Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

answered 2021-03-09 19:19:39 +0000

Guy Harris gravatar image

When I try to capture from the mobile device I get errors that tshark can't set promiscuous/non-promiscous mode

That''s probably because the mobile phone modem doesn't support promiscuous mode.

If you want to capture traffic to and from your machine, you don't need promiscuous mode.

If you want to capture traffic on the mobile phone network between other devices and the network, you will probably need a fairly exotic device that, as far as I know, is not available to ordinary users; I don't know how to get such a device. You may also have to somehow decrypt that traffic, which may be somewhere between "difficult" and "impossible".

If all you want is to capture traffic to and from your machine, then:

  • select Capture > Options;
  • make sure the "Enable promiscuous mode on all devices" checkbox is NOT checked;
  • un-check the check box in the "Promiscuous" column for the "\Device\NPF_{CC3F3B57-6D66-4103-8AAF-828D090B1BA9}'" or "Mobile Broadband adapter Cellular" device (the column title might be cut off, so it might just say "Promisc" or something such as that);
  • click the "Start" button to start the capture.

There are some changes that it might be possible to make to libpcap, and to Wireshark, so that it won't even offer a "promiscuous mode" checkbox for devices that don't offer promiscuous mode, at least on Windows (on UN*Xes, devices that don't support promiscuous mode tend to just ignore requests to enable it, rather than reporting an error), which would make this less of a nuisance. Those are significant API changs to libpcap, and significant code changes to Wireshark, however, so they won't happen soon.