This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Monitor Mode problem

0

I'm trying to view the RTS/CTS process that occurs when you lower the RTS threshold on a wireless router. I have to be in monitor mode to be able to view this traffic but I can't seem to be able to get there. I'm looking under "Capture" for an option under promiscuous mode but from the Wireshark User's Guide I see that this option may be available only if you are running Linux or Unix. I've read some other things online that suggest that even if you are running Linux your adapter must still be capable of being configured to accept monitor mode. I've read other posts that suggest that it is possible to get into monitor mode even if you are running Vista, as I am.
I'd really appreciate a clear explanation of what, if anything, I can do to be able to view my captures in monitor mode. Is there a NIC that will allow me to get into monitor mode using Vista? If I add Linux to my PC am I assured of being able to get into monitor mode or will I still have to wait and see if my NIC supports it? Appreciate any help with this from the community.

asked 07 Mar '11, 17:23

tedsini
accept rate: 0%


2 Answers:

2

"Unix" is a generic term; it either means "any OS that looks like a Unix", which includes Linux and Solaris and BSD and Mac OS X and AIX and HP-UX and..., or "any OS that's passed that validation suite so the 'Unix' trademark can be used with it", which includes Solaris and AIX and HP-UX and Mac OS X but not Linux or BSD. In either case, there are some Unixes that support monitor mode and some that don't.

The actual answer is that the OSes on which you can capture in monitor mode with tcpdump or Wireshark are Linux, *BSD, and Mac OS X, and that's it; you cannot do so on Windows (or on Unixes such as Solaris). All you can do on Windows is buy an AirPcap adapter and use that.

You can capture in monitor mode on Vista and Windows 7 with, for example, Microsoft Network Monitor, as well as with some other network analyzers that cost money. That should work with any wireless network adapter that has a driver that supports "Native WiFi" - you might have to ask the vendor of the adapter (or, if it's built into your machine, the vendor of your machine) whether the driver supports Native WiFi or not.

If you "add" Linux to it, you'll either have to replace Windows with Linux so that you can't run Windows at all, dual-boot Windows and Linux so that you can only run one of them at a time, or use something like VMware or Parallels to run Linux on a virtual machine, but the virtual machine would require that you get something such as a USB Wi-Fi adapter and have Linux use that adapter. All of those would be somewhat inconvenient. If you are running a reasonably recent version of some Linux distribution, most adapters and their drivers will support monitor mode.

For more information, including some links in the Linux section to pages that should indicate which adapters and drivers support monitor mode, see the CaptureSetup/WLAN page of the Wireshark Wiki.

(Promiscuous mode and monitor mode are not the same. Promiscuous mode is supported on networks other than Wi-Fi networks, and it's supported on all OSes on which Wireshark works, including Windows. It may, or may not, work with Wi-Fi adapters; on Windows, it usually doesn't work with Wi-Fi adapters. Monitor mode is specific to Wi-Fi adapters, and is what you'd need if you want to see low-level Wi-Fi details such as RTS and CTS packets.)

answered 07 Mar '11, 17:57

Guy Harris ♦♦
accept rate: 19%

edited 07 Mar '11, 18:01

As it turns out, this was why I was able to see multicast packets being received on a dual-boot Linux/Windows machine in Linux, but not in Windows, when going over wireless. Thank you for posting!

(09 Aug '11, 12:52) bch36
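As an added illustration of what the accepted answer describes, and not code from the original thread or from the Wireshark project: a small Python decoder for the radiotap-framed RTS/CTS control frames that a monitor-mode capture exposes (and that promiscuous mode on a Wi-Fi adapter does not). The frames and MAC addresses are constructed, and the radiotap header is assumed to be the minimal 8-byte form with no optional fields.

```python
import struct

# Minimal radiotap header (version 0, pad, length 8 LE, no present fields),
# as a monitor-mode capture prepends to every 802.11 frame.
RADIOTAP = bytes.fromhex("0000080000000000")
STA = bytes.fromhex("02aabbccdd01")   # constructed station MAC
AP = bytes.fromhex("02aabbccdd02")    # constructed AP MAC

# Frame Control byte 0: bits 0-1 version, 2-3 type, 4-7 subtype.
# Control frames are type 1: RTS subtype 11 (0xB4), CTS 12 (0xC4), ACK 13 (0xD4).
CONTROL_SUBTYPES = {11: "RTS", 12: "CTS", 13: "ACK"}
# Constructed frames (not captured from a real network); 4 zero bytes stand in for the FCS.
RTS_FRAME = RADIOTAP + b"\xb4\x00" + struct.pack("<H", 0x0110) + AP + STA + bytes(4)  # FC, duration, RA, TA
CTS_FRAME = RADIOTAP + b"\xc4\x00" + struct.pack("<H", 0x00f0) + STA + bytes(4)       # FC, duration, RA
DATA_FRAME = RADIOTAP + b"\x08\x00" + bytes(2) + STA + AP + AP + bytes(2) + bytes(4)  # type 2 data frame

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_control_frame(buf):
    """Skip the radiotap header and decode an RTS/CTS/ACK frame; None for anything else."""
    rt_len = struct.unpack_from("<H", buf, 2)[0]
    body = buf[rt_len:]
    if len(body) < 10:
        return None
    fc = body[0]
    frame_type, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if frame_type != 1 or subtype not in CONTROL_SUBTYPES:
        return None
    info = {
        "kind": CONTROL_SUBTYPES[subtype],
        "duration_us": struct.unpack_from("<H", body, 2)[0],  # NAV reservation in microseconds
        "ra": mac(body[4:10]),
    }
    if subtype == 11:  # only RTS carries a transmitter address
        info["ta"] = mac(body[10:16])
    return info

def rts_cts_pairs(frames):
    """Pair each RTS with the next CTS whose receiver address is the RTS sender."""
    pairs, pending = [], None
    for f in filter(None, map(parse_control_frame, frames)):
        if f["kind"] == "RTS":
            pending = f
        elif f["kind"] == "CTS" and pending and f["ra"] == pending["ta"]:
            pairs.append((pending, f))
            pending = None
    return pairs
```

In Wireshark the same frames match the display filter `wlan.fc.type_subtype == 0x1b || wlan.fc.type_subtype == 0x1c`, which only shows anything when the adapter is actually in monitor mode.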

0

Install Acrylic WiFi under Windows, and then execute Wireshark as an Administrator. Wireshark will be able to capture WiFi packets under Windows because Acrylic emulates monitor mode capable cards.

answered 07 Aug '14, 10:41

AcrylicWiFi
accept rate: 0%