This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Unable to capture packets promiscuously on Wi-Fi on Windows

0

I am trying to configure Wireshark to capture all packets on my WiFi network, however I am only packets to and from my computers, in addition to broadcast packets.

I am relatively new to Wireshark but I seem to remember when I used it on my old laptop, Wireshark had this functionality "out of the box".

The interface I am using is a Intel Centrino Wireless-N 1030.

asked 17 Feb '12, 11:39

ethernetdan's gravatar image

ethernetdan
1111
accept rate: 0%

edited 12 Mar '12, 14:43

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196


3 Answers:

0

What is your OS? Some wireless card drivers on Windows can't handle promiscuous mode. See the WLAN capture page on the Wiki for more information.

answered 17 Feb '12, 11:45

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

I am using Win7 x64. I looked through the page earlier but I was not able to see anything that could help resolve the issue. Is there a mirror or newer version of the list of supported hardware?, it seems the link on the page is dead. Also would running wireshark on a virtualized computer running linux work?

(17 Feb '12, 11:51) ethernetdan

Unfortunately the linux VM would still rely on the Windows card drivers. AFAIK the only guaranteed way to capture WLAN traffic on Windows is with an AirPCap adaptor.

(17 Feb '12, 12:17) grahamb ♦

Or with Microsoft Network Monitor, which, I think, has its own drivers that, on Vista and Windows 7 (but NOT XP!), can use NDIS 6 (unlike WinPcap) and can thus use Native Wi-Fi (if your adapter's driver supports it) and thus can capture on Wi-Fi adapters in monitor mode. (Note that, on Windows, going into monitor mode disconnects you from your wireless network.)

(18 Feb '12, 00:29) Guy Harris ♦♦

You've already asked that question. No need to ask it again.

(12 Mar '12, 14:39) Guy Harris ♦♦

As for the Linux VM, if the VM software you're using allows the virtual machine to access USB hardware on your machine (as, for example, VMware Fusion does), then if you have a USB Wi-Fi adapter that Linux supports in monitor mode (as I do), you could plug that in, have it connect to the virtual machine, and capture in monitor mode on that adapter (as I've done when developing and debugging the libpcap support for monitor mode on Linux and FreeBSD).

(12 Mar '12, 14:42) Guy Harris ♦♦

0

There is one way to capture WiFi packets under Windows with Wireshark. You have to install Acrylic WiFi software ( https://www.acrylicwifi.com/en/acrylic-wifi-free/ )

Acrylic WiFi installs an NDIS driver that captures wlan packets and also adds support to wireshark. Once Acrylic is installed you have to start wireshark as Administrator and select your NDIS WiFi interface

answered 10 Mar '14, 15:55

AcrylicWiFi's gravatar image

AcrylicWiFi
91
accept rate: 0%

-1

AFAIR Wireshark (actually, WinPCAP) was never able to capture packets in promiscous (do you actually mean monitor?) mode on Windows. It was even not able to capture from WiFi interface at all for a long time, because "something is wrong with how windows network drivers work" (according to wipcap faq). At that time, every freaking sniffer was able to capture from Wifi interfaces (e.g., CommView) but not WinPCAP based sniffers.

answered 15 Nov '12, 16:47

xpeh's gravatar image

xpeh
-3335
accept rate: 0%

edited 15 Nov '12, 17:08

What the heck? Why -1?

(16 Nov '12, 13:50) xpeh