Wireshark captures monitor mode "style" packets

asked 2021-01-01 19:47:29 +0000

Hello, I've got a weird problem with Wireshark. My wireless adapter is set on managed mode (output from "iwconfig"):

    wlan0     IEEE 802.11  ESSID:"My Network"
              Mode:Managed  Frequency:2.472 GHz  Access Point: 12:34:56:78:90:AB
              Bit Rate=144.4 Mb/s   Tx-Power=20 dBm
              Retry short limit:7   RTS thr=2347 B   Fragment thr:off
              Power Management:on
              Link Quality=70/70  Signal level=-40 dBm
              Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
              Tx excessive retries:0  Invalid misc:71   Missed beacon:0

I try to run Wireshark and capture traffic between me and my AP. The problem is that whenever I start it, Wireshark captures only packets with protocol 802.11, that is, some beacons and encrypted data, and none of TCP, UDP, etc. (I choose my wlan0 interface). After a few seconds of scanning, my Wi-Fi adapter disconnects from the AP and Wireshark stops scanning with an error "The network adapter on which the capture was being done is no longer running; the capture has stopped.", and "Unknown message from dumpcap reading header, try to show it as a string: Can't restore interface wlan0 wireless mode (SIOCSIWMODE failed: Operation not permitted). Please adjust manually.". Right after the error occurs and Wireshark stops running, my adapter automatically connects to my AP and works just fine until my next scanning attempt. Does anyone know what the problem is? Maybe I should mention that I was sniffing on my own network some time ago in monitor mode and everything went successfully; maybe some settings are left unchanged and cause the error?

Thanks in advance.


Do you have the monitor mode check box set in capture --> options?

Maybe: you start Wireshark, it puts the adapter into monitor mode because the check box is set for a short period of time until your NetworkManager decides to take over and puts the adapter into managed mode again.

Bob Jones ( 2021-01-02 20:40:59 +0000 )
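One way to test the hypothesis in the comment above is to log the adapter's mode once per second while the capture runs and look for a switch between Monitor and Managed. This is an added example, not part of the original thread; it assumes `iwconfig` is installed, takes the interface name `wlan0` from the question, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: record mode changes of a wireless interface during a capture.

# Extract the mode (Managed, Monitor, ...) from iwconfig text on stdin.
# Prints "unknown" when no "Mode:" field is present (e.g. interface gone).
parse_mode() {
    mode=$(sed -n 's/.*Mode:\([A-Za-z-]*\).*/\1/p' | head -n 1)
    echo "${mode:-unknown}"
}

# Read one mode per line on stdin and print every change as "old->new".
mode_changes() {
    prev=""
    while IFS= read -r mode; do
        if [ -n "$prev" ] && [ "$mode" != "$prev" ]; then
            echo "${prev}->${mode}"
        fi
        prev=$mode
    done
}

# Poll the live interface once per second and emit its mode each time.
# $1 = interface (default wlan0), $2 = number of seconds (default 15).
sample_modes() {
    iface=${1:-wlan0}
    secs=${2:-15}
    i=0
    while [ "$i" -lt "$secs" ]; do
        iwconfig "$iface" 2>/dev/null | parse_mode
        sleep 1
        i=$((i + 1))
    done
}

# Constructed sample input, modelled on the iwconfig output in the question.
SAMPLE_IWCONFIG='wlan0     IEEE 802.11  ESSID:"My Network"
          Mode:Managed  Frequency:2.472 GHz  Access Point: 12:34:56:78:90:AB
          Bit Rate=144.4 Mb/s   Tx-Power=20 dBm'

# Usage, started just before the Wireshark capture:
#   sample_modes wlan0 15 | mode_changes
```

A `Managed->Monitor` line at capture start followed by `Monitor->Managed` a few seconds later would match the sequence described in the comment.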