Wireshark-users: Re: [Wireshark-users] Capturing Wi-Fi traffic to/from Modem

From: GaryT <gary@xxxxxxxx>
Date: Mon, 28 Jul 2014 00:12:56 +1000
Two weeks ago, on 14/07/14 04:08, Guy Harris wrote:

[BIG SNIP]

The problem is probably that dumpcap doesn't have permission to open any interfaces other than the Bluetooth interface; the solution is probably the instructions Evan gave:

Yes, Evan's code worked as he expected.

1. Run "sudo dpkg-reconfigure wireshark-common" and select that Yes, non-superusers should be able to capture packets.
2. Add your user to the "wireshark" group (not sure if there's a UI for this in settings somewhere; if not, use "usermod -a -G wireshark $username", possibly with sudo in front).
3. Log out and back in for that to take effect.

Once you've done that, Wireshark should, on your laptop, show the "any" and "lo" device, and will probably show an "eth0" device for its Ethernet and a device with some other name, perhaps "wlan0", for your Wi-Fi device.

Yes, it did.

After I ran Evan's code, logged out and back, starting Wireshark produced a nice surprise. Suddenly I had a total of seven possible interfaces. The screen showed six columns of values for each interface and from there on everything was GUI. There was no need for any more manual entry. However, I did test it later with manual entry to see what would happen and it produced some surprising results.

I've provided an amount of detail here because you guys are forever helping people and it may assist you to know precisely what happened when I followed your suggestions. The attached text file contains all the interface detail. But, refer only to Part 1 at this stage.


However, once you've done that, the monitor mode checkbox won't necessarily work; you might have to use the airmon-ng steps.  First make sure the aircrack-ng package (which I think Ubuntu offers) is installed, and then, if you have a wlan0 device, do

	sudo airmon-ng start wlan0


It wasn't installed and I had to download it before proceeding.
When I ran 'sudo airmon-ng start wlan0' I was presented with the following message:

   Found 5 processes that could cause trouble
   If airodump-ng, aireplay-ng or airtun-ng stops working after
   a short period of time, you may want to kill (some of) them!

   Then it listed 5 names and PIDs, commencing with
   PID      Name
   966      avahi-daemon

   and ended up with Monitor Mode enabled as you've described here in
   the next few lines.  Chipsets and drivers were different.

It will probably print out something such as

	Interface   Chipset      Driver
	 wlan0      Intel 4965 a/b/g/n   iwl4965 - [phy0]
	          (monitor mode enabled on mon0)
[snip]

The "monitor mode enabled on mon0" means that you must then capture on the "mon0" interface, not on the "wlan0" interface, to capture in monitor mode.

This presents a bit of a dilemma.  You used the words:
     "you must then capture on the 'mon0' interface"

Two scenarios exist now.  Should I:

(a)  Use the GUI screen (as per my initial experience) and enable
     Monitor Mode through that interface.

(b)  Enable Monitor Mode manually
     i.e. sudo airmon-ng start wlan0

They appear to finish up with the same result, EXCEPT, when I start WS after having enabled Monitor Mode manually, it then has an extra interface, Mon0. See attached text file 'interfaces.txt' Part 2.

The screen display shows the interface named 'Mon0' as disabled and you can 'enable' it in the same manner as you do with wlan0. In fact, when experimenting I enabled Monitor Mode (Col 5) on both the Mon0 and wlan0 interfaces. It seems to me that SHOULD NOT have been allowed to happen.

I have captured packets under both wlan0 with Monitor Mode enabled and Mon0 with monitor mode enabled. They appear to have no significant differences but my question is, "which should I use, the Mon0 interface or the wlan0 with monitor mode enabled?"

It may just come down to going with either the GUI or the manual method but whatever the case, shouldn't there be code to prohibit starting up an interface when it is already operating?

At this point I will send these messages, rather than trying to solve problems that might not exist.

Many thanks
GaryT



INTERFACES PART 1
=================

If the laptop is not connected to somewhere via Wi-Fi, wlan0 does not appear. (I 'was' connected on the first attempt.)
When I clicked the mouse on the word "disabled" in column 5, Wireshark opened up an editbox titled "Edit Interface Settings" and it contained all the possible configuration options for wlan0 including setting promiscuous mode, filter options etc.
(more on wlan0 below)


***************************************************************************************************************
Interface             Column 1              Col 2       Col 3        Col 4           Col 5       Col 6
name                  Link Layer Header     Prom Mode   Snaplen[B]   Buffer[MiB]     Mon Mode    Capture Filter
=========             =================     =========   ==========   ===========     =======     ==============
eth0                  Ethernet              enabled     default       2              n/a

wlan0                 Ethernet **           enabled     default       2              disabled
xxx.xxx.x.xx
<mac addr>

bluetooth             Bluetooth HCI UART    enabled     default       2              n/a
                      transport layer 
                      plus pseudo header

nflog                 Linux Netfilter       enabled     default       2              n/a
                      log messages

nfqueue               Raw IPv4              enabled     default       2              n/a

any                   Linux cooked          enabled     default       2              n/a

lo                    Ethernet              enabled     default       2              n/a


**  wlan0 varies according to the situation.
--------------------------------------------
    If I start WS when NOT connected via Wi-Fi, wlan0 does not appear (nor does Bluetooth for that matter).

    When I am connected via Wi-Fi, wlan0 appears, Col 5 defaults to 'disabled' and Col 1 shows 'Ethernet'.
    Also, it displays the IP address and Mac address under the name.

    WHEN I CHANGE Col 5 to 'enabled', Col 1 changes from 'Ethernet' to '802.11 Plus radiotap header'.

****************************************************************************************************************


INTERFACES PART 2
=================

Later, when I started WS after having manually enabled Monitor Mode, the number of available interfaces increased by one and
Mon0 was displayed just below wlan0.  It can be 'enabled' by the same method used on wlan0 and opens a similar editbox.

***************************************************************************************************************
Interface             Column 1              Col 2       Col 3        Col 4           Col 5       Col 6
name                  Link Layer Header     Prom Mode   Snaplen[B]   Buffer[MiB]     Mon Mode    Capture Filter
=========             =================     =========   ==========   ===========     =======     ==============
eth0                  Ethernet              enabled     default       2              n/a

wlan0                 Ethernet              enabled     default       2              disabled
xxx.xxx.x.xx
<mac addr>

Mon0                  802.11 Plus           enabled     default       2              disabled
                      radiotap header

bluetooth             Bluetooth HCI UART    enabled     default       2              n/a
                      transport layer 
                      plus pseudo header

nflog                 Linux Netfilter       enabled     default       2              n/a
                      log messages

nfqueue               Raw IPv4              enabled     default       2              n/a

any                   Linux cooked          enabled     default       2              n/a

lo                    Ethernet              enabled     default       2              n/a

**************************************************************************************************************
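The following is an added example, not part of the thread above and not code from the Wireshark or aircrack-ng projects. It turns the non-root capture setup Guy and Evan describe (the "wireshark" group, the capabilities that dpkg-reconfigure wireshark-common grants to dumpcap, and the "monitor mode enabled on mon0" line from airmon-ng) into a small set of POSIX sh checks. The airmon-ng and getcap output fed to the functions below is constructed to mirror the lines quoted in the thread; the group name "wireshark" and the dumpcap path /usr/bin/dumpcap are the Debian/Ubuntu defaults, and the helper names are this example's own.

```shell
#!/bin/sh
# Added example: offline sanity checks for the non-root Wireshark capture
# setup discussed in the thread. Every function takes the relevant command
# output as a string, so the checks can be exercised on constructed samples
# and then pointed at the live commands (see the usage note).

# Does the space-separated group list (the output of `id -Gn`) contain the
# "wireshark" group that dpkg-reconfigure wireshark-common creates?
in_wireshark_group() {
    for g in $1; do
        [ "$g" = "wireshark" ] && return 0
    done
    return 1
}

# Does the `getcap /usr/bin/dumpcap` line carry both cap_net_admin and
# cap_net_raw? Those are the file capabilities that let group members open
# interfaces without sudo; accepts either order and both libcap syntaxes
# ("= caps+eip" and "caps=eip").
dumpcap_has_caps() {
    case "$1" in
        *cap_net_admin*cap_net_raw*|*cap_net_raw*cap_net_admin*) return 0 ;;
    esac
    return 1
}

# Extract the monitor interface name from airmon-ng output, i.e. the "mon0"
# in "(monitor mode enabled on mon0)". Prints nothing if no such line exists.
monitor_iface_from_airmon() {
    printf '%s\n' "$1" \
        | sed -n 's/.*monitor mode enabled on \([A-Za-z0-9_]*\)).*/\1/p' \
        | head -n 1
}

# Extract the N from "Found N processes that could cause trouble"; prints
# nothing when airmon-ng did not complain.
airmon_trouble_count() {
    printf '%s\n' "$1" \
        | sed -n 's/^ *Found \([0-9][0-9]*\) processes that could cause trouble.*/\1/p' \
        | head -n 1
}

# Apply Guy's rule: if airmon-ng created a monitor interface, capture on it;
# otherwise fall back to the managed interface ($2, e.g. wlan0).
choose_capture_iface() {
    mon=$(monitor_iface_from_airmon "$1")
    if [ -n "$mon" ]; then
        printf '%s\n' "$mon"
    else
        printf '%s\n' "$2"
    fi
}

# --- Constructed sample output, modelled on the lines quoted in the thread ---
SAMPLE_AIRMON='Found 5 processes that could cause trouble
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
PID      Name
966      avahi-daemon

Interface   Chipset      Driver
 wlan0      Intel 4965 a/b/g/n   iwl4965 - [phy0]
          (monitor mode enabled on mon0)'
SAMPLE_GETCAP='/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip'
SAMPLE_GROUPS='gary adm cdrom sudo wireshark'

# Run the checks against the constructed samples and report.
in_wireshark_group "$SAMPLE_GROUPS" \
    && echo "group: user is in wireshark group" \
    || echo "group: user is NOT in wireshark group (log out and back in?)"
dumpcap_has_caps "$SAMPLE_GETCAP" \
    && echo "caps: dumpcap has cap_net_admin,cap_net_raw" \
    || echo "caps: dumpcap lacks capabilities (re-run dpkg-reconfigure wireshark-common)"
echo "airmon: $(airmon_trouble_count "$SAMPLE_AIRMON") interfering processes reported"
echo "capture on: $(choose_capture_iface "$SAMPLE_AIRMON" wlan0)"
```

To use it on a real machine, replace the constructed strings with live output, e.g. `in_wireshark_group "$(id -Gn)"`, `dumpcap_has_caps "$(getcap /usr/bin/dumpcap)"` and `choose_capture_iface "$(sudo airmon-ng start wlan0 2>&1)" wlan0`. The capability check is the one that answers the original symptom in the thread (only the Bluetooth interface being visible): if dumpcap lacks cap_net_raw, group membership alone will not let it open wlan0.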