4
2

Hi there,

I'm running the latest version of wireshark with ubuntu. My Wifi is using a "Intel 4965/5xxx" Chipset with an "iwlagn" driver.

My Problem is: When I click at the "monitor mode" checkbox in Capture Options the box is checked for less than a second und then unchecked again. I don't recieve any error messages.

I tried using airmon-ng and selected mon0 as interface but it didn't work, too.

Can you help me?

asked 23 Aug '11, 09:27

MyScreenName2011's gravatar image

MyScreenName...
61133
accept rate: 0%

edited 08 Dec '11, 01:55

Guy%20Harris's gravatar image

Guy Harris ♦♦
11.6k227146

What kernel version are you running, and what version of libpcap is Wireshark built with? ("uname -sr" for the first; "wireshark -v" for the second.) According to http://intellinuxwireless.org/, the driver has been in the mainline kernel since 2.6.24, and the version in the 2.6.32.4 in the iwlwifi directory appears to have monitor-mode support.

What happened with airmon-ng? What happens if you try, for example, tshark with the -I flag?

(23 Aug '11, 17:46) Guy Harris ♦♦

kernel version: Linux 2.6.38-11-generic-pae

libpcap version: 1.1.1 (with libz 1.2.3.4, with POSIX capabilities (Linux), without libpcre, with SMI 0.4.8, with c-ares 1.7.3, with Lua 5.1, without Python, with GnuTLS 2.8.6, with Gcrypt 1.4.6, with MIT Kerberos, with GeoIP, with PortAudio V19-devel (built Mar 18 2011 15:44:36), without AirPcap.)

Output for tshark -I:

user@userBook:~$ sudo tshark -I

tshark: Lua: Error during loading: [string "/usr/share/wireshark/init.lua"]:45: dofile has been disabled

Running as user "root" and group "root". This could be dangerous.

Capturing on eth0

tshark: The capture session could not be initiated (That device doesn't support monitor mode).

Please check to make sure you have sufficient permissions, and that you have the proper interface or pipe specified.

0 packets captured

airmon-ng:

user@userBook:~$ sudo airmon-ng start wlan0

Found 5 processes that could cause trouble. If airodump-ng, aireplay-ng or airtun-ng stops working after a short period of time, you may want to kill (some of) them!

PID Name 608 avahi-daemon 609 avahi-daemon 610 NetworkManager 805 wpa_supplicant 1868 dhclient Process with PID 1868 (dhclient) is running on interface wlan0

Interface Chipset Driver

wlan0 Intel 4965/5xxx iwlagn - [phy0] (monitor mode enabled on mon0)

user@userBook:~$ iwconfig lo no wireless extensions.

eth0 no wireless extensions.

wlan0 IEEE 802.11abgn ESSID:"fritzBOX"
Mode:Managed Frequency:2.472 GHz Access Point: BC:05:43:15:C3:8E
Bit Rate=117 Mb/s Tx-Power=15 dBm
Retry long limit:7 RTS thr:off Fragment thr:off Power Management:off Link Quality=61/70 Signal level=-49 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0 Tx excessive retries:19309 Invalid misc:840 Missed beacon:0

mon0 IEEE 802.11abgn Mode:Monitor Tx-Power=15 dBm
Retry long limit:7 RTS thr:off Fragment thr:off Power Management:off

After that I selected mon0 as interface in wireshark but coulden't check the "monitor mode" checkbox, too.

(24 Aug '11, 05:20) MyScreenName...

On what device are you trying to capture in monitor mode? eth0, wlan0, or mon0?

(25 Aug '11, 02:01) Guy Harris ♦♦

Sorry for the late answer, i was on vacation. I tried both wlan0 and mon0!

(10 Sep '11, 17:00) MyScreenName...

I'm seeing the exact same behavior. I've got a Centrino Advanced-N 6205 chipset with the iwlagn driver. Kernel version is 3.0.0-12-generic, Wireshark is 1.6.2, and libpcap 1.1.1

Trying to capture on wlan0, and I even brought the interface down and put it in Monitor mode via the cl (sudo iwconfig wlan0 mode monitor). But when I go into Wireshark and try to select the monitor mode checkbox, I find it stays checked for ~1 second, then unchecks itself.

(27 Oct '11, 13:35) CastleSeven

Try uninstalling and reinstalling aircrack-ng, there was a glitch in recent Centrino wireless NICs not being able to cope with certain patched drivers.

Afterwards go for airmon-ng start <whatever> and then (!!!) airodump-ng mon0

Maybe that helps - id did for my 6200-N / 4965

(28 Oct '11, 00:40) Landi

I am having the exact same issue and have been for a while. I'm not using airmon. I am getting an error related to the GUI references. Hopefully if I can somehow manage to fix that, the problem will subside. Please, please let us know if you find out the answer.

(29 Nov '11, 13:56) chadillac

What happens if you aren't running NetworkManager? I've seen postings on the Web that indicate that it "helpfully" turns monitor mode off in some cases, e.g. this Ubuntu Forums post ("That's when NetworkManager kicks in and disables monitor mode.") and this aircrack-ng forum post.

(30 Nov '11, 15:28) Guy Harris ♦♦

I have the same problem on Debian, described here: http://ask.wireshark.org/questions/7618/monitor-mode-checkbox-not-working

(01 Dec '11, 02:06) Rael

What happened when you did sudo airmon-ng start wlan0 and then tried to capture on mon0? Don't worry about the "monitor mode" checkbox when you do that, just try capturing; does it capture in monitor mode?

(02 Dec '11, 18:45) Guy Harris ♦♦

And what does ldd /usr/lib/libpcap.so print?

(05 Dec '11, 14:23) Guy Harris ♦♦
showing 5 of 11 show 6 more comments

Try this:

sudo ifconfig wlan0 down

sudo iwconfig wlan0 mode managed

sudo ifconfig wlan0 up

sudo iwconfig wlan0 channel xx

//Replace xx with the number of the channel for the wifi you're trying to connect.

sudo ifconfig wlan0 down

sudo iwconfig wlan0 mode monitor

sudo ifconfig wlan0 up

This should get you into monitor mode.

Just check with

iwconfig wlan0

In the mode attribute "monitor" should be written instead of managed.

Hope this helps.

link

answered 13 Jun '12, 16:15

pslayer89's gravatar image

pslayer89
3113
accept rate: 0%

My problem was that I was able to see broadcast data like beacons in monitor mode but I could not get any HTTP request. Tests where done with my smartphone connected to an open hotspot. The solution was to set WiFi channel to the hotspot one! Like @pslayer89 said, I did iwconfig wlan0 channel 6 in my case and it worked :)

(10 Dec '13, 08:06) baptx
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×54
×46
×20

Asked: 23 Aug '11, 09:27

Seen: 13,737 times

Last updated: 10 Dec '13, 08:06

powered by OSQA