Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

answered 2020-08-15 05:06:48 +0000

Guy Harris gravatar image

tl;dr: you'll probably have to deassociate from - meaning "disconnect from" - your Wi-Fi network in order to capture in monitor mode.

Details:

On newer hardware, Catalina's support for monitor mode sucks. This might be because:

  • either newer hardware doesn't support being associated with a Wi-Fi network ''and'' being in monitor mode at the same time, or makes it difficult enough that Apple didn't bother supporting it in their drivers (or it's not hard but the Airport group at Apple couldn't be bothered to make the effort to support it) - older MacBook adapters, such as the one in my older MacBook Pro, supported it just fine, but it doesn't seem to work on my new MBP;
  • Apple may have decided to protect users from unintentionally deassociating from their Wi-Fi by refusing to go into monitor mode with those adapters;
  • the way they do that is not to 1) fail to report 802.11 DLTs when you ask for the DLT list and 2) report an error if you try to set the DLT for a BPF device bound to a Wi-Fi adapter to an 802.11 DLT - they just let the capture continue but don't provide any packets.

So, instead of Wireshark (and libpcap) reporting that monitor mode isn't supported, it lets you turn on monitor mode, but your capture doesn't show anything. Quality with a capital KW, Apple!

The "Sniffer" in Wireless Diagnostics (option-click on the Wi-Fi icon in the menu bar, and select "Open Wireless Diagnostics..."; then select "Sniffer" from the "Window" menu, select a channel, select a channel width if a choice is offered, and click "Start") ''can'' capture in monitor mode although, as I remember, you get deassociated from your Wi-Fi, and thus may lose all your network connectivity (unless, for example, you have an Ethernet adapter, whether built-in or USB or Thunderbolt).

Until recently, we had no idea what magic "Sniffer" performed; the way that "Sniffer" does the traffic capture is to run tcpdump with the "-I" flag, which does exactly the same thing that capturing in Wireshark in monitor mode does, so some flavor of magic is necessary.

However, in looking into a Stack Overflow question today where somebody wondered what the not-very-informative error message from some program trying to open an adapter with libpcap meant, I looked at the program's code to open an adapter, and found that, on macOS, it ran the "airport" utility (in /System/Library/PrivateFrameworks/Apple80211.framework/Resources) with a command-line flag to disassociate from the network. So that might be all the magic that's done.

So the bottom line is:

  • you'll have to disassociate from your Wi-Fi network to capture in monitor mode;
  • there might be some way to sneak that into libpcap and thus into Wireshark;
  • there really should also be a way for libpcap to inquire whether monitor mode works only if deassociated, so it can provide an API to programs such as Wireshark, so if you ask for monitor mode, they can say "if you say go ahead and capture in monitor mode, you're going to lose your Wi-Fi connection; should I go ahead and do that?"