Wireshark-users: Re: [Wireshark-users] Capturing Wi-Fi traffic to/from Modem

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 27 Jul 2014 12:37:10 -0700
On Jul 27, 2014, at 7:12 AM, GaryT <gary@xxxxxxxx> wrote:

> Two scenarios exist now.  Should I:
> 
> (a)  Use the GUI screen (as per my initial experience) and enable
>     Monitor Mode through that interface.
> 
> (b)  Enable Monitor Mode manually
>     i.e. sudo airmon-ng start wlan0

Do (c), and then capture on the interface named "mon0", *without* doing anything to monitor mode on that interface in the GUI.

> They appear to finish up with the same result, EXCEPT, when I start WS after having enabled Monitor Mode manually, it then has an extra interface, Mon0.

Yes, that is *exactly* what should happen if you enable monitor mode manually.

> The screen display shows the interface named 'Mon0' as disabled and you can 'enable' it in the same manner as you do with wlan0.  In fact, when experimenting I enabled Monitor Mode (Col 5) on both the Mon0 and wlan0 interfaces. It seems to me that SHOULD NOT have been allowed to happen.

If we lived in a universe in which OS vendors provided reasonably simple, straightforward, and clean mechanisms by which programs could enable monitor mode on Wi-Fi interfaces, I would be very happy.

Sadly, we do not live in such a universe, which is why I had to write close to 1300 lines of code to do that on Linux...

...and, for interfaces with "modern" drivers ("mac80211" drivers), did so atop libnl, a library that has been through three count 'em three incompatible major versions, such that if libpcap is linked with one version and an application using libpcap is linked with another version, that application crashes, meaning that few if any Linux distributions ship a version of libpcap built with libnl, meaning that few if any Linux distributions allow Wireshark to automatically use the best mechanism for turning monitor mode on.

(Essentially, libpcap, *if* built with libnl, will use the same mechanism airmon-ng uses, which is adapter-independent, so it doesn't have to know the particular ugly set of operations to turn monitor mode on for the particular interface's driver, *and* somehow, I think, manages to keep some annoying daemon processes from "helpfully" turning monitor mode on, because the "wlan0" interface doesn't have it turned on, the "mon0" interface has it turned on, even though they're just two names that ultimately refer to the same physical device.)

> It may just come down to going with either the GUI or the manual method but whatever the case, shouldn't there be code to prohibit starting up an interface when it is already operating.

It would be nice if there were code to do that.  It would be nice if somebody who knows enough to write that code had time to do so....
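The procedure recommended above (turn monitor mode on outside Wireshark, then capture on the monitor-mode name and leave the GUI's monitor-mode column alone) as an added example; this is not code from the thread or from the Wireshark project. It parses `iw dev` output to find the monitor-mode interface that shares a phy with the managed one, so the capture never toggles monitor mode itself, and it refuses to run if no such interface exists. The `iw dev` text embedded below is constructed to look like the two-names-one-phy situation the reply describes; the function names, the interface name `wlan0` and the use of `dumpcap` are assumptions. Newer aircrack-ng releases rename the interface (for example to `wlan0mon`) instead of adding a separate `mon0`; the function also accepts that case by returning the named interface when it is itself in monitor mode.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or Wireshark itself.
# Assumes: `iw dev` output in its usual layout, a monitor interface created by
# `sudo airmon-ng start wlan0`, and dumpcap (shipped with Wireshark) on PATH.

# Constructed sample of `iw dev` output: wlan0 (managed) and mon0 (monitor)
# are two names for the same physical device, phy#0.
SAMPLE_IW_DEV='phy#0
	Interface mon0
		ifindex 4
		wdev 0x2
		addr 00:11:22:33:44:55
		type monitor
	Interface wlan0
		ifindex 3
		wdev 0x1
		addr 00:11:22:33:44:55
		ssid HomeNet
		type managed
		channel 6 (2437 MHz), width: 20 MHz, center1: 2437 MHz'

# monitor_iface_for IFACE IW_DEV_TEXT
# Prints the monitor-mode interface to capture on for IFACE: IFACE itself if
# it is already type monitor, otherwise a monitor-type interface on the same
# phy. Exits 1 (prints nothing) if IFACE is unknown or no such interface exists.
monitor_iface_for() {
    want=$1
    printf '%s\n' "$2" | awk -v want="$want" '
        /^phy#/            { phy = $1 }                      # new phy block
        $1 == "Interface"  { cur = $2; phyof[cur] = phy }    # interface under that phy
        $1 == "type"       { itype[cur] = $2 }               # managed / monitor / ...
        END {
            if (!(want in phyof)) exit 1
            if (itype[want] == "monitor") { print want; exit 0 }
            found = 0
            for (i in phyof)
                if (i != want && phyof[i] == phyof[want] && itype[i] == "monitor") {
                    print i; found = 1
                }
            if (!found) exit 1
        }'
}

# capture_on_monitor IFACE OUTFILE
# Captures on the monitor-mode twin of IFACE. Deliberately does NOT pass -I to
# dumpcap: monitor mode was turned on by airmon-ng, and this must not try to
# turn it on again on either name.
capture_on_monitor() {
    mon=$(monitor_iface_for "$1" "$(iw dev 2>/dev/null)") || {
        echo "no monitor-mode interface for $1; run: sudo airmon-ng start $1" >&2
        return 1
    }
    echo "capturing on $mon (monitor mode already enabled by airmon-ng)" >&2
    dumpcap -i "$mon" -w "$2"
}

# Demonstration against the constructed sample (no root, no real adapter).
echo "monitor interface for wlan0 in sample: $(monitor_iface_for wlan0 "$SAMPLE_IW_DEV")"
```

On a real machine the sequence is `sudo airmon-ng start wlan0`, then `capture_on_monitor wlan0 capture.pcapng`; the script never touches monitor mode on `wlan0`, which is the GUI-column mistake the reply warns against.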