Ask Your Question
0

Monitor mode capture on macOS Catalina is not seeing any packets

asked 2020-08-14 18:39:01 +0000

brunmart gravatar image

updated 2020-08-15 05:07:35 +0000

Guy Harris gravatar image

Hi there, I am trying to capture packets using Wifi on MacOS Catalina but I am not able to see any capture packets even though Wifi:en0 is selected and have check on it's monitor option. I was wondering since my Wifi has higher version of radio type of 802.11n while the Wireshark app has only 802.11 radio type. Is there any compatibility issue with the radio type version?

Please advice.

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
1

answered 2020-08-15 05:06:48 +0000

Guy Harris gravatar image

tl;dr: you'll probably have to deassociate from - meaning "disconnect from" - your Wi-Fi network in order to capture in monitor mode.

Details:

On newer hardware, Catalina's support for monitor mode sucks. This might be because:

  • either newer hardware doesn't support being associated with a Wi-Fi network ''and'' being in monitor mode at the same time, or makes it difficult enough that Apple didn't bother supporting it in their drivers (or it's not hard but the Airport group at Apple couldn't be bothered to make the effort to support it) - older MacBook adapters, such as the one in my older MacBook Pro, supported it just fine, but it doesn't seem to work on my new MBP;
  • Apple may have decided to protect users from unintentionally deassociating from their Wi-Fi by refusing to go into monitor mode with those adapters;
  • the way they do that is not to 1) fail to report 802.11 DLTs when you ask for the DLT list and 2) report an error if you try to set the DLT for a BPF device bound to a Wi-Fi adapter to an 802.11 DLT - they just let the capture continue but don't provide any packets.

So, instead of Wireshark (and libpcap) reporting that monitor mode isn't supported, it lets you turn on monitor mode, but your capture doesn't show anything. Quality with a capital KW, Apple!

The "Sniffer" in Wireless Diagnostics (option-click on the Wi-Fi icon in the menu bar, and select "Open Wireless Diagnostics..."; then select "Sniffer" from the "Window" menu, select a channel, select a channel width if a choice is offered, and click "Start") ''can'' capture in monitor mode although, as I remember, you get deassociated from your Wi-Fi, and thus may lose all your network connectivity (unless, for example, you have an Ethernet adapter, whether built-in or USB or Thunderbolt).

Until recently, we had no idea what magic "Sniffer" performed; the way that "Sniffer" does the traffic capture is to run tcpdump with the "-I" flag, which does exactly the same thing that capturing in Wireshark in monitor mode does, so some flavor of magic is necessary.

However, in looking into a Stack Overflow question today where somebody wondered what the not-very-informative error message from some program trying to open an adapter with libpcap meant, I looked at the program's code to open an adapter, and found that, on macOS, it ran the "airport" utility (in /System/Library/PrivateFrameworks/Apple80211.framework/Resources) with a command-line flag to disassociate from the network. So that might be all the magic that's done.

So the bottom line is:

  • you'll have to disassociate from your Wi-Fi network to capture in monitor mode;
  • there might be some way to sneak that into libpcap and thus into Wireshark;
  • there really should also be a way for libpcap to inquire whether monitor mode works only if deassociated, so it can provide an API to programs such as Wireshark ...
(more)
edit flag offensive delete link more

Comments

Hi Guy, Thanks for this information and it means a lot of help for me. I tried this sniffer feature and shows a lot of information but i still have to learn n this. But once again thanks for your thoughts.

brunmart gravatar imagebrunmart ( 2020-08-15 17:12:02 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-08-14 18:39:01 +0000

Seen: 103 times

Last updated: Aug 15