I'm capturing in monitor mode, but I'm not seeing any packets where the header claims it's a data. asked 22 Jul '13, 17:53 andyhuang edited 22 Jul '13, 18:05 Guy Harris ♦♦ |
One Answer:
It's probably a driver or adapter problem then. You'd have to ask the adapter vendor or the driver writer. answered 23 Jul '13, 20:07 Guy Harris ♦♦ I found that when I put the adapter in monitor mode in advance by using iwconfig tools, wireshark can capture all the packages with mac802.11 header in prom mode. But when I use the "monitor mode" checkbox in wireshark, it has the problem described above.Isn't it weird? (24 Jul '13, 02:37) andyhuang I infer from "iwconfig tools" that this is on Linux; what type of adapter is it, and what does (24 Jul '13, 10:33) Guy Harris ♦♦ Yes, I'm on debian wheezy. The adapter is AR242x/AR542x.
(24 Jul '13, 17:32) andyhuang OK, libpcap is not built with libnl, which means the monitor-mode support doesn't work as well as it should. (libpcap needs to talk to netlink directly, so that distributions don't get to choose whether it'll use net link for monitor-mode support or not. That's another project on my overloaded wish list; note that whatever code it uses to talk to netlink must be BSD-licensed....) It probably has a mac80211 driver, but, as libpcap isn't using libnl, it can't create a mon0 VAP and capture on it, so it's probably relying on some old ioctls that might get undone by "helpful" software. The checkbox in Wireshark will probably not work until I get around to making libpcap talk directly to netlink, that version of libpcap ends up in an official release, and it gets picked up by various Linux distributions. (24 Jul '13, 18:11) Guy Harris ♦♦ I'm totally confused now. If the monitor-mode isn't supported well in my situation, how could wireshark capture 802.11 management and control frames? Moreover in the help of iwconfig tools, wireshark seems to work normally, are the packages captured reliable then, or may some other packages be missing? (24 Jul '13, 21:29) andyhuang
Because not being able to capture data frames in monitor mode doesn't count as performing "well".
They're probably captured as reliably as the hardware allows. (24 Jul '13, 23:47) Guy Harris ♦♦ showing 5 of 6 show 1 more comments |
This is a separate question - the person who asked the question where you added an "answer" that's actually a question never said whether the problem was that they didn't see any data frames or that they saw data frames but they were only dissected as 802.11, not, for example, as HTTP over TCP over IP.
If you're truly having the first problem, that means that you're seeing 802.11 management and control frames, but no data frames, according to the Frame Control field - i.e., the "Type:" subfield of the Frame Control field is either "Management frame" or "Control frame", never "Data frame".
If you're seeing frames where the Frame Control field "Type" subfield says "Data frame", then you're not having the first problem from that question, you're having the second problem from that question.
Thank you. I have the FIRST problem, never see "Data frame". My AP is not encrypted, wireshark version is 1.10.0. I can capture beacon frames and control frames.