Discussion:
Wireshark Bluetooth
Paul Raine
2014-07-08 20:35:33 UTC
Does anyone know if it's still possible to capture Bluetooth packets using
Wireshark?

- and if so what version of Linux, Wireshark and Libpcap do I need?



___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users-IZ8446WsY0/***@public.gmane.org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request-IZ8446WsY0/***@public.gmane.org?subject=unsubscribe
Guy Harris
2014-07-08 23:57:33 UTC
Post by Paul Raine
Does anyone know if it's still possible to capture Bluetooth packets using
Wireshark?
If you mean "capturing third-party Bluetooth traffic" - i.e., traffic other than that sent by and received by your machine - that's possible only with hardware such as Ubertooth:

http://ubertooth.sourceforge.net

If you mean "capturing traffic sent by and received by the machine running Wireshark", I know of no reason why it would have *stopped* being possible.
Post by Paul Raine
- and if so what version of Linux, Wireshark and Libpcap do I need?
See

http://wiki.wireshark.org/CaptureSetup/Bluetooth

for information on the kernel and libpcap.

From

http://wiki.wireshark.org/CaptureSetup/Bluetooth?action=recall&rev=18

(which is an old page) support for dissecting those captures dates back to at least 2011, so Wireshark 1.6.0 might have been the first release with dissection support to go with the capture support - if not, 1.8.0 probably handles it.
Guy Harris
2014-07-11 22:23:08 UTC
GaryT
2014-07-12 15:40:32 UTC
On my desktop I have Wireshark Version 1.11.0 running on Linux
2.6.32-55-generic.

I'm slowly moving over to a laptop which of course is Wireless.

The Laptop is:
ThinkPad R500
Core 2 Duo P8400
2.26 GHz
2048MB RAM
BIOS V207 (Feb 2009)

Have loaded the default Canonical Wireshark (v1.10.6 from master-1.10)
onto the laptop and found it was monitoring only Bluetooth, and of
course, it captured no packets. There was no option to monitor Wi-Fi
traffic. Big lesson #1. It's not that simple.

Generally I'm interested only in the traffic to/from the wireless modem
(i.e. Internet). Have now switched off Bluetooth, because I don't use it.
I'd also like to know a bit about how to detect and protect from rogue
wireless attacks, if that's at all relevant.

Notwithstanding all that, I want to maintain the capability of
connecting the laptop to my big monitor with perhaps a short Ethernet
cable to the modem. That may be a whole new discussion but learn I must.

Searched and found a 6000 word document on the Wireshark.Org site...


WLAN (IEEE 802.11) capture setup
--------------------------------
The following will explain capturing on 802.11 wireless networks (WLAN).


By the time I read halfway through that doc the old head was spinning.
So many things to consider, so many options and possibilities for
someone whose knowledge of Wi-Fi is about as solid as his knowledge of
the atmosphere on Mars. Memorising, even understanding that overall
flow chart is beyond my current capability.

I need help to discover the card and drivers etc on the laptop and
someone (or some folks) to hold my hand and show me how to:

(1)
identify and obtain the correct version of Wireshark
(Perhaps the current v1.10.6 is enough)

(2)
identify the Laptop card and drivers etc in order to determine how to
get Wireshark capturing 802.11 packets.

From that (above) document I'm aware of many snippets of info, for example:

[The "monitor mode enabled on mon0" means that you must then capture on
the "mon0" interface, not on the "wlan0" interface, to capture in
monitor mode. To turn monitor mode off, you would use a command such as
sudo airmon-ng stop mon0, not sudo airmon-ng stop wlan0.]

But, learning them all, understanding them and applying them in the
right order is beyond the capacity of this tired old brain.
I can drive nails, as a younger man I designed software for many years
but this little house will be built from strange new materials.

Greatly appreciate any help, pointers, comments.
Wouldn't it be terrific if someone wrote, "All you need to do is..."
GaryT
Evan Huus
2014-07-12 15:53:53 UTC
Post by GaryT
On my desktop I have Wireshark Version 1.11.0 running on Linux
2.6.32-55-generic.
I'm slowly moving over to a laptop which of course is Wireless.
ThinkPad R500
Core 2 Duo P8400
2.26 GHz
2048MB RAM
BIOS V207 (Feb 2009)
Have loaded the default Canonical Wireshark (v1.10.6 from master-1.10)
onto the laptop and found it was monitoring only Bluetooth, and of course,
it captured no packets. There was no option to monitor Wi-Fi traffic. Big
lesson #1. It's not that simple.
Generally I'm interested only in the traffic to/from the wireless modem
(i.e. Internet). Have now switched off Bluetooth, because I don't use it.
I'd also like to know a bit about how to detect and protect from rogue
wireless attacks, if that's at all relevant.
Notwithstanding all that, I want to maintain the capability of connecting
the laptop to my big monitor with perhaps a short Ethernet cable to the
modem. That may be a whole new discussion but learn I must.
Searched and found a 6000 word document on the Wireshark.Org site...
WLAN (IEEE 802.11) capture setup
--------------------------------
The following will explain capturing on 802.11 wireless networks (WLAN).
By the time I read halfway through that doc the old head was spinning. So
many things to consider, so many options and possibilities for someone
whose knowledge of Wi-Fi is about as solid as his knowledge of the
atmosphere on Mars. Memorising, even understanding that overall flow chart
is beyond my current capability.
I need help to discover the card and drivers etc on the laptop and someone
(1)
identify and obtain the correct version of Wireshark
(Perhaps the current v1.10.6 is enough)
It should be.
Post by GaryT
(2)
identify the Laptop card and drivers etc in order to determine how to get
Wireshark capturing 802.11 packets.
First step is to be able to use the wifi to e.g. browse the web; it's not
clear from your email if that's even the case. If that's already working,
then capturing "cooked" packets (with all the IEEE802.11 headers,
encryption, etc. stripped and replaced with fake ethernet headers) should
be as simple as pointing Wireshark at your wlan0 interface. If Wireshark
doesn't display any wlan* interfaces even though you have working wifi,
that's *weird* and possibly a bug.

Do you have sufficient permissions to view those interfaces? If you just
installed the default Wireshark (which is actually inherited from Debian,
so Canonical doesn't have much to do with it) then normal users aren't
given permission to capture packets by default. You should follow the
instructions in [1] to give regular users permission to capture packets.

Once you can capture cooked packets, capturing "raw" packets (with all the
IEEE802.11 headers etc) should be as simple as checking the "monitor mode"
box in the capture options dialogue box, assuming your version of Wireshark
is recent enough (which 1.10.* should be).

[1]
http://anonscm.debian.org/viewvc/collab-maint/ext-maint/wireshark/trunk/debian/README.Debian?view=markup
Post by GaryT
[The "monitor mode enabled on mon0" means that you must then capture on
the "mon0" interface, not on the "wlan0" interface, to capture in monitor
mode. To turn monitor mode off, you would use a command such as sudo
airmon-ng stop mon0, not sudo airmon-ng stop wlan0.]
But, learning them all, understanding them and applying them in the right
order is beyond the capacity of this tired old brain.
I can drive nails, as a younger man I designed software for many years but
this little house will be built from strange new materials.
Greatly appreciate any help, pointers, comments.
Wouldn't it be terrific if someone wrote, "All you need to do is..."
GaryT
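The cooked-versus-raw distinction Evan describes is recorded in the capture file itself: a classic pcap's 24-byte global header carries the link-layer type, so a quick header check tells whether a saved capture holds fake-Ethernet frames or raw 802.11 frames (and therefore whether monitor mode actually took effect). The script below is an added example, not part of the thread or of Wireshark; the two sample pcap headers it writes are constructed inside the script, and the link-type numbers are the standard libpcap LINKTYPE_ values.

```shell
#!/bin/sh
# Added example (not from the thread or Wireshark): read the link-layer type
# from a pcap global header and say whether the capture is "cooked" (Ethernet)
# or raw 802.11 (monitor mode). Needs only sh, printf and od.

# Write a constructed 24-byte pcap global header (no packets) to $1 with link
# type $2 (0-255 is enough here) in byte order $3 ("le" or "be").
make_pcap_header() {
    if [ "$3" = "le" ]; then
        # magic d4c3b2a1, version 2.4, thiszone 0, sigfigs 0, snaplen 65535
        printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000' > "$1"
        printf "\\$(printf '%03o' "$2")\\000\\000\\000" >> "$1"
    else
        # same header, big-endian (magic a1b2c3d4)
        printf '\241\262\303\324\000\002\000\004\000\000\000\000\000\000\000\000\000\000\377\377' > "$1"
        printf "\\000\\000\\000\\$(printf '%03o' "$2")" >> "$1"
    fi
}

# Print the link-layer type stored at offset 20 of pcap file $1, honouring the
# byte order announced by the magic number. Fails on anything that is not a
# classic pcap header (pcapng files start with 0a0d0d0a and are not handled).
pcap_linktype() {
    set -- $(od -An -tu1 -v -N24 "$1")
    [ $# -eq 24 ] || { echo "short or unreadable header" >&2; return 1; }
    case "$1 $2 $3 $4" in
        "212 195 178 161"|"77 60 178 161")   # d4c3b2a1 / 4d3cb2a1 (nanosecond): little-endian
            echo $(( ${21} + ${22} * 256 + ${23} * 65536 + ${24} * 16777216 )) ;;
        "161 178 195 212"|"161 178 60 77")   # a1b2c3d4 / a1b23c4d: big-endian
            echo $(( ${24} + ${23} * 256 + ${22} * 65536 + ${21} * 16777216 )) ;;
        *)
            echo "not a pcap file (magic bytes $1 $2 $3 $4)" >&2; return 1 ;;
    esac
}

# Human-readable meaning of the link types this thread is about.
describe_linktype() {
    case "$1" in
        1)       echo "Ethernet: cooked frames, 802.11 headers replaced by fake Ethernet headers" ;;
        105)     echo "IEEE 802.11: raw frames (monitor mode)" ;;
        127)     echo "IEEE 802.11 plus radiotap header: raw frames with radio metadata (monitor mode)" ;;
        187|201) echo "Bluetooth HCI H4: host/controller traffic, not 802.11 at all" ;;
        *)       echo "link type $1 (see the libpcap LINKTYPE_ list)" ;;
    esac
}

# Succeeds if the capture holds raw 802.11 frames, i.e. monitor mode took effect.
pcap_is_raw_80211() {
    case "$(pcap_linktype "$1")" in
        105|127) return 0 ;;
        *)       return 1 ;;
    esac
}

# Build two constructed sample files and classify them.
tmpdir=$(mktemp -d)
make_pcap_header "$tmpdir/cooked.pcap" 1 le
make_pcap_header "$tmpdir/monitor.pcap" 127 be
for f in "$tmpdir/cooked.pcap" "$tmpdir/monitor.pcap"; do
    lt=$(pcap_linktype "$f") && echo "$f: link type $lt -> $(describe_linktype "$lt")"
done
rm -rf "$tmpdir"
```

To check a real capture, call `pcap_linktype /path/to/file.pcap`; a result of 1 on a file captured from wlan0 means the driver handed Wireshark cooked frames, and 105 or 127 means the frames are raw 802.11.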
Guy Harris
2014-07-12 23:40:11 UTC
Once you can capture cooked packets, capturing "raw" packets (with all the IEEE802.11 headers etc) should be as simple as checking the "monitor mode" box in the capture options dialogue box, assuming your version of Wireshark is recent enough (which 1.10.* should be).
It should be, but, sadly, on Linux, it isn't, for annoying complicated reasons having to do with libpcap and libnl. It can probably be made so, but that's going to require a fair bit of work on libpcap for Linux, and I haven't had time to do that - and it'll only help on newer versions of various Linux distributions that have picked up a version of libpcap with those changes, once there's an official release with them.

(It's also not sufficient on some versions of BSD, for annoying reasons having to do with those versions of BSD deciding to completely change the way you do monitor mode. The only platform on which it's sufficient is OS X; fortunately, Apple haven't decided to change the way to turn monitor mode on.)

The workaround, for better or worse, is that you need to use airmon-ng in the fashion described in the Linux section of the 6000-word document in question:

http://wiki.wireshark.org/CaptureSetup/WLAN
GaryT
2014-07-13 04:47:01 UTC
Big thank you, Evan.

On 13/07/14 01:53, Evan Huus wrote:
[BIG SNIP]
Post by Evan Huus
First step is to be able to use the wifi to e.g. browse the web; it's not
clear from your email if that's even the case. If that's already working,
I have full use of the laptop, full access to the Net, can download,
upload, view videos etc. Have tested the connection with the wife
viewing a video on her Samsung Tablet as I was doing the same on the
laptop. Different videos from different locations. I'm happy with the
way it works except for the absence of interfaces. Initially there was
Bluetooth and nothing else. Now that I've turned off BT there are no
interfaces from which to select.
Post by Evan Huus
then capturing "cooked" packets (with all the IEEE802.11 headers,
encryption, etc. stripped and replaced with fake ethernet headers) should
be as simple as pointing Wireshark at your wlan0 interface. If Wireshark
doesn't display any wlan* interfaces even though you have working wifi,
that's *weird* and possibly a bug.
It's nice to know there "should be" an interface. At least I know now
that something really odd is happening. However, I have a feeling the
answer might be contained in that doc I mentioned; it gets into the
nitty gritty. http://wiki.wireshark.org/CaptureSetup/WLAN#Linux
Post by Evan Huus
Do you have sufficient permissions to view those interfaces? If you just
It's my laptop, my Wi-Fi capable cable modem, my home office, I have all
the authority I need Evan. Nobody else has any access to it.

However, seriously I wonder whether I'm actually using Wireshark as root
on this desktop unit. I remember reading some deep and meaningful
discussion about the subject and apparently there is a potential
security issue running WS as root from a terminal; all I do is click the
Wireshark icon in the System Tools menu. Frankly I don't know whether
I'm running it as root or not! Haven't given it any serious thought
until now. Comment??
Post by Evan Huus
installed the default Wireshark (which is actually inherited from Debian,
so Canonical doesn't have much to do with it) then normal users aren't
given permission to capture packets by default. You should follow the
instructions in [1] to give regular users permission to capture packets.
Have downloaded that page [1], made a PDF. Will read it and hopefully
something will gel.... but the old brain is not nimble any more.
Post by Evan Huus
Once you can capture cooked packets, capturing "raw" packets (with all the
IEEE802.11 headers etc) should be as simple as checking the "monitor mode"
box in the capture options dialogue box, assuming your version of Wireshark
is recent enough (which 1.10.* should be).
For this bit I had to turn on Bluetooth in order to get an interface
list on the screen.

There is a column titled 'Mon. Mode' (presumably monitor mode), and in
that column (against Bluetooth) it shows n/a (i.e. not applicable).

On that same note, my desktop Wireshark v1.11.0 where I'm writing this
also shows n/a in the Mon.Mode column of ALL the three available
interfaces. They are:

eth0 Interface to the big wide Ethernet world.
any I don't know what "any" would be
lo 127.0.0.1 The loopback

When running I capture only on eth0.

So, a Question:
Can I assume that the n/a means not applicable ONLY because the
interfaces I have on this desktop unit are not IEEE802.11 ?

But, the laptop also has its Mon. Mode column marked n/a against
Bluetooth. Doesn't BT come under IEEE802.11 ?? Should it not allow
or enable me to select Mon. Mode?

Evan, I had gone through much of this on my own before writing my first
post. I believe it's possible the Laptop might be to blame, that's why
I included the details. The capture Setup document makes reference to
cards and drivers but when reading that doc I encountered many terms,
acronyms and other stuff that was completely foreign to me.
That's where/why I need help, guidance, hand holding etc.

Many thanks for helping.
GaryT
Evan Huus
2014-07-13 12:47:58 UTC
Post by GaryT
Big thank you, Evan.
[BIG SNIP]
Post by Evan Huus
First step is to be able to use the wifi to e.g. browse the web; it's not
clear from your email if that's even the case. If that's already working,
I have full use of the laptop, full access to the Net, can download,
upload, view videos etc. Have tested the connection with the wife viewing
a video on her Samsung Tablet as I was doing the same on the laptop.
Different videos from different locations. I'm happy with the way it works
except for the absence of interfaces. Initially there was Bluetooth and
nothing else. Now that I've turned off BT there are no interfaces from
which to select.
Post by Evan Huus
then capturing "cooked" packets (with all the IEEE802.11 headers,
encryption, etc. stripped and replaced with fake ethernet headers) should
be as simple as pointing Wireshark at your wlan0 interface. If Wireshark
doesn't display any wlan* interfaces even though you have working wifi,
that's *weird* and possibly a bug.
It's nice to know there "should be" an interface. At least I know now
that something really odd is happening. However, I have a feeling the
answer might be contained in that doc I mentioned; it gets into the nitty
gritty. http://wiki.wireshark.org/CaptureSetup/WLAN#Linux
Do you have sufficient permissions to view those interfaces? If you just
It's my laptop, my Wi-Fi capable cable modem, my home office, I have all
the authority I need Evan. Nobody else has any access to it.
However, seriously I wonder whether I'm actually using Wireshark as root
on this desktop unit. I remember reading some deep and meaningful
discussion about the subject and apparently there is a potential security
issue running WS as root from a terminal; all I do is click the Wireshark
icon in the System Tools menu. Frankly I don't know whether I'm running it
as root or not! Haven't given it any serious thought until now. Comment??
That's almost certainly the issue then.
Post by GaryT
Post by Evan Huus
installed the default Wireshark (which is actually inherited from Debian,
so Canonical doesn't have much to do with it) then normal users aren't
given permission to capture packets by default. You should follow the
instructions in [1] to give regular users permission to capture packets.
Have downloaded that page [1], made a PDF. Will read it and hopefully
something will gel.... but the old brain is not nimble any more.
I believe the short version is:

1. Run "sudo dpkg-reconfigure wireshark-common" and select that Yes,
non-superusers should be able to capture packets.
2. Add your user to the "wireshark" group (not sure if there's a UI for
this in settings somewhere, if not, use "usermod -a -G wireshark
$username", possibly with sudo in front).
3. Log out and back in for that to take effect.
Post by GaryT
Post by Evan Huus
Once you can capture cooked packets, capturing "raw" packets (with all the
IEEE802.11 headers etc) should be as simple as checking the "monitor mode"
box in the capture options dialogue box, assuming your version of Wireshark
is recent enough (which 1.10.* should be).
For this bit I had to turn on Bluetooth in order to get an interface list
on the screen.
There is a column titled 'Mon. Mode' (presumably monitor mode), and in
that column (against Bluetooth) it shows n/a (i.e. not applicable).
On that same note, my desktop Wireshark v1.11.0 where I'm writing this
also shows n/a in the Mon.Mode column of ALL the three available
eth0 Interface to the big wide Ethernet world.
any I don't know what "any" would be
lo 127.0.0.1 The loopback
When running I capture only on eth0.
Can I assume that the n/a means not applicable ONLY because the interfaces
I have on this desktop unit are not IEEE802.11 ?
Yup.

Post by GaryT
But, the laptop also has its Mon. Mode column marked n/a against Bluetooth.
Doesn't BT come under IEEE802.11 ?? Should it not allow or enable me
to select Mon. Mode?
No idea, but it seems reasonable to me that it's wifi-only. Guy might have
a better explanation. As Guy pointed out in his reply anyways, that method
doesn't work on Linux unfortunately.
Post by GaryT
Evan, I had gone through much of this on my own before writing my first
post. I believe it's possible the Laptop might be to blame, that's why I
included the details. The capture Setup document makes reference to cards
and drivers but when reading that doc I encountered many terms, acronyms
and other stuff that was completely foreign to me.
That's where/why I need help, guidance, hand holding etc.
Many thanks for helping.
GaryT
GaryT
2014-07-13 17:53:57 UTC
[SNIP]
Post by Evan Huus
Post by GaryT
However, seriously I wonder whether I'm actually using Wireshark as root
on this desktop unit. I remember reading some deep and meaningful
discussion about the subject and apparently there is a potential security
issue running WS as root from a terminal; all I do is click the Wireshark
icon in the System Tools menu. Frankly I don't know whether I'm running it
as root or not! Haven't given it any serious thought until now. Comment??
That's almost certainly the issue then.
Evan, I think it was my fault for bringing into the discussion a
comparison with my WS v1.11.0 on the desktop. When you wrote that line
I think you were referring to the Wi-Fi on the laptop but I also think
it might apply to both machines.

I have a somewhat decayed memory and often it needs a jolt to catch up
with the world. Just now I had a look at my (desktop unit) users and
groups and found my initial setup; a thing that is never changed and
thought about even less frequently. I had completely forgotten it
existed. I discovered that when setting up I gave myself a limited set
of privileges; also I always have to enter the administrator password in
order to do anything dangerous. I remember at the time concluding it
would be fairly safe.

Does that mean I must give myself a similar set of privileges on the
laptop and make sure I'm able for example to "connect to wireless and
Ethernet networks" and so on?

I haven't been into that part of the current Ubuntu, because I can't
find anything. Why people have to make changes for change's sake is
beyond me. I'm using 10.04 on the desktop and the laptop has the latest
(v14.??) It wastes SO MUCH time learning where things are and then in
my case, remembering it as well!

It's nearly 4.00am here and I have to crash. I have a half written
message to Guy to go but the body is quitting.
Thanks muchly
GT
GaryT
2014-07-27 14:11:41 UTC
[BIG SNIP]
Post by Evan Huus
Post by GaryT
Have downloaded that page [1], made a PDF. Will read it and hopefully
something will gel.... but the old brain is not nimble any more.
1. Run "sudo dpkg-reconfigure wireshark-common" and select that Yes,
non-superusers should be able to capture packets.
2. Add your user to the "wireshark" group (not sure if there's a UI for
this in settings somewhere, if not, use "usermod -a -G wireshark
$username", possibly with sudo in front).
3. Log out and back in for that to take effect.
It worked, Evan.
First attempt something went wrong, probably typing. Then a couple of
days later I tried again and it worked.
Then I had to drop it again until today.

See my next post re: events that followed - also see text file attached
to that post.

Many thanks
GaryT
Guy Harris
2014-07-13 18:08:17 UTC
Post by Evan Huus
Do you have sufficient permissions to view those interfaces? If you just
It's my laptop, my Wi-Fi capable cable modem, my home office, I have all the authority I need Evan. Nobody else has any access to it.
"Permissions" here doesn't mean "do you, as a human, have permission, granted by another human", it means "does the program doing the capturing have permission, granted by the operating system"?
However, seriously I wonder whether I'm actually using Wireshark as root on this desktop unit. I remember reading some deep and meaningful discussion about the subject and apparently there is a potential security issue running WS as root from a terminal;
There's a potential security issue running *any* code as root, especially code that has to parse data that comes over the network, because a bug in that code could, in some cases, mean that cleverly-formed packets could inject code into the program in question and run it - meaning run it as root.

As one of the README files in the Wireshark source says:

In versions up to and including 0.99.6, it was necessary to run
Wireshark with elevated privileges in order to be able to capture
traffic. With version 0.99.7, all function calls that require elevated
privileges have been moved out of the GUI to dumpcap.

WIRESHARK CONTAINS OVER TWO MILLION LINES OF SOURCE CODE. DO NOT RUN
THEM AS ROOT.

So, on Linux, the idea is that the dumpcap program, which is part of Wireshark, would run with sufficient privileges to capture packets; it does not parse packets, so there's no packet-parsing code at risk there.

Evan's instructions with "sudo dpkg-reconfigure" arrange that dumpcap will run with sufficient privileges to capture (which doesn't mean "root privileges", at least with newer versions of Linux such as the one you're running; that's a bit safer).
all I do is click the Wireshark icon in the System Tools menu. Frankly I don't know whether I'm running it as root or not!
You're probably not, which is why no interfaces are showing up.
Post by Evan Huus
Once you can capture cooked packets, capturing "raw" packets (with all the
IEEE802.11 headers etc) should be as simple as checking the "monitor mode"
box in the capture options dialogue box, assuming your version of Wireshark
is recent enough (which 1.10.* should be).
For this bit I had to turn on Bluetooth in order to get an interface list on the screen.
The capture mechanism for Bluetooth is different from the capture mechanism for "regular" interfaces such as Ethernet and Wi-Fi; it might not require elevated privileges.
There is a column titled 'Mon. Mode' (presumably monitor mode), and in that column (against Bluetooth) it shows n/a (ie. not applicable).
eth0 Interface to the big wide Ethernet world.
any I don't know what "any" would be
It's a special pseudo-interface that captures incoming and outgoing traffic on all "regular" interfaces (in the sense described above); it doesn't support promiscuous mode or monitor mode.
Can I assume that the n/a means not applicable ONLY because the interfaces I have on this desktop unit are not IEEE802.11 ?
Yes.
But, the laptop also has its Mon. Mode column marked n/a against Bluetooth. Doesn't BT come under IEEE802.11 ??
No. It's a completely different radio-based network technology.
1. Run "sudo dpkg-reconfigure wireshark-common" and select that Yes, non-superusers should be able to capture packets.
2. Add your user to the "wireshark" group (not sure if there's a UI for this in settings somewhere, if not, use "usermod -a -G wireshark $username", possibly with sudo in front).
3. Log out and back in for that to take effect.
Once you've done that, Wireshark should, on your laptop, show the "any" and "lo" device, and will probably show an "eth0" device for its Ethernet and a device with some other name, perhaps "wlan0", for your Wi-Fi device.

However, once you've done that, the monitor mode checkbox won't necessarily work; you might have to use the airmon-ng steps. First make sure the aircrack-ng package (which I think Ubuntu offers) is installed, and then, if you have a wlan0 device, do

sudo airmon-ng start wlan0

It will probably print out something such as

Interface Chipset Driver
wlan0 Intel 4965 a/b/g/n iwl4965 - [phy0]
(monitor mode enabled on mon0)

(although the "Intel 4965 a/b/g/n", in the "Chipset" column, and the "iwl4965", in the "Driver" column, might be different).

The "monitor mode enabled on mon0" means that you must then capture on the "mon0" interface, not on the "wlan0" interface, to capture in monitor mode.

When you're finished capturing, you'd want to turn monitor mode off. To turn monitor mode off, you would use a command such as

sudo airmon-ng stop mon0

If, instead, "sudo airmon-ng start wlan0" prints something that doesn't mention a "mon0" device, you should capture on the "wlan0" command and, when done, do

sudo airmon-ng stop wlan0
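Evan's three steps and Guy's explanation of why they are safer than running Wireshark as root both come down to the same two checks: is the user in the capture group, and does dumpcap carry the capture capabilities (rather than the setuid bit, which would make it full root)? The script below is an added example, not from the thread, from Wireshark or from the Debian packaging. It assumes the Debian/Ubuntu layout (dumpcap on the PATH or at /usr/bin/dumpcap, capture group named "wireshark"), and the getcap lines in its comments are constructed samples of the two output formats getcap has used.

```shell
#!/bin/sh
# Added example (not from the thread or Wireshark): audit whether the current
# non-root user can capture through dumpcap after
#   sudo dpkg-reconfigure wireshark-common   (answer Yes)
#   sudo usermod -a -G wireshark $USER       (then log out and back in)
# Assumes Debian/Ubuntu packaging; the group name and dumpcap path are
# assumptions, adjust for other distributions.

WIRESHARK_GROUP=wireshark

# $1 = space-separated group list as printed by "id -nG".
# Succeeds if the capture group is among them.
in_capture_group() {
    for g in $1; do
        [ "$g" = "$WIRESHARK_GROUP" ] && return 0
    done
    return 1
}

# $1 = one line of getcap output for dumpcap. Two formats exist (constructed
# samples):
#   /usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip    (older libcap)
#   /usr/bin/dumpcap cap_net_admin,cap_net_raw=eip      (libcap 2.41 and later)
# Succeeds only if both capabilities dumpcap needs are present and effective
# ("e" in the flag set after the last '=' or '+').
dumpcap_caps_ok() {
    caps=${1#*dumpcap}               # drop the path
    case "$caps" in *cap_net_admin*) ;; *) return 1 ;; esac
    case "$caps" in *cap_net_raw*)   ;; *) return 1 ;; esac
    flags=${caps##*[=+]}             # e.g. "eip"
    case "$flags" in *e*) return 0 ;; esac
    return 1
}

# Live audit of this machine. Prints one line per check; returns 0 only if
# every check passed.
audit_capture_setup() {
    user=$(id -un)
    grouplist=$(id -nG)
    dumpcap=$(command -v dumpcap 2>/dev/null || echo /usr/bin/dumpcap)
    rc=0

    if in_capture_group "$grouplist"; then
        echo "ok:   $user is in group $WIRESHARK_GROUP"
    else
        echo "FAIL: $user is not in group $WIRESHARK_GROUP (usermod -a -G $WIRESHARK_GROUP $user, then log out and in)"
        rc=1
    fi

    if [ ! -e "$dumpcap" ]; then
        echo "FAIL: $dumpcap not found (is the wireshark-common package installed?)"
        return 1
    fi

    # Capabilities are the safer route Guy mentions: only cap_net_admin and
    # cap_net_raw are granted, not uid 0.
    if [ -u "$dumpcap" ]; then
        echo "WARN: $dumpcap is setuid root; captures run with full root rights"
    elif command -v getcap >/dev/null 2>&1 && dumpcap_caps_ok "$(getcap "$dumpcap" 2>/dev/null)"; then
        echo "ok:   $dumpcap carries cap_net_admin,cap_net_raw (no root needed)"
    else
        echo "FAIL: $dumpcap has neither file capabilities nor the setuid bit (sudo dpkg-reconfigure wireshark-common)"
        rc=1
    fi

    # The Debian package restricts dumpcap to root:wireshark mode 0750, so this
    # is the check that fails until the new group membership is picked up.
    if [ -x "$dumpcap" ]; then
        echo "ok:   $user may execute $dumpcap"
    else
        echo "FAIL: $user may not execute $dumpcap (new group not effective yet? log out and in)"
        rc=1
    fi
    return $rc
}

if audit_capture_setup; then
    echo "capture setup looks complete; Wireshark should now list eth0/wlan0 without root"
else
    echo "capture setup incomplete; see the FAIL lines above"
fi
```

The group check alone is not enough: a fresh `usermod` takes effect only for new login sessions, which is why the execute check is done against the binary itself rather than by trusting `id -nG`.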
GaryT
2014-07-14 07:00:09 UTC
Thank you Guy.
I will do all this as soon as possible and report back. And, I promise
not to apply my sense of humour in a serious discussion, ever again.

Will revert ASAP, perhaps 48 hours. Life gets in the way :-)
Again, many thanks.
GaryT
Post by Guy Harris
Post by Evan Huus
Do you have sufficient permissions to view those interfaces? If you just
[BIG SNIP]
Post by Guy Harris
(although the "Intel 4965 a/b/g/n", in the "Chipset" column, and the "iwl4965", in the "Driver" column, might be different).
The "monitor mode enabled on mon0" means that you must then capture on the "mon0" interface, not on the "wlan0" interface, to capture in monitor mode.
When you're finished capturing, you'd want to turn monitor mode off. To turn monitor mode off, you would use a command such as
sudo airmon-ng stop mon0
If, instead, "sudo airmon-ng start wlan0" prints something that doesn't mention a "mon0" device, you should capture on the "wlan0" command and, when done, do
sudo airmon-ng stop wlan0
--<0>--
GaryT
2014-07-27 14:12:56 UTC
Two weeks ago, on 14/07/14 04:08, Guy Harris wrote:

[BIG SNIP]
Yes, Evan's code worked as he expected.
Post by Guy Harris
1. Run "sudo dpkg-reconfigure wireshark-common" and select that Yes, non-superusers should be able to capture packets.
2. Add your user to the "wireshark" group (not sure if there's a UI for this in settings somewhere, if not, use "usermod -a -G wireshark $username", possibly with sudo in front).
3. Log out and back in for that to take effect.
Once you've done that, Wireshark should, on your laptop, show the "any" and "lo" device, and will probably show an "eth0" device for its Ethernet and a device with some other name, perhaps "wlan0", for your Wi-Fi device.
Yes, it did.

After I ran Evan's code, logged out and back, starting Wireshark
produced a nice surprise. Suddenly I had a total of seven possible
interfaces. The screen showed six columns of values for each interface
and from there on everything was GUI. There was no need for any more
manual entry. However, I did test it later with manual entry to see what
would happen and it produced some surprising results.

I've provided an amount of detail here because you guys are forever
helping people and it may assist you to know precisely what happened
when I followed your suggestions. The attached text file contains all
the interface detail. But, refer only to Part 1 at this stage.
Post by Guy Harris
However, once you've done that, the monitor mode checkbox won't necessarily work; you might have to use the airmon-ng steps. First make sure the aircrack-ng package (which I think Ubuntu offers) is installed, and then, if you have a wlan0 device, do
sudo airmon-ng start wlan0
It wasn't installed and I had to download it before proceeding.
When I ran 'sudo airmon-ng start wlan0' I was presented with the
following message:

Found 5 processes that could cause trouble
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

Then it listed 5 names and PIDs, commencing with
PID Name
966 avahi-daemon

and ended up with Monitor Mode enabled as you've described here in
the next few lines. Chipsets and drivers were different.
Post by Guy Harris
It will probably print out something such as
Interface Chipset Driver
wlan0 Intel 4965 a/b/g/n iwl4965 - [phy0]
(monitor mode enabled on mon0)
[snip]
Post by Guy Harris
The "monitor mode enabled on mon0" means that you must then capture on the "mon0" interface, not on the "wlan0" interface, to capture in monitor mode.
This presents a bit of a dilemma. You used the words:
"you must then capture on the 'mon0' interface"

Two scenarios exist now. Should I:

(a) Use the GUI screen (as per my initial experience) and enable
Monitor Mode through that interface.

(b) Enable Monitor Mode manually
i.e. sudo airmon-ng start wlan0

They appear to finish up with the same result, EXCEPT, when I start WS
after having enabled Monitor Mode manually, it then has an extra
interface, Mon0. See attached text file 'interfaces.txt' Part 2.

The screen display shows the interface named 'Mon0' as disabled and you
can 'enable' it in the same manner as you do with wlan0. In fact, when
experimenting I enabled Monitor Mode (Col 5) on both the Mon0 and wlan0
interfaces. It seems to me that SHOULD NOT have been allowed to happen.

I have captured packets under both wlan0 with Monitor Mode enabled and
Mon0 with monitor mode enabled. They appear to have no significant
differences but my question is, "which should I use, the Mon0 interface
or the wlan0 with monitor mode enabled?"

It may just come down to going with either the GUI or the manual method
but whatever the case, shouldn't there be code to prohibit starting up
an interface when it is already operating?

At this point I will send these messages, rather than trying to solve
problems that might not exist.

Many thanks
GaryT
Guy Harris
2014-07-27 19:37:10 UTC
Permalink
Post by GaryT
(a) Use the GUI screen (as per my initial experience) and enable
Monitor Mode through that interface.
(b) Enable Monitor Mode manually
i.e. sudo airmon-ng start wlan0
Do (c), and then capture on the interface named "mon0", *without* doing anything to monitor mode on that interface in the GUI.
Post by GaryT
They appear to finish up with the same result, EXCEPT, when I start WS after having enabled Monitor Mode manually, it then has an extra interface, Mon0.
Yes, that is *exactly* what should happen if you enable monitor mode manually.
Post by GaryT
The screen display shows the interface named 'Mon0' as disabled and you can 'enable' it in the same manner as you do with wlan0. In fact, when experimenting I enabled Monitor Mode (Col 5) on both the Mon0 and wlan0 interfaces. It seems to me that SHOULD NOT have been allowed to happen.
If we lived in a universe in which OS vendors provided reasonably simple, straightforward, and clean mechanisms by which programs could enable monitor mode on Wi-Fi interfaces, I would be very happy.

Sadly, we do not live in such a universe, which is why I had to write close to 1300 lines of code to do that on Linux...

...and, for interfaces with "modern" drivers ("mac80211" drivers), did so atop libnl, a library that has been through three count 'em three incompatible major versions, such that if libpcap is linked with one version and an application using libpcap is linked with another version, that application crashes, meaning that few if any Linux distributions ship a version of libpcap built with libnl, meaning that few if any Linux distributions allow Wireshark to automatically use the best mechanism for turning monitor mode on.

(Essentially, libpcap, *if* built with libnl, will use the same mechanism airmon-ng uses, which is adapter-independent, so it doesn't have to know the particular ugly set of operations to turn monitor mode on for the particular interface's driver, *and* somehow, I think, manages to keep some annoying daemon processes from "helpfully" turning monitor mode on, because the "wlan0" interface doesn't have it turned on, the "mon0" interface has it turned on, even though they're just two names that ultimately refer to the same physical device.)
Post by GaryT
It may just come down to going with either the GUI or the manual method but whatever the case, shouldn't there be code to prohibit starting up an interface when it is already operating.
It would be nice if there were code to do that. It would be nice if somebody who knows enough to write that code had time to do so....

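The two points above (wlan0 and mon0 being two names for one physical radio, and GaryT's wish for a check before monitor mode is enabled a second time) can be combined into a small preflight check. The following is an added example, not code from this thread, from Wireshark or from libpcap: it parses "iw dev" output and reports whether a monitor-mode interface already exists on the same phy as the Wi-Fi device, so you select that one in Wireshark instead of running airmon-ng again. The "iw dev" layout it expects (phy#N / Interface NAME / type TYPE), the embedded samples and their addresses are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread, nor Wireshark/libpcap code): before
# running "airmon-ng start" again, read "iw dev" and find out whether a
# monitor-mode interface already exists on the same phy as the Wi-Fi device.
# Constructed sample of "iw dev" output (addresses made up), mirroring the
# thread: wlan0 and mon0 are two names on the one physical radio, phy#0.
SAMPLE_IW_DEV='phy#0
    Interface mon0
        addr 00:11:22:33:44:55
        type monitor
    Interface wlan0
        addr 00:11:22:33:44:55
        type managed'
# Constructed sample of a radio with no monitor-mode interface yet.
SAMPLE_NO_MON='phy#0
    Interface wlan0
        addr 00:11:22:33:44:55
        type managed'

# monitor_iface_on_phy IW_DEV_OUTPUT IFACE
# Prints an interface in monitor mode on the same phy as IFACE; exit 1 if none.
monitor_iface_on_phy() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^phy#/      { phy = $1 }
        $1 == "Interface" { iface = $2; phy_of[iface] = phy }
        $1 == "type"      { type_of[iface] = $2 }
        END {
            if (!(want in phy_of)) exit 1
            for (i in type_of)
                if (phy_of[i] == phy_of[want] && type_of[i] == "monitor") {
                    print i; exit 0
                }
            exit 1
        }'
}

# choose_capture_iface IW_DEV_OUTPUT IFACE
# Prints the name to pick in Wireshark's interface list and what is still needed.
choose_capture_iface() {
    if mon=$(monitor_iface_on_phy "$1" "$2"); then
        printf '%s (already in monitor mode; do not run airmon-ng again)\n' "$mon"
    else
        printf '%s (not yet in monitor mode; run: sudo airmon-ng start %s)\n' "$2" "$2"
    fi
}

# Stand-alone run: constructed samples first, then the live system if iw exists.
choose_capture_iface "$SAMPLE_IW_DEV" wlan0
choose_capture_iface "$SAMPLE_NO_MON" wlan0
if command -v iw >/dev/null 2>&1; then choose_capture_iface "$(iw dev)" "${1:-wlan0}"; fi
```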
GaryT
2014-07-28 10:49:33 UTC
Permalink
Post by Guy Harris
Post by GaryT
(a) Use the GUI screen (as per my initial experience) and enable
Monitor Mode through that interface.
(b) Enable Monitor Mode manually
i.e. sudo airmon-ng start wlan0
Do (c), and then capture on the interface named "mon0", *without* doing anything to monitor mode on that interface in the GUI.
Many thanks, Guy.
Greatly appreciate your guidance.
GaryT

Guy Harris
2014-07-12 23:58:57 UTC
Permalink
Post by GaryT
Searched and found a 6000 word document on the Wireshark.Org site...
Yes, that's what happens when OSes make it complicated to select monitor mode, and people could be using a wide variety of different versions of different OSes, and different versions of Wireshark, and ask about capturing on Wi-Fi with all of them.

Perhaps the page should be split into subpages for different OSes, with the top-level page linking to the subpages.
Post by GaryT
(2)
identify the Laptop card and drivers etc in order to determine how to get Wireshark capturing 802.11 packets.
If libnl weren't such a pain (see below), libpcap (the library that Wireshark uses for packet capturing) would render that irrelevant.
Post by GaryT
[The "monitor mode enabled on mon0" means that you must then capture on the "mon0" interface, not on the "wlan0" interface, to capture in monitor mode. To turn monitor mode off, you would use a command such as sudo airmon-ng stop mon0, not sudo airmon-ng stop wlan0.]
airmon-ng should be able to render it mostly irrelevant; read the discussion of it in there and follow the admittedly-somewhat-complicated instructions.
Post by GaryT
Greatly appreciate any help, pointers, comments.
Wouldn't it be terrific if someone wrote, "All you need to do is..."
Wouldn't it be terrific if operating system providers didn't make it Really Complicated to turn monitor mode on, so that software developers (which, in this question, unfortunately means "me") don't have to write code that goes through hoops to do so?

Sadly, they didn't, and I haven't had the time to fix libpcap so that the code I wrote to turn monitor mode on doesn't depend on a library with multiple incompatible versions (meaning that it's unsafe to have libpcap use it, as all hell breaks loose if a program using libpcap is linked with one version and libpcap is linked with another), to allow that code to actually be *present* in Linux distributions (as opposed to being configured out).

So, yes, monitor mode in Wireshark is a bit of a steaming heap of suck on Linux (and, for other reasons, on platforms other than OS X).

However, be aware that, on a "protected" Wi-Fi network (one using encryption), it is *BY DESIGN* a bit complicated to sniff the network - the "protection" is against people sniffing network traffic. See

http://wiki.wireshark.org/HowToDecrypt802.11

for a discussion of *that*. (If your network *isn't* "protected", somebody near it may be able to capture your network traffic; if the traffic is encrypted at a higher level, such as with HTTPS, they shouldn't be able to see anything at that level, but they'll still be able to see things at lower levels.)