Wireshark-users: Re: [Wireshark-users] Capturing Wi-Fi traffic to/from Modem

From: Evan Huus <eapache@xxxxxxxxx>
Date: Sun, 13 Jul 2014 08:47:58 -0400
On Sun, Jul 13, 2014 at 12:47 AM, GaryT <gary@xxxxxxxx> wrote:
Big thank you, Evan.

On 13/07/14 01:53, Evan Huus wrote:
[BIG SNIP]


First step is to be able to use the wifi to e.g. browse the web; it's not
clear from your email if that's even the case. If that's already working,

I have full use of the laptop, full access to the Net, can download, upload, view videos etc.  Have tested the connection with the wife viewing a video on her Samsung Tablet as I was doing the same on the laptop.  Different videos from different locations. I'm happy with the way it works except for the absence of interfaces.  Initially there was Bluetooth and nothing else. Now that I've turned off BT there are no interfaces from which to select.


then capturing "cooked" packets (with all the IEEE802.11 headers,
encryption, etc. stripped and replaced with fake ethernet headers) should
be as simple as pointing Wireshark at your wlan0 interface. If Wireshark
doesn't display any wlan* interfaces even though you have working wifi,
that's *weird* and possibly a bug.

It's nice to know there "should be" an interface.  At least I know now that something really odd is happening.  However, I have a feeling the answer might be contained in that doc I mentioned; it gets into the nitty-gritty. http://wiki.wireshark.org/CaptureSetup/WLAN#Linux


Do you have sufficient permissions to view those interfaces? If you just

It's my laptop, my Wi-Fi capable cable modem, my home office, I have all the authority I need, Evan.  Nobody else has any access to it.

However, seriously I wonder whether I'm actually using Wireshark as root on this desktop unit. I remember reading some deep and meaningful discussion about the subject and apparently there is a potential security issue running WS as root from a terminal; all I do is click the Wireshark icon in the System Tools menu. Frankly I don't know whether I'm running it as root or not!  Haven't given it any serious thought until now.   Comment??

That's almost certainly the issue then.
 
installed the default Wireshark (which is actually inherited from Debian,
so Canonical doesn't have much to do with it) then normal users aren't
given permission to capture packets by default. You should follow the
instructions in [1] to give regular users permission to capture packets.

Have downloaded that page [1], made a PDF.  Will read it and hopefully something will gel.... but the old brain is not nimble any more.
 
I believe the short version is:

1. Run "sudo dpkg-reconfigure wireshark-common" and select that Yes, non-superusers should be able to capture packets.
2. Add your user to the "wireshark" group (not sure if there's a UI for this in settings somewhere; if not, use "usermod -a -G wireshark $username", possibly with sudo in front).
3. Log out and back in for that to take effect.

Once you can capture cooked packets, capturing "raw" packets (with all the
IEEE802.11 headers etc) should be as simple as checking the "monitor mode"
box in the capture options dialogue box, assuming your version of Wireshark
is recent enough (which 1.10.* should be).

For this bit I had to turn on Bluetooth in order to get an interface list on the screen.

There is a column titled 'Mon. Mode' (presumably monitor mode), and in that column (against Bluetooth) it shows n/a (i.e. not applicable).

On that same note, my desktop Wireshark v1.11.0 where I'm writing this also shows n/a in the Mon.Mode column of ALL three available interfaces.  They are:

eth0            Interface to the big wide Ethernet world.
any             I don't know what "any" would be
lo  127.0.0.1   The loopback

When running I capture only on eth0.

So, a Question:
Can I assume that the n/a means not applicable ONLY because the interfaces I have on this desktop unit are not IEEE802.11?

Yup.

But, the laptop also has its Mon. Mode column marked n/a against Bluetooth.  Doesn't BT come under IEEE802.11??  Should it not allow or enable me to select Mon. Mode?

No idea, but it seems reasonable to me that it's wifi-only. Guy might have a better explanation. As Guy pointed out in his reply anyways, that method doesn't work on Linux unfortunately.
 
Evan, I had gone through much of this on my own before writing my first post.  I believe it's possible the laptop might be to blame; that's why I included the details.  The Capture Setup document makes reference to cards and drivers, but when reading that doc I encountered many terms, acronyms and other stuff that was completely foreign to me.
That's where/why I need help, guidance, hand holding etc.

Many thanks for helping.
GaryT
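As an added example that is not part of this thread, a POSIX shell check for the three steps Evan lists (membership of the wireshark group, and the capabilities dpkg-reconfigure wireshark-common grants to dumpcap), which is what lets the Wireshark GUI run unprivileged while only dumpcap is privileged. It assumes the Debian path /usr/bin/dumpcap and getcap output in either of the two libcap spellings shown in the comments.

```shell
#!/bin/sh
# Added example, not from the thread: verify that the Debian/Ubuntu non-root
# capture setup (dpkg-reconfigure wireshark-common + wireshark group) is in
# effect, so Wireshark itself never has to run as root; only dumpcap is
# privileged. Assumptions: dumpcap is /usr/bin/dumpcap and, as the Debian
# package does, it gets cap_net_raw,cap_net_admin via setcap (not setuid).

# in_wireshark_group "GROUPS": GROUPS is the space-separated output of `id -nG`.
in_wireshark_group() {
    case " $1 " in
        *" wireshark "*) return 0 ;;
        *)               return 1 ;;
    esac
}

# dumpcap_has_caps "GETCAP_LINE": true when both capabilities are present in
# the effective set. Accepts both getcap spellings:
#   "/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip"  (older libcap)
#   "/usr/bin/dumpcap cap_net_admin,cap_net_raw=eip"    (newer libcap)
dumpcap_has_caps() {
    line=$1
    case "$line" in *cap_net_admin*) ;; *) return 1 ;; esac
    case "$line" in *cap_net_raw*)   ;; *) return 1 ;; esac
    flags=${line##*[+=]}      # flag letters after the last '+' or '='
    case "$flags" in *e*) return 0 ;; *) return 1 ;; esac
}

# capture_setup_status "GROUPS" "GETCAP_LINE": prints whatever is still
# missing; returns 0 only when this user can capture without root after a
# fresh login.
capture_setup_status() {
    ok=0
    in_wireshark_group "$1" ||
        { echo "user not in the wireshark group: usermod -a -G wireshark USER, then log out and in"; ok=1; }
    dumpcap_has_caps "$2" ||
        { echo "dumpcap lacks cap_net_raw,cap_net_admin: sudo dpkg-reconfigure wireshark-common"; ok=1; }
    [ "$ok" -eq 0 ] && echo "non-root capture is set up"
    return "$ok"
}

# Live check on a real machine; skipped where dumpcap or getcap is absent.
if [ -x /usr/bin/dumpcap ] && command -v getcap >/dev/null 2>&1; then
    if capture_setup_status "$(id -nG)" "$(getcap /usr/bin/dumpcap)"; then :; fi
fi
```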