Wireshark-users: Re: [Wireshark-users] cannot capture packets fromwifirouter(Netgear WNDR3700).

From: Philip Anil-QBW348 <anil.philip@xxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 2 Dec 2011 19:14:17 -0500
Title: RE: [Wireshark-users] cannot capture packets fromwifirouter(Netgear WNDR3700).

That worked!
I did a
sudo airmon-ng start wlan0
and then used wireshark to capture on mon0.
I can see the http packets unencrypted.
Much appreciate your help. Blessings!

Anil


-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx on behalf of Guy Harris
Sent: Thu 12/1/2011 7:02 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] cannot capture packets fromwifirouter(Netgear WNDR3700).


On Dec 1, 2011, at 3:07 PM, Philip Anil-QBW348 wrote:

> I found the command is: sudo stop network-manager
> However, then I cannot connect to the wifi router wirelessly.

Can you capture on the Wi-Fi network?  If so, perhaps the Wi-Fi adapter+driver doesn't support sniffing in monitor mode (which is what you'll need if you want to capture, on your computer, traffic between your phone and the access point) and remaining associated with the network at the same time.

At least according to

        http://www.linuxwireless.org/en/users/Drivers

the driver for your adapter (Intel Centrino Advanced-N 6200 AGN) is the "iwlagn" driver, but according to

        http://intellinuxwireless.org/

it's the "iwlwifi" driver.  I don't see any file with "iwlagn" in its name in any of the Linux source trees, so maybe the "iwlagn" driver is referring to the "iwl-agn.c" file in the iwlwifi driver or something such as that.

Intel's page appears to suggest that the iwlwifi driver uses the mac80211 framework, and the code in the 2.6.32.4 kernel tree seems to suggest so as well.

I got an email from somebody that speaks of NetworkManager turning monitor mode off from an interface which is using "the old wext stuff", which presumably means "using the Wireless Extensions rather than mac80211".  You were using iwconfig, which is, I think, "the old wext stuff".

The page at

        http://www.linuxwireless.org/en/users/Drivers

says the Intel Centrino Advanced-N 6200 AGN adapter and the "iwlagn" driver do *not* support monitor mode.  However, it says all *other* Intel adapters don't support it, either, but there are some references to it in the 2.6.32.4 kernel iwlwifi driver, so perhaps the linuxwireless.org page is not up to date.

You might try using the airmon-ng script:

        http://www.aircrack-ng.org/doku.php?id=airmon-ng

from the aircrack-ng project. Note the "mac80211 drivers monitor mode" section:

        See mac80211 versus ieee80211 stacks for some background information.

        When using the mac80211 version of a driver, the use of airmon-ng and the aircrack-ng tools are slightly different.

        Running:

         airmon-ng start wlan0
        Gives something like:

         Interface   Chipset      Driver

         wlan0      Intel 4965 a/b/g/n   iwl4965 - [phy0]
                  (monitor mode enabled on mon0)

        Notice that it created "mon0". You must then use "mon0" in all the subsequent aircrack-ng tools as the injection interface.

        To remove monitor mode enter:

         airmon-ng stop mon0

If it succeeds in creating a "mon0" interface, try capturing on that.  (Do *NOT* use iwconfig!)

This may allow you to capture traffic in monitor mode while you're still associated with the network (*IF* the hardware and driver support that, and if NetworkManager doesn't "helpfully" turn monitor mode off).  You'd have to restart NetworkManager and then try the airmon-ng script.

If that works, try removing monitor mode with the "airmon-ng stop mon0" command, and then try running Wireshark and checking the "Monitor mode" checkbox when capturing on wlan0.

Let us know whether any of that works.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe