Wireshark-users: Re: [Wireshark-users] monitor mode

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 8 Mar 2013 10:50:24 -0800
On Mar 8, 2013, at 1:15 AM, ilaria cianci <ilaria.cianci@xxxxxxxxx> wrote:

> Hi, 
> 
>      as you suggested , I need to use monitor mode capture option. I set my wlan interface in monitor mode, but when I run
> 
> wireshark -i wlan0 -I -k
> 
> I got this error: The capture session could not be initiated (That device doesn't support monitor mode).
> 
> This is the output of the iwconfig command:
> 
> wlan0     IEEE 802.11abgn  Mode:Monitor  Tx-Power=15 dBm   
>           Retry  long limit:7   RTS thr:off   Fragment thr:off
>           Power Management:off
> 
> I use Ubuntu 12.04

...which, being Debian-based, doesn't build libpcap with libnl-${version}, so it doesn't use the new mac80211 stuff to create a monitor-mode "virtual interface" or whatever the heck they call it, and thus fails on some interfaces.

(Getting libpcap to bypass libnl and talk directly to netlink sockets is on my TODO list.)

Try installing aircrack-ng if it's not already installed; here are instructions for how to do it on Ubuntu 12.04:

	http://www.riyazwalikar.com/2010/12/installing-aircrack-ng-on-ubuntu-1204.html

Then do

	sudo airmon-ng start wlan0

That should create a "mon0" interface.  Try capturing on the "mon0" interface, *without* "-I".  Then, when you're done capturing on that interface, do

	sudo airmon-ng stop mon0

to get rid of the "mon0" interface.