Hi there, I'm running the latest version of wireshark with ubuntu. My Wifi is using an "Intel 4965/5xxx" Chipset with an "iwlagn" driver. My Problem is: When I click at the "monitor mode" checkbox in Capture Options the box is checked for less than a second and then unchecked again. I don't receive any error messages. I tried using airmon-ng and selected mon0 as interface but it didn't work, either. Can you help me?
asked 23 Aug '11, 09:27 MyScreenName... edited 08 Dec '11, 01:55 Guy Harris ♦♦
One Answer:
Try this:
This should get you into monitor mode. Just check with
In the mode attribute “monitor” should be written instead of managed. Hope this helps.
answered 13 Jun ‘12, 16:15 pslayer89
My problem was that I was able to see broadcast data like beacons in monitor mode but I could not get any HTTP request. Tests were done with my smartphone connected to an open hotspot. The solution was to set WiFi channel to the hotspot one! Like @pslayer89 said, I did iwconfig wlan0 channel 6 in my case and it worked :) (10 Dec ‘13, 08:06) baptx
What kernel version are you running, and what version of libpcap is Wireshark built with? ("uname -sr" for the first; "wireshark -v" for the second.) According to http://intellinuxwireless.org/, the driver has been in the mainline kernel since 2.6.24, and the version in the 2.6.32.4 in the iwlwifi directory appears to have monitor-mode support.
What happened with airmon-ng? What happens if you try, for example, tshark with the -I flag?
kernel version: Linux 2.6.38-11-generic-pae
libpcap version: 1.1.1 (with libz 1.2.3.4, with POSIX capabilities (Linux), without libpcre, with SMI 0.4.8, with c-ares 1.7.3, with Lua 5.1, without Python, with GnuTLS 2.8.6, with Gcrypt 1.4.6, with MIT Kerberos, with GeoIP, with PortAudio V19-devel (built Mar 18 2011 15:44:36), without AirPcap.)
Output for tshark -I:
[email protected]:~$ sudo tshark -I
tshark: Lua: Error during loading: [string "/usr/share/wireshark/init.lua"]:45: dofile has been disabled
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
tshark: The capture session could not be initiated (That device doesn't support monitor mode).
Please check to make sure you have sufficient permissions, and that you have the proper interface or pipe specified.
0 packets captured
airmon-ng:
[email protected]:~$ sudo airmon-ng start wlan0
Found 5 processes that could cause trouble. If airodump-ng, aireplay-ng or airtun-ng stops working after a short period of time, you may want to kill (some of) them!
PID Name
608 avahi-daemon
609 avahi-daemon
610 NetworkManager
805 wpa_supplicant
1868 dhclient
Process with PID 1868 (dhclient) is running on interface wlan0
Interface Chipset Driver
wlan0 Intel 4965/5xxx iwlagn - [phy0] (monitor mode enabled on mon0)
[email protected]:~$ iwconfig
lo no wireless extensions.
eth0 no wireless extensions.
wlan0 IEEE 802.11abgn ESSID:"fritzBOX"
      Mode:Managed Frequency:2.472 GHz Access Point: BC:05:43:15:C3:8E
      Bit Rate=117 Mb/s Tx-Power=15 dBm
      Retry long limit:7 RTS thr:off Fragment thr:off
      Power Management:off
      Link Quality=61/70 Signal level=-49 dBm
      Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
      Tx excessive retries:19309 Invalid misc:840 Missed beacon:0
mon0 IEEE 802.11abgn Mode:Monitor Tx-Power=15 dBm
      Retry long limit:7 RTS thr:off Fragment thr:off
      Power Management:off
After that I selected mon0 as interface in wireshark but couldn't check the "monitor mode" checkbox, either.
On what device are you trying to capture in monitor mode? eth0, wlan0, or mon0?
Sorry for the late answer, I was on vacation. I tried both wlan0 and mon0!
I'm seeing the exact same behavior. I've got a Centrino Advanced-N 6205 chipset with the iwlagn driver. Kernel version is 3.0.0-12-generic, Wireshark is 1.6.2, and libpcap 1.1.1
Trying to capture on wlan0, and I even brought the interface down and put it in Monitor mode via the cl (sudo iwconfig wlan0 mode monitor). But when I go into Wireshark and try to select the monitor mode checkbox, I find it stays checked for ~1 second, then unchecks itself.
Try uninstalling and reinstalling aircrack-ng, there was a glitch in recent Centrino wireless NICs not being able to cope with certain patched drivers.
Afterwards go for airmon-ng start <whatever> and then (!!!) airodump-ng mon0
Maybe that helps - it did for my 6200-N / 4965
I am having the exact same issue and have been for a while. I'm not using airmon. I am getting an error related to the GUI references. Hopefully if I can somehow manage to fix that, the problem will subside. Please, please let us know if you find out the answer.
What happens if you aren't running NetworkManager? I've seen postings on the Web that indicate that it "helpfully" turns monitor mode off in some cases, e.g. this Ubuntu Forums post ("That's when NetworkManager kicks in and disables monitor mode.") and this aircrack-ng forum post.
I have the same problem on Debian, described here: http://ask.wireshark.org/questions/7618/monitor-mode-checkbox-not-working
What happened when you did
sudo airmon-ng start wlan0
and then tried to capture on mon0? Don't worry about the "monitor mode" checkbox when you do that, just try capturing; does it capture in monitor mode?
And what does
ldd /usr/lib/libpcap.so
print?
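
The two checks this thread keeps coming back to (the Mode attribute that iwconfig reports, and the channel the interface is tuned to) can be scripted; the following is an added example, not code from any post on this page. The function names `iface_field`, `freq_to_channel` and `capture_ready` are hypothetical, and the sample text is constructed from the iwconfig output quoted above, with an invented `mon1` stanza.

```shell
#!/bin/sh
# Added example (not from the thread): confirm an interface is really in
# monitor mode and tuned to the expected channel before capturing.

# Constructed sample modelled on the iwconfig output quoted in the thread;
# the mon1 stanza is invented to show a tuned monitor interface.
SAMPLE_IWCONFIG='lo        no wireless extensions.

wlan0     IEEE 802.11abgn  ESSID:"fritzBOX"
          Mode:Managed  Frequency:2.472 GHz  Access Point: BC:05:43:15:C3:8E
mon0      IEEE 802.11abgn  Mode:Monitor  Tx-Power=15 dBm
          Retry  long limit:7   RTS thr:off   Fragment thr:off
mon1      IEEE 802.11abgn  Mode:Monitor  Frequency:2.437 GHz  Tx-Power=15 dBm'

# iface_field TEXT IFACE KEY: print the value after "KEY:" or "KEY=" in IFACE's stanza.
iface_field() {
    printf '%s\n' "$1" | awk -v ifc="$2" -v key="$3" '
        /^[^ \t]/ { cur = $1 }          # an unindented line starts a new stanza
        cur == ifc && match($0, key "[:=]") {
            v = substr($0, RSTART + RLENGTH)
            sub(/[ \t].*/, "", v)       # keep the first token only
            print v; exit
        }'
}

# freq_to_channel GHZ: map an 802.11 centre frequency to its channel number.
freq_to_channel() {
    awk -v f="$1" 'BEGIN {
        mhz = int(f * 1000 + 0.5)
        if (mhz == 2484) print 14
        else if (mhz >= 2412 && mhz <= 2472 && (mhz - 2407) % 5 == 0) print (mhz - 2407) / 5
        else if (mhz >= 5180 && mhz <= 5825 && mhz % 5 == 0) print (mhz - 5000) / 5
        else exit 1                     # empty or unknown frequency
    }'
}

# capture_ready TEXT IFACE CHANNEL: report why a capture would miss traffic.
capture_ready() {
    mode=$(iface_field "$1" "$2" Mode)
    [ "$mode" = "Monitor" ] || { echo "not-monitor:${mode:-unknown}"; return 1; }
    freq=$(iface_field "$1" "$2" Frequency)
    chan=$(freq_to_channel "$freq") || { echo "no-channel"; return 1; }
    [ "$chan" = "$3" ] || { echo "wrong-channel:$chan"; return 1; }
    echo "ok:channel-$chan"
}

# Stand-alone run over the constructed sample, expecting channel 6.
for i in wlan0 mon0 mon1; do
    printf '%s: %s\n' "$i" "$(capture_ready "$SAMPLE_IWCONFIG" "$i" 6)"
done
```

On a live system, pass `"$(iwconfig 2>/dev/null)"` as the first argument instead of the sample text.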