Has anyone gotten wireshark to capture data packets from a monitor mode interface on a raspberry pi?

asked 2020-11-04 16:49:17 +0000

I have tried this on a pi 3b and a pi 4. I am using kali which supposedly comes with nexmon. I use the aircrack utility (airmon-ng start wlan0) and this creates a monitor mode interface. I try to monitor that interface and I don't see anything but beacons and spanning tree stuff. I have already run airmon-ng check kill to be sure that there are no processes stopping me from setting the channel.

I am sure that there is traffic on the nets. I have tried using WPA and open nets. I am running wireshark as root.

Other tools I have run (kismet) seem to identify the nearby nets from beacons but there is no evidence they see data packets that are non-broadcast (like a long ping). This mirrors what I have seen on wireshark.

I'm getting frustrated. I bought a pi 3b because I couldn't find an official statement of support for the pi 4. I see no difference in what I see.

If anyone has gotten it to work, can you tell me what you did? If I have to start over with a different distribution I will.

No answer, but nexmon says it does have support for RPi 4, their website has non-simple instructions for installation.

grahamb ( 2020-11-04 18:04:24 +0000 )

I have a pi device:

cat /sys/firmware/devicetree/base/model
Raspberry Pi 3 Model B Plus Rev 1.3

I followed the instructions @grahamb pointed out and have no issue picking up the traffic I expect, including data and QoS-data traffic. I am getting uni-, multi-, and broadcast traffic with a radiotap header but I see that the header is wrong in decoding (at least) HT frames. Packet capture sees them (1SS/20MHz is all I have running) but it shows the datarate as 0. I can't change channels, either, or haven't figured it out.

I note that the instructions have specific steps that I had to follow to make it work; see the section under Using the Monitor Mode patch. When I set this up 'the old way', i.e. manually with iw / iwconfig / ifconfig / etc., it didn't work well ...

Bob Jones ( 2020-11-05 02:02:23 +0000 )

OK, I have dug through the stuff on kali, they claim to have the nexmon stuff pre-installed and their 64 bit image claims nexmon and support for raspberry pi 4....

I agree that, given the diagnosis I've done, this is unlikely to be a wireshark problem. I thought it might be at first. However, I'm new on the kali forums and supposedly am being moderated, but no one is approving posts. I asked here out of frustration, because if no one had gotten this working I was going to try something else.

At this point, my next step is to try usage instructions and then, perhaps, to grab a distribution other than kali and to install nexmon into it from scratch, or to reinstall nexmon into kali, messing with options as needed.

I need to trap a small amount of traffic, once or twice. I'm just ...

Shellhopper ( 2020-11-06 04:07:32 +0000 )

answered 2020-11-05 11:26:38 +0000

hugo.vanderkooij

If you can't get many packets with tcpdump then Wireshark is most certainly not going to fix any of that. I strongly suggest you raise an issue in Github about it as that seems the more logical place to ask for assistance.
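A small diagnostic in the spirit of the answer above, added here and not part of the question or any reply: it walks radiotap-framed 802.11 frames (as a monitor-mode capture from tcpdump or Wireshark would contain), counts management, control and data frames, and reports the two symptoms raised in the thread, a capture holding only beacons, and HT frames whose radiotap header carries an MCS field but no legacy Rate field (which is why the data rate can show as 0). The sample frames are constructed inline and the helper names are my own.

```python
"""Classify 802.11 frames from a monitor-mode capture (radiotap + 802.11)."""
import struct
from collections import Counter

RT_RATE, RT_MCS = 1 << 2, 1 << 19        # radiotap 'present' bits: Rate, MCS
KINDS = {0: "mgmt", 1: "ctrl", 2: "data"}  # 802.11 frame-control type field

def build_frame(fc0, mcs=None, rate=None):
    """Constructed sample (not a real capture): minimal radiotap header
    followed by an 802.11 MAC header whose first byte is frame control."""
    present, fields = 0, b""
    if rate is not None:
        present |= RT_RATE; fields += bytes([rate])            # 1-byte, 500 kbps units
    if mcs is not None:
        present |= RT_MCS; fields += bytes([0x01, 0x00, mcs])   # known, flags, index
    rt = struct.pack("<BBHI", 0, 0, 8 + len(fields), present) + fields
    return rt + bytes([fc0, 0x00]) + b"\x00" * 22   # FC, duration, addrs, seq

def classify(frame):
    """Return frame kind/subtype and which rate fields radiotap advertises."""
    ver, _pad, rt_len, present = struct.unpack_from("<BBHI", frame, 0)
    if ver != 0 or len(frame) < rt_len + 2:
        raise ValueError("malformed radiotap header")
    fc0 = frame[rt_len]                     # first frame-control byte
    return {"kind": KINDS.get((fc0 >> 2) & 3, "reserved"),
            "subtype": (fc0 >> 4) & 0xF,
            "has_rate": bool(present & RT_RATE),
            "has_mcs": bool(present & RT_MCS)}

def summarize(frames):
    c = Counter()
    for f in frames:
        info = classify(f)
        c[info["kind"]] += 1
        if info["kind"] == "mgmt" and info["subtype"] == 8:
            c["beacon"] += 1
        if info["has_mcs"] and not info["has_rate"]:
            c["ht_no_rate"] += 1            # HT frame with no legacy Rate field
    return c

def diagnose(frames):
    c = summarize(frames)
    if c["data"] == 0:
        return "only management/control frames seen: check channel, monitor patch and interface state"
    return f"{c['data']} data frames captured ({c['ht_no_rate']} HT frames lack a legacy Rate field)"

SAMPLE = [build_frame(0x80, rate=0x02), build_frame(0x80, rate=0x02),   # beacons
          build_frame(0xD4, rate=0x02),                                 # ACK (control)
          build_frame(0x08, rate=0x0C), build_frame(0x88, mcs=7)]       # data, QoS data (HT)
if __name__ == "__main__":
    print(summarize(SAMPLE)); print(diagnose(SAMPLE))
```

To run it on a real capture, feed each packet's bytes from a pcap with link type 127 (radiotap) into classify() in place of SAMPLE.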

