This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How can I capture packets between a wireless laptop and a router? (linux)

0

I tried sniffing packets with monitor mode, and I'm not getting the packets between the laptop and the router. I also tried turning off promiscuous mode, but with no success. All of what I'm picking up is just "broadcasts".

Is there something I'm missing? It should be really easy to read packets that are wirelessly transmitted, right?

asked 22 May '12, 12:59

Sheep

edited 22 May '12, 13:02

What wireless card and driver are you using for the monitor interface? How did you create the monitor interface? There are some issues in having both the client and monitor interface on the same card. Are you doing something in this regard?

(22 May '12, 15:32) srini_wisc

I'm using the ALFA AWUS036NHA which uses the Atheros AR9271 chipset. I'm not sure what drivers it's using, but I'm using BackTrack 5 and it comes with the latest drivers I believe.

I created the monitor interface using airmon-ng.

I don't understand your last question. If you mean to ask if I'm using the ALFA for internet AND monitoring purposes, then no, I'm not. I'm hard wired to a router and I use that to access the internet.

EDIT: The driver it uses is known as "ath9k_htc" on this website. http://linuxwireless.org/en/users/Drivers

(22 May '12, 20:25) Sheep

I haven't used ar9271 but I have used other cards with ath9k_htc, using iw and creating a monitor interface seems to work. I set the monitor interface to any channel and I can read the different data packets that are present in the channel.

The following set of commands seems to work:
iw dev wlan0 set type monitor
iw dev wlan0 set channel <chid>
ifconfig wlan0 up

Does this suffice? Or do you have any other needs? Are you monitoring any specific type of channel like HT40(-/+) or something? If so, your monitor interface has to be set to that type using iw.

(22 May '12, 21:04) srini_wisc

I'm getting a "device or resource busy (-16)" error when trying to run iw dev wlan0 set type monitor

And this is when booting into backtrack and doing nothing except going into terminal and typing the command. I don't know how the device is busy when I haven't even done anything with it yet :x

Any solutions for this?

(22 May '12, 21:21) Sheep

You need to bring the interface down and make sure it doesn't try to connect as a station interface when you are setting it in monitor mode. Kindly let me know if it works.

(22 May '12, 21:23) srini_wisc

Seems to be working alright. I've tested packet capturing in wireshark and I'm picking up packets being sent from IP addresses now.

I won't know if it works entirely until tomorrow, seeing as it's 12 at night so there isn't a lot of traffic going on.

I have a few related questions about setting up monitor mode this way.

  1. Do I have to specify a channel? If I don't set a channel, will it automatically capture packets from EVERY channel in its radius?

  2. Is the reason this works because it DOESN'T create another interface for monitor mode, like airmon-ng does?

(22 May '12, 21:48) Sheep

For question 1: if you don't specify, it would read from channel 1 by default. It will not snoop around for channels. I don't know if you can generalize like you have for the second question. From what I know (I may be wrong here), when a monitor and managed interface are present on the same card, it would act in promiscuous mode, meaning it can only look at traffic to/from the associated AP.

(22 May '12, 22:02) srini_wisc

I hate asking dumb questions, but what command would I use to see packets from all the channels around me?

(22 May '12, 22:23) Sheep

You can only read from one channel at a time.

(23 May '12, 18:18) srini_wisc
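
The sequence worked out in the comments above (interface down, set type monitor, interface up, set channel), as an added example that is not code posted by anyone in the thread. It goes one step beyond the thread with a `hop` helper that shows what "one channel at a time" means in practice. Assumptions: the helper names `run`, `valid_channel`, `monitor_on` and `hop`, a 2.4 GHz card (channels 1-14), the down/type/up/channel ordering, and a dry-run default that only prints the commands.

```shell
#!/bin/sh
# Added example: monitor mode via iw, with the "bring it down first" fix.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (needs root).
DRY_RUN="${DRY_RUN:-1}"

run() {
    # Print the command, or execute it when DRY_RUN=0.
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

valid_channel() {
    # Assumption: 2.4 GHz card, so only channels 1-14 are accepted.
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 14 ]
}

monitor_on() {
    # usage: monitor_on IFACE CHANNEL
    iface="$1"; chan="$2"
    valid_channel "$chan" || { echo "bad channel: $chan" >&2; return 2; }
    # Down first: this is the thread's fix for
    # "device or resource busy (-16)" on "set type monitor".
    run ifconfig "$iface" down || return 1
    run iw dev "$iface" set type monitor || return 1
    run ifconfig "$iface" up || return 1
    # A monitor interface listens on one channel at a time.
    run iw dev "$iface" set channel "$chan" || return 1
}

hop() {
    # usage: hop IFACE DWELL_SECONDS CHANNEL...
    # Retunes through the list once; each channel is only heard during its
    # dwell, so frames sent on the other channels meanwhile are missed.
    iface="$1"; dwell="$2"; shift 2
    for c in "$@"; do
        valid_channel "$c" || { echo "bad channel: $c" >&2; return 2; }
        run iw dev "$iface" set channel "$c" || return 1
        [ "$DRY_RUN" = 1 ] || sleep "$dwell"
    done
}

# Stand-alone use: ./monitor.sh wlan0 6
if [ "$#" -ge 2 ]; then monitor_on "$1" "$2"; fi
```

To capture one laptop's traffic to its router, stay on the router's channel with `monitor_on` rather than hopping.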