This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Monitor mode checkbox not working on Debian Sid

0

Hello, I'm using Debian, when I go to "Capture Options" and select the wlan0 interface, if I try to set it to monitor mode clicking on the checkbox "Capture packets in monitor mode", the "Link-layer header type" menu blinks for a second and the checkbox remains blank. The "Link-layer header type" menu shows only two options: "Ethernet" and "DOCSIS", with both options the monitor mode checkbox has the same behaviour. If I do the following:

ifconfig wlan0 down
iwconfig wlan0 mode monitor
ifconfig wlan0 up

then the only option in the "Link-layer header type" menu is "802.11 plus radiotap header" but the behaviour of the monitor checkbox remains the same. Does anyone have any idea about what the problem is? Thanks in advance.

asked 24 Nov '11, 17:38

Rael's gravatar image

Rael
6114
accept rate: 0%

edited 08 Dec '11, 01:56

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196

Maybe it's important to add that I have the following wireless interface:

[email protected]:~$ lspci

[...]

02:00.0 Ethernet controller: Atheros Communications Inc. AR242x / AR542x Wireless Network Adapter (PCI-Express) (rev 01)

and I'm using the ath5k module which should support monitor mode, according to this list http://linuxwireless.org/en/users/Drivers

(24 Nov '11, 18:03) Rael

Debian lenny, squeeze, wheezy or sid ?

Wireshark from Debian repo or own build? 1.0.2, 1.2.11 or 1.6.3?

(24 Nov '11, 23:48) Jaap ♦

Debian sid, Wireshark from Debian repo. I'm quite sure it's 1.6.3 but I do not have access to my machine at the moment so I can't check.

(25 Nov '11, 04:17) Rael

So what happens if you turn monitor mode off with iwconfig and then install aircrack-ng (the current version for unstable is 1.0~rc3-2) and run airmon-ng start wlan0. Let us know what it prints and, if it prints "(monitor mode enabled on mon0)" amongst its output, try capturing on mon0 rather than wlan0.

(02 Dec '11, 18:40) Guy Harris ♦♦

It prints 3 applications that might interact with the card in monitor mode (NetworkManager, dhclient and wpa_supplicant), so I ran "airmon-ng stop mon0", killed the 3 applications and ran "airmon-ng start wlan0" again. In the capture options for mon0 the "Link-layer header type" menu says "Not supported" and the monitor mode checkbox is grey and it is impossible to select it.

(03 Dec '11, 17:55) Rael
1

So what happens if you restart the three applications, do airmon-ng start wlan0, don't kill any of the applications, start up Wireshark, do Capture -> Options, IGNORE the "Monitor mode" checkbox, and try capturing on mon0?

(03 Dec '11, 20:52) Guy Harris ♦♦

It looks like it works! Thank you very much.

(04 Dec '11, 03:35) Rael

What does ldd /usr/lib/libpcap.so print?

(05 Dec '11, 14:23) Guy Harris ♦♦

[email protected]# ldd /usr/lib/libpcap.so

ldd: /usr/lib/libpcap.so: File o directory non esistente

which is italian for "File not found"

(05 Dec '11, 16:08) Rael

So what does ls /usr/lib/libpcap.* print?

(05 Dec '11, 17:10) Guy Harris ♦♦

[email protected]# ls /usr/lib/libpcap.*

ls: impossibile accedere a /usr/lib/libpcap.*: File o directory non esistente

in english: "ls: unable to access /usr/lib/libpcap.*: File not found"

(05 Dec '11, 17:28) Rael

OK, what is printed if you run ldd on the dumpcap executable that is installed as part of Wireshark? Libpcap has to be hidden somewhere in order to allow Wireshark to capture network traffic at all.

(05 Dec '11, 18:06) Guy Harris ♦♦

Where can I find the dumpcap executable installed as part of Wireshark?

(05 Dec '11, 18:20) Rael

It should be in the same directory as the Wireshark executable.

(05 Dec '11, 18:27) Guy Harris ♦♦

Ok:

[email protected]# which wireshark

/usr/bin/wireshark

[email protected]# ldd /usr/bin/dumpcap

linux-vdso.so.1 =>  (0x00007fff66dff000)
libwsutil.so.1 => /usr/lib/libwsutil.so.1 (0x00007fd23aedf000)
libgthread-2.0.so.0 => /usr/lib/x86_64-linux-gnu/libgthread-2.0.so.0 (0x00007fd23acda000)
libglib-2.0.so.0 => /lib/x86_64-linux-gnu/libglib-2.0.so.0 (0x00007fd23a9e3000)
libpcap.so.0.8 => /usr/lib/x86_64-linux-gnu/libpcap.so.0.8 (0x00007fd23a7ac000)
libcap.so.2 => /lib/libcap.so.2 (0x00007fd23a5a7000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fd23a38e000)

[...continues on next comment...]

(06 Dec '11, 04:58) Rael

[...continues from previous comment...]

libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fd23a171000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd239dd2000)
librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fd239bc9000)
libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fd23998d000)
/lib64/ld-linux-x86-64.so.2 (0x00007fd23b312000)
(06 Dec '11, 04:59) Rael

OK, I guess Sid is using a different pathname scheme for libraries, presumably to better handle running both 32-bit and 64-bit binaries on the same machine. I vaguely remember reading something about Debian adopting a scheme such as that.

What does ldd /usr/lib/x86_64-linux-gnu/libpcap.so.0.8 print?

(06 Dec '11, 10:00) Guy Harris ♦♦

/usr/lib/x86_64-linux-gnu/ is an empty directory, the system is 32 bit so I found the file you suggested inside /usr/lib/i386-linux-gnu, the command prints the following:

[email protected]# ldd /usr/lib/i386-linux-gnu/libpcap.so.0.8
linux-gate.so.1 => (0xb7703000)
libc.so.6 => /lib/i386-linux-gnu/i686/cmov/libc.so.6 (0xb755e000)
/lib/ld-linux.so.2 (0xb7704000)
(06 Dec '11, 16:25) Rael

How can I format my command line output to make it look clearer here?

(06 Dec '11, 16:27) Rael

I'm not sure what "clearer" means; if you mean "how can I make it look like something in a terminal emulator", just put 4 spaces before each line. The syntax used in sites using OSQA, such as ask.wireshark.org, is markdown, and the syntax for code blocks is 4-space indentation.

(06 Dec '11, 22:27) Guy Harris ♦♦

I have exactly the same problem (running on linux mint which is an ubuntu dist., wireshark v1.4.6, installed it just a week ago). Using wlan0, I can only monitor my own traffic. Tried to check the "capture in monitor mode", it blinks and remains blank. Tried to enable the monitor mode via airmon-ng so I get the mon0 interface, I can use it but it does not scan http traffic, shows only IEEE 802.11 as protocol during scanning, and again the "capture in monitor mode" option does not work. Is there something I can do?

(01 Jan '12, 12:25) John mech

Sorry for posting this as an answer, I'm new :P

(01 Jan '12, 17:14) John mech

@John, You should ask a new question instead of piggy-backing off this one. You can always reference this question from your new question. Plus, your question-comment is buried under a mound of comments, so you're less likely to get an answer here.

(01 Jan '12, 18:19) helloworld
showing 5 of 23 show 18 more comments

One Answer:

2

OK, this is a combination of several problems:

  1. Debian sid does not build libpcap 1.1.1 with libnl, which means that libpcap's monitor-mode APIs don't support the Shiny New mac80211 Mechanism, and end up using the old Wireless Extensions stuff;

  2. libpcap 1.1.1's code to use the old Wireless Extension stuff to handle monitor mode had a number of bugs, which means that its monitor-mode APIs don't work correctly when using the old Wireless Extension stuff, and cause dumpcap to report an error;

  3. Wireshark wasn't reporting the error it got from dumpcap in that case - it was briefly disabling the "monitor mode" checkbox (because its attempt to get information such as the link-layer header types in monitor mode failed because libpcap couldn't put the interface in monitor mode), then clearing the checkbox (because it failed to put the interface in monitor mode), and then re-enabling it (because the API it originally used to check whether monitor mode was supported without actually attempting to put the interface into monitor mode said monitor mode is supported).

I've checked into the trunk and 1.6 branches a fix for the third problem; it should now pop up an error message box if you try to check the monitor mode checkbox on platforms with the libpcap problems in question. The error message will refer you to the CaptureSetup/WLAN page in the Wireshark Wiki, but it should really specifically refer you to the Linux section of that page. I'll fix it to do so later. The 1.6 branch changes should also go into 1.4, so they show up in the next 1.4.x release as well as the next 1.6.x release.

I've checked into the libpcap trunk and 1.2 branches a fix for the second problem, so they should show up in any future 1.2.x release (there are enough bug fixes that tcpdump.org should consider doing a 1.2.x release - and announce it so that various OSes pick it up) as well as any 1.3.0 release when it comes out. When that'll happen, I don't know, and I don't know whether any of the Linux distributions with this issue would pick it up as an update to existing releases or whether you'd have to wait for a future release. Given that anything short of Sid appears to have Wireshark 1.2.x as the Wireshark version, people who run into this are probably building Wireshark from source anyway, so they might end up picking up the fix for the third problem - monitor mode won't work well with the checkbox or the -I option, but at least it'll let you know something went wrong and point you at the Wireshark Wiki, which suggests using airmon-ng in that case.

I've sent mail to Romain Francoise, the Debian maintainer for libpcap, about the first problem. Hopefully the fix is as simple as declaring libnl to be one of libpcap's dependencies.

answered 06 Dec '11, 22:42

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%