Wireshark-users: Re: [Wireshark-users] Trace wifi

Date: Thu, 6 Dec 2007 09:17:49 +1100
On Dec 5, 2007 6:59 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
> hce wrote:
> > On Dec 5, 2007 2:41 PM, hce <webmail.hce@xxxxxxxxx> wrote:
>
> > My applology, the wireshark-0.99.6 is running on linux FC6. And it is
> > just capturing wifi data on its wifi port (will be required to capture
> > all other traffic as well).
>
> I.e., it's only capturing data frames, not management frames?

I would like to capture every frames including management frames if it works.

Initially, I need to capture data similar to following example:

http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=Network_Join_Nokia_Mobile.pcap

> To capture management frames, you'll have to put the adapter into
> monitor mode.
>
> See
>
>         http://wiki.wireshark.org/CaptureSetup/WLAN#head-bb8373ef4903fe9da2b8375331726541fb1ad32d
>
> for information on putting the adapter into monitor mode.
>
> > The libpcap version I used is libpcap-0.9.4-11.fc6.i386.rpm. How can I
> > check whether this version supports 802.11 or not?
>
> 0.9.4 supports 802.11.

That is good news.

> > I configured with Link-layer header type: Ethernet (it can only select
> > either Ethnernet or Data Over Cable Service Interface) and with
> > Capture packets in promiscuous mode (I tried to turn promiscuous mode
> > off, not work either). The frame only include IEEE 802.3 Ethnernet.
>
> Linux drivers that support monitor mode generally only provide 802.11
> headers in monitor mode.

I'll be happy if I can get 802.11 shown above example in monitor mode.

> > I checked to the document, it says  "This would probably require that
> > you capture in promiscuous mode or in the mode called "monitor mode"
> > or "RFMON mode". Where can I found monitor mode or RFMON mode in
> > Capture Option?
>
> It's not in the (current) Capture Options dialog.  It might get added at
> some point, for at least some adapters on Linux
> ({Free,Net,Open,DragonFly}BSD handle monitor mode a bit more cleanly).
>
> Therefore, you'll have to turn monitor mode on from the command line;
> see the link above for information on how to do that, at least for some
> adapters; what type of 802.11 adapter do you have on your machine?

Dlink DWL-G520 B version, an Atheros based card and running on
madwifi. I checked above link, it does not mention Dlink card. Please
also see following commands to load the wifi module and to configure
the wifi driver. One thing might be missing is to call dpchd after
wpa_supplicant, but I don't know how to do it. In wlanconfig it did
call the monitor for the ath0 port, is it what you mentioned the
monitor mode? I have to say it is my first time to use madwifi and
wireshark to capture 802.11, please correct me any mistake here.

# modprobe ath_pci

# wlanconfig ath0 create wlandev wifi0 wlanmode monitor

# ifconfig ath0 up

# wpa_supplicant -Dwext -iath0 -c /etc/wpa_supplicant.conf &

# wireshark

Thank you.

Kind regards,

Jim