This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I'm capturing in monitor mode, but I'm not seeing any packets where the header claims it's data.

asked 22 Jul '13, 17:53

andyhuang

edited 22 Jul '13, 18:05

Guy Harris ♦♦

This is a separate question - the person who asked the question where you added an "answer" that's actually a question never said whether the problem was that they didn't see any data frames or that they saw data frames but they were only dissected as 802.11, not, for example, as HTTP over TCP over IP.

If you're truly having the first problem, that means that you're seeing 802.11 management and control frames, but no data frames, according to the Frame Control field - i.e., the "Type:" subfield of the Frame Control field is either "Management frame" or "Control frame", never "Data frame".

If you're seeing frames where the Frame Control field "Type" subfield says "Data frame", then you're not having the first problem from that question, you're having the second problem from that question.

(22 Jul '13, 18:16) Guy Harris ♦♦

Thank you. I have the FIRST problem, never see "Data frame". My AP is not encrypted, wireshark version is 1.10.0. I can capture beacon frames and control frames.

(23 Jul '13, 19:16) andyhuang

It's probably a driver or adapter problem then. You'd have to ask the adapter vendor or the driver writer.

answered 23 Jul '13, 20:07

Guy Harris ♦♦

I found that when I put the adapter in monitor mode in advance by using iwconfig tools, Wireshark can capture all the packages with mac802.11 header in prom mode. But when I use the "monitor mode" checkbox in Wireshark, it has the problem described above. Isn't it weird?

(24 Jul '13, 02:37) andyhuang

I infer from "iwconfig tools" that this is on Linux; what type of adapter is it, and what does ldd /usr/lib/libpcap.so print?

(24 Jul '13, 10:33) Guy Harris ♦♦

Yes, I'm on Debian wheezy. The adapter is AR242x/AR542x.

    # ldd /usr/lib/x86_64-linux-gnu/libpcap.so
    linux-vdso.so.1 =>  (0x00007fff37d7e000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f8b8ece8000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f8b8f0db000)

(24 Jul '13, 17:32) andyhuang

OK, libpcap is not built with libnl, which means the monitor-mode support doesn't work as well as it should. (libpcap needs to talk to netlink directly, so that distributions don't get to choose whether it'll use netlink for monitor-mode support or not. That's another project on my overloaded wish list; note that whatever code it uses to talk to netlink must be BSD-licensed....)

It probably has a mac80211 driver, but, as libpcap isn't using libnl, it can't create a mon0 VAP and capture on it, so it's probably relying on some old ioctls that might get undone by "helpful" software.

The checkbox in Wireshark will probably not work until I get around to making libpcap talk directly to netlink, that version of libpcap ends up in an official release, and it gets picked up by various Linux distributions.

(24 Jul '13, 18:11) Guy Harris ♦♦

I'm totally confused now. If the monitor-mode isn't supported well in my situation, how could wireshark capture 802.11 management and control frames? Moreover in the help of iwconfig tools, wireshark seems to work normally, are the packages captured reliable then, or may some other packages be missing?

(24 Jul '13, 21:29) andyhuang

> If the monitor-mode isn't supported well in my situation, how could wireshark capture 802.11 management and control frames?

Because not being able to capture data frames in monitor mode doesn't count as performing "well".

> Moreover in the help of iwconfig tools, wireshark seems to work normally, are the packages captured reliable then

They're probably captured as reliably as the hardware allows.

(24 Jul '13, 23:47) Guy Harris ♦♦
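
The check from the first comment in this thread (is the Frame Control "Type" subfield ever "Data frame"?) can be run over a saved capture instead of by eye. This is an added example, not part of the original thread: it assumes a classic pcap file (not pcapng) with an 802.11 or radiotap link type, and the function names and sample frames are constructed for illustration.

```python
import struct
from collections import Counter

LINKTYPE_IEEE802_11 = 105           # frames start with the 802.11 header
LINKTYPE_IEEE802_11_RADIOTAP = 127  # radiotap header first, then 802.11
FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}

def count_frame_types(pcap_bytes):
    """Tally the frames of a classic pcap file by Frame Control 'Type'."""
    if pcap_bytes[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif pcap_bytes[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(endian + "I", pcap_bytes, 20)[0]
    if linktype not in (LINKTYPE_IEEE802_11, LINKTYPE_IEEE802_11_RADIOTAP):
        raise ValueError("no 802.11 headers: link type %d" % linktype)
    counts = Counter()
    offset = 24  # size of the pcap file header
    while offset + 16 <= len(pcap_bytes):
        incl_len = struct.unpack_from(endian + "I", pcap_bytes, offset + 8)[0]
        packet = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        start = 0
        if linktype == LINKTYPE_IEEE802_11_RADIOTAP:
            # Radiotap fields are little-endian; bytes 2-3 hold its length.
            rt_len = packet[2:4]
            start = struct.unpack("<H", rt_len)[0] if len(rt_len) == 2 else len(packet)
        if start >= len(packet):
            counts["truncated"] += 1
            continue
        # Bits 2-3 of the first Frame Control byte are the Type subfield.
        counts[FRAME_TYPES[(packet[start] >> 2) & 0x3]] += 1
    return counts

def sample_capture(frames):
    """Build a radiotap pcap in memory from constructed 802.11 frames."""
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)  # minimal 8-byte header
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 127)
    for frame in frames:
        packet = radiotap + frame
        out += struct.pack("<IIII", 0, 0, len(packet), len(packet)) + packet
    return out

BEACON = b"\x80\x00" + bytes(22)  # constructed: management, subtype beacon
ACK = b"\xd4\x00" + bytes(8)      # constructed: control, subtype ACK
DATA = b"\x08\x00" + bytes(22)    # constructed: data frame

if __name__ == "__main__":
    print(dict(count_frame_types(sample_capture([BEACON, ACK]))))
```

A capture whose tally has a zero "data" count matches the first problem discussed above; a non-zero count means data frames are arriving and any remaining issue is in how they are dissected.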