This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

“Capture session could not be initiated”, but then it can be

0

I'm using wireshark 1.6.7 on Linux Mint 13 "Maya" Xfce on an old Dell 23 bit PC. The Wifi hardware is a Linksys USB Wifi adapter (WUSB600N).

First, I run airmon-ng in a terminal session to create the mon0 device that is in monitor mode. Then I run wireshark (not as root because I set unix capabilities for dumpcap).

If I try to start a capture by clicking on mon0 in the "Start Capture on interface" list on the home "page" of wireshark, I get the dialog box saying "Capture session could not be initiated (That device doesn't support monitor mode). Please check to make sure you have sufficient permissions, and that you have the proper interface or pipe specified." Then I click OK to get rid of the message.

Next, I click on the "Interface List" button or text and the dynamic "Wireshark: Capture Interfaces" dialog box pops up. If I click on the Start button for mon0, I get the same error message and click OK.

Next, I click on the Options button (to the right of the Start button) for mon0 in the same dialog box. This time something strange happens. A different error box appears saying "The capabilities of the capture device 'mon0' could not be obtained (That device doesn't support monitor mode). Please check..." But the error box is immediately covered by the "Wireshark: Capture Options" dialog box (CO box). If I move the CO box and click OK on the error box to get rid of it and then click Start on the CO box, Voila! The capture starts! And yes, it is indeed a monitor-style capture (i.e. I can see all 802.11 packets).

When I first configured and ran wireshark, I didn't have this problem. But the very first time I exited and restarted wireshark, the problem began.

Why am I getting the "Capture session could not be initiated" error message, when clearly it CAN BE initiated, albeit in a roundabout way (i.e. only using the Start button on the Capture Options dialog)?

Note that it doesn't matter whether the promiscuous mode radio button in the CO box is checked or not, and of course when I try to check the monitor mode radio button, I get the error message that it can't be set, so the monitor mode radio button remains blank.

Any help on how to eliminate this annoying behavior from an otherwise great experience with wireshark would be greatly appreciated. Thanks!

-- Nick

asked 20 Nov '12, 22:09

ironick


One Answer:

0

Don't bother checking the monitor mode box (and un-check it if it's checked) if you're capturing on a monitor-mode device. If you do, Wireshark tries to use the libpcap APIs for turning monitor mode on, and those APIs don't work well with mac80211 devices, even on monitor-mode interfaces, if libpcap isn't built with libnl, and on Debian and derivatives such as Ubuntu and Mint, it's not built with libnl. If that's not checked, Wireshark will just try to do a regular capture, which will capture in monitor mode in that device.

I suspect the same would apply to tcpdump, dumpcap, and TShark when using the -I command-line flag to request monitor mode.

This needs to be fixed by changing libpcap to directly talk to netlink sockets rather than using the ever-changing libnl library (where "changing" means "changing in ways that change the API"); the Debian folks are loath to build libpcap with libnl due to the fact that there are, as of now, 3 different incompatible versions of libnl.

answered 22 Nov '12, 10:28

Guy Harris ♦♦

As I tried to make clear in my description, I was never able to check the monitor mode box.

(22 Nov '12, 19:25) ironick
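
The rule from the answer above (do not request monitor mode on an interface that is already in monitor mode), as an added shell example that is not part of the original thread or of Wireshark: it reads the interface's link type from sysfs and adds `-I` only when the interface is wireless but not yet in monitor mode. The function names, the `SYSFS_NET` override and the demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: choose dumpcap/tcpdump/TShark arguments for a Wi-Fi capture.
# SYSFS_NET can be overridden to point at a constructed tree for testing.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# rfmon_plan IFACE prints one of:
#   plain        interface is already in monitor mode; capture without -I
#   request      wireless but not in monitor mode; -I would be needed
#   unsupported  not a cfg80211/mac80211 wireless interface
#   missing      no such interface
rfmon_plan() {
    dir="$SYSFS_NET/$1"
    [ -r "$dir/type" ] || { echo missing; return 0; }
    # ARPHRD_* values from linux/if_arp.h: 801 = IEEE80211,
    # 802 = IEEE80211_PRISM, 803 = IEEE80211_RADIOTAP (monitor-mode link types).
    case "$(cat "$dir/type")" in
        801|802|803) echo plain ;;
        *) if [ -e "$dir/phy80211" ]; then echo request; else echo unsupported; fi ;;
    esac
}

# capture_args IFACE prints the interface arguments to hand to the capture tool.
capture_args() {
    case "$(rfmon_plan "$1")" in
        plain)   echo "-i $1" ;;
        request) echo "note: -I on $1 relies on libpcap's own monitor-mode support" >&2
                 echo "-i $1 -I" ;;
        *)       echo "error: $1 cannot capture in monitor mode" >&2; return 1 ;;
    esac
}

# Constructed demo tree (not real hardware): mon0 as created by airmon-ng,
# wlan0 in managed mode, eth0 wired. Runs in a subshell so SYSFS_NET is restored.
demo() (
    SYSFS_NET="$(mktemp -d)" || exit 1
    mkdir -p "$SYSFS_NET/mon0/phy80211" "$SYSFS_NET/wlan0/phy80211" "$SYSFS_NET/eth0"
    echo 803 > "$SYSFS_NET/mon0/type"
    echo 1 > "$SYSFS_NET/wlan0/type"
    echo 1 > "$SYSFS_NET/eth0/type"
    for i in mon0 wlan0 eth0; do echo "$i: $(rfmon_plan "$i")"; done
    rm -rf "$SYSFS_NET"
)
demo
```

On a real system, `dumpcap $(capture_args mon0)` would then start the capture without the monitor-mode request that triggers the error described in the question.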