Hello, I'm trying to capture traffic passing through a Wi-Fi NIC, but with monitor mode off. When I set this up via capture options (pick my en1 interface, disable monitor mode) and click Start, I get a dialog that says this: "Unable to set data link type (IEEE802_11 is not one of the DLTs supported by this device). Please report this to the Wireshark developers. (This is not a crash; please do not report it as such.)" It has been a few months since I've tried to do this, but I am almost certain I used to be able to capture traffic over my 802.11 interface without having to put it into monitor mode. I'm on Mac OS X 10.6.7, Wireshark 1.4.6 installed via MacPorts. Any ideas? Thanks for any help, Smith asked 30 Apr '11, 08:51 klaushergesh... |
One Answer:
In Mac OS X, you can capture on an 802.11 interface without being in monitor mode. However, you cannot, and never were able to, in any version of Mac OS X, capture with 802.11 headers, rather than fake Ethernet headers, if you're not in monitor mode. Wireshark should forcibly set the link-layer type to Ethernet if you disable monitor mode; if it doesn't, file a bug at the Wireshark bugzilla. answered 30 Apr '11, 12:23 Guy Harris ♦♦ |
I'm sorry, perhaps I wasn't clear.
If I start Wireshark, do Capture Options, and select en1 (the typical interface for an on-board AirPort Extreme 802.11 NIC), I am presented with the option to enable / disable "Capture packets in monitor mode". If I have that checkbox checked (monitor mode enabled), I capture the raw 802.11 traffic, as expected.
However, if I deselect the "Capture packets in monitor mode" checkbox, to capture traffic in the pseudo-Ethernet format, and click "Start", I get a dialog with the message I described above:
"Unable to set data link type (IEEE802_11 is not one of the DLTs supported by this device). Please report this to the Wireshark developers. (This is not a crash; please do not report it as such.)"
Should I be seeing this, assuming I only have Wireshark installed?
I have a variety of other MacPorts ports installed, as well as some Wi-Fi programs not from MacPorts (like KisMAC, etc.), and I don't know if one of those is putting something into NKE / protocol stack that might be causing this problem, but before I begin that kind of time investment I wanted to know whether this was supported in the first place.
As another data point, I just tried running "sudo wireshark -i en1 -w foo.pcap", and tcpdump can capture at the Ethernet level:
I guess I have a workaround, but it is a disappointingly limited one, because I cannot take advantage of the live presentation functionality of Wireshark in that mode.
Is there some way to "dump" the driver stack that Wireshark is using? Obviously, the tcpdump is from Mac OS X core installation, whereas my Wireshark is from MacPorts. Perhaps it is the way that libpcap or one of the MacPorts libraries that Wireshark is using is built by MacPorts.
Ugh, more digging. Uninstalled all ports from MacPorts, then re-installed Wireshark. Still had this problem. Curiously, I dug into the wireshark man page, and found that this:
starts Wireshark immediately into a a capture on the 802.11 NIC (en1), but DOES use and present the Ethernet link layer header type, so I am getting the traffic on the Wi-Fi network to which I am connected. Sadly, if I stop and restart the capture, it again gives me the problem I first described. It seems like it is just that Wireshark somehow cannot connect the dots itself.
With the 1.4.6 version from wireshark.org, on 10.6.7, if I fire up Wireshark, set the interface to en1, and un-check the monitor mode checkbox, it forcibly sets the link-layer type to Ethernet (and does not allow it to be changed), and allows me to start a capture.
Try downloading and installing the wireshark.org version, and see whether it works the same way. If so, the macports people probably did something wrong.