been the first to complain.

Now that I remember how/where to turn it off, it appears to work ok. Now I can start to figure out why I can’t get any throughput using this interface.

Sure don’t like the massive duplicate packet storms I am seeing with this USB chip.

Thanks for the reply. It’s solved.

(Hope this formatting holds. It didn't on the question. Hope it's readable if it doesn't.) Here goes.

(11 Apr '12, 22:06) roboprogramer

P.S. How come award points don't seem to work? Could not award any.

(11 Apr '12, 22:13) roboprogramer

@roboprogramer

I converted your "answer" to a comment as this is a Q&A site not a forum, please see the FAQ.

To "award" points, just accept the answer given by clicking on the "check" mark icon at the start of the answer.

(12 Apr '12, 02:27) grahamb ♦
question asked: 06 Apr '12, 23:29

question was seen: 11,767 times

last updated: 12 Apr '12, 02:27