On Jul 12, 2014, at 8:53 AM, Evan Huus <eapache@xxxxxxxxx> wrote:
> Once you can capture cooked packets, capturing "raw" packets (with all the IEEE802.11 headers etc) should be as simple as checking the "monitor mode" box in the capture options dialogue box, assuming your version of Wireshark is recent enough (which 1.10.* should be).
It should be, but, sadly, on Linux, it isn't, for annoying, complicated reasons having to do with libpcap and libnl. It can probably be made so, but that's going to require a fair bit of work on libpcap for Linux, and I haven't had time to do that - and it'll only help on newer versions of various Linux distributions that have picked up a version of libpcap with those changes, once there's an official release with them.
(It's also not sufficient on some versions of BSD, for annoying reasons having to do with those versions of BSD deciding to completely change the way you do monitor mode. The only platform on which it's sufficient is OS X; fortunately, Apple haven't decided to change the way to turn monitor mode on.)
The workaround, for better or worse, is that you need to use airmon-ng in the fashion described in the Linux section of the 6000-word document in question:
http://wiki.wireshark.org/CaptureSetup/WLAN