This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireless showing as Ethernet

0

Hi, I've been struggling with this for days now. I have installed Backtrack 5, and I have an Atheros AR9287 wireless card. But whenever I open Wireshark to sniff the wireless network, I am able to see only my own traffic, or traffic targeted to the whole network *.255 only. I've noticed that whenever I try to select the capture interface, wlan0 (which is the wireless adapter) shows as ETHERNET, and I don't have an 802.11 option in the drop-down list... I've been searching for days now, and couldn't find any useful answer. I really do appreciate your help!

asked 27 May '11, 14:24

Thirdium
accept rate: 0%


2 Answers:

2

Basic things to try with that problem:

  • Look in 'iwconfig' to see if your wireless card is recognized at all within BT5
  • Use airmon-ng start wlan0 to bring your wireless NIC into monitor mode
  • Since BT4 there are many cards coming up with a new "virtual" interface commonly called 'mon0'
  • Try sniffing with the mon0 interface now
  • If channel hopping is a problem, add the -c <channel number> flag to airmon-ng to specify the channel you're interested in

Apart from that, there are some issues with BT5 and wireless drivers atm - I would ask you to stick to the official BackTrack Forums for more help with that. There are several posts that might bring you forward.

answered 27 May '11, 14:55

Landi
accept rate: 28%

Thanks for your reply, I actually tried that before: airmon-ng start monitor wlan0 -c 6

But when I open wireshark, choose mon0 as my interface, I sniff as if I'm not on the network...everything is encrypted, no IP addresses.

Any other thoughts ?

(28 May '11, 01:49) Thirdium

Did airmon-ng respond that your chipset was successfully set into monitor mode ?

Try using airodump-ng -c 6 -w /tmp/tracefile, maybe wireshark tries enabling monitor mode as well which might interfere with airmon...

(28 May '11, 03:28) Landi

yes it does, here is the output:

Found 5 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID     Name
1263    dhclient3
1675    dhclient3
10852   wpa_supplicant
10862   dhclient
10900   dhclient
Process with PID 1675 (dhclient3) is running on interface wlan0
Process with PID 10852 (wpa_supplicant) is running on interface wlan0
Process with PID 10900 (dhclient) is running on interface wlan0

Interface   Chipset         Driver

wlan0       Atheros AR9287  ath9k - [phy0]/usr/local/sbin/airmon-ng: line 598: [: -c: integer expression expected

            (monitor mode enabled on mon0)

(28 May '11, 15:33) Thirdium

Interface   Chipset         Driver

wlan0       Atheros AR9287  ath9k - [phy0]/usr/local/sbin/airmon-ng: line 598: [: -c: integer expression expected

            (monitor mode enabled on mon0)

(28 May '11, 15:33) Thirdium

This output:

/usr/local/sbin/airmon-ng: line 598: [: -c: integer expression expected

is obviously some error, because -c is not assigned in airmon... once again, try the following syntax

'airmon-ng start wlan0 6'

Then mon0 should be your virtual NIC on 2.4GHz channel 6, then go for

'airodump-ng -w /tmp/tracefile mon0'

(29 May '11, 05:38) Landi

If your network is using WEP or WPA, then, when you capture in monitor mode, you will see the raw packets on the network - which will be encrypted. To decrypt it, see the How To Decrypt 802.11 page (http://wiki.wireshark.org/HowToDecrypt802.11) in the Wireshark wiki.

(31 May '11, 00:03) Guy Harris ♦♦

0

You won't see the 802.11 layer unless you enable monitor mode on your WiFi card. Without it, you will only see the ethernet and further layers, but not the radio layer.

On BackTrack you can use the airmon-ng utility to enable monitor mode if I remember correctly (it has been a while since I used it).

answered 27 May '11, 14:47

Jasper ♦♦
accept rate: 18%
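
Added example (not part of the original thread): a small Python reader for classic pcap files that shows the difference the answers above describe. A capture taken on wlan0 in managed mode has link-layer type Ethernet, while a monitor-mode capture on mon0 carries 802.11 headers whose Protected Frame bit marks the encrypted data frames mentioned in the comments. The pcap bytes, MAC addresses and payloads are constructed sample data, and the function names are hypothetical.

```python
import struct

# LINKTYPE_ values from the pcap file format that matter for this page.
LINKTYPES = {1: "Ethernet", 105: "IEEE 802.11", 127: "IEEE 802.11 + radiotap"}

def make_pcap(linktype, frames):
    """Build a little-endian classic pcap in memory (constructed sample data)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def summarize(pcap):
    """Report the link-layer type and, for 802.11, how many data frames are encrypted."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        e = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        e = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    linktype = struct.unpack(e + "I", pcap[20:24])[0]
    res = {"linktype": LINKTYPES.get(linktype, f"other ({linktype})"),
           "frames": 0, "data": 0, "protected": 0}
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(e + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        res["frames"] += 1
        if linktype == 127 and len(frame) >= 4:
            # Skip radiotap: its length field is always little-endian, bytes 2-3.
            frame = frame[struct.unpack("<H", frame[2:4])[0]:]
        if linktype in (105, 127) and len(frame) >= 2:
            is_data = (frame[0] >> 2) & 0x3 == 2      # frame control: type field
            res["data"] += is_data
            res["protected"] += is_data and bool(frame[1] & 0x40)  # Protected Frame bit
    return res

# Constructed frames: addresses and payload bytes are placeholders.
RADIOTAP = struct.pack("<BBHI", 0, 0, 8, 0)           # version, pad, length=8, no fields
HDR_TAIL = b"\x00\x00" + b"\x02\x00\x00\x00\x00\x01" * 3 + b"\x00\x00"
DATA_PROTECTED = RADIOTAP + b"\x08\x41" + HDR_TAIL + b"\xaa" * 16
BEACON = RADIOTAP + b"\x80\x00" + HDR_TAIL
ETH_FRAME = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + b"\x00" * 20

MONITOR = summarize(make_pcap(127, [BEACON, DATA_PROTECTED, DATA_PROTECTED]))
MANAGED = summarize(make_pcap(1, [ETH_FRAME]))

if __name__ == "__main__":
    print("mon0 :", MONITOR, "\nwlan0:", MANAGED)
```

A non-zero "protected" count in a monitor-mode capture is expected on a WEP or WPA network and is what the decryption page linked in the comments addresses.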