Ask Your Question

Has anyone gotten wireshark to capture data packets from a monitor mode interface on a raspberry pi?

asked 2020-11-04 16:49:17 +0000

Shellhopper gravatar image

I have tried this on a pi 3b and a pi 4. I am using kali which supposedly comes with nexmon. I use the aircrack utility (airmon-ng start wlan0) and this creates a monitor mode interface. I try to monitor that interface and I don't see anything but beacons and spanning tree stuff. I have already run airmon-ng check kill to be sure that there are no processes stopping me from setting the channel.

I am sure that there is traffic on the nets. I have tried using WPA and open nets. I am running wireshark as root.

Other tools I have run (kismet) seem to identify the nearby nets from beacons but there is no evidence they see data packets that are non-broadcast (like a long ping). This mirrors what I have seen on wireshark.

I'm getting frustrated. I bought a pi 3b because I couldn't find an official statement of support for the pi 4. I see no difference in what I see.

If anyone has gotten it to work, can you tell me what you did? If I have to start over with a different distribution I will.

edit retag flag offensive close merge delete


No answer, but nexmon says it does have support for RPi 4, their website has non-simple instructions for installation.

grahamb gravatar imagegrahamb ( 2020-11-04 18:04:24 +0000 )edit

I have a pi device:

cat /sys/firmware/devicetree/base/model
Raspberry Pi 3 Model B Plus Rev 1.3

I followed the instructions @grahamb pointed out ( and have no issue picking up the traffic I expect, including data and QoS-data traffic. I am getting uni-, multi-, and broadcast traffic with a radiotap header but I see that the header is wrong in decoding (at least) HT frames. Packet capture sees them (1SS/20MHz is all I have running) but it shows the datarate as 0. I can't change channels, either, or haven't figured it out.

I note that the instructions have specific steps that I had to follow to make it work; see the section under Using the Monitor Mode patch. When I set this up 'the old way', i.e. manually with iw / iwconfig / ifconfig / etc/, it didn't work well ...(more)

Bob Jones gravatar imageBob Jones ( 2020-11-05 02:02:23 +0000 )edit

OK, I have dug through the stuff on kali, they claim to have the nexmon stuff pre-installed and their 64 bit image claims nexmon and support for raspberry pi 4....

I agree that, given the diagnosis I've done, that this is unlikely to be a wireshark problem. I thought it might be at first. However, I'm new on the kali forums and supposedly am being moderated, but no one is approving posts. I asked here our of frustration, because if no one had gotten this working I was going to try something else.

At this point, my next step is to try usage instructions and then, perhaps, to grab a distribution other than kali and to install nexmon into it from scratch, or to reinstall nexmon into kali, messing with options as needed.

I need to trap a small amount of traffic, once or twice. I'm just ...(more)

Shellhopper gravatar imageShellhopper ( 2020-11-06 04:07:32 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted

answered 2020-11-05 11:26:38 +0000

hugo.vanderkooij gravatar image

If you can't get much packets with tcpdump then Wireshark is most certainly not goint to fix any of that. I strongly suggest you raise an issue in Github about it as that seems the more logical place to ask for assistence.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2020-11-04 16:49:17 +0000

Seen: 1,269 times

Last updated: Nov 05 '20