Monitor Mode checkbox on Wireshark is "--" despite having capability

asked 2021-11-01 18:33:00 +0000 by hammerhock, updated 2021-11-01 20:40:55 +0000

Good MorningNoonNight,

The Neat: Intel 7265 and Intel 8265 NIC

Kali Linux 2021.3 Live USB

Wireshark 3.4.7

The Gritty: I am trying to capture packets in a room we are troubleshooting for interference issues, and the vendor has asked me to use a third device (either Mac or Linux -- we are a Microsoft shop) to capture the packets with Wireshark in Monitor Mode.

I have tried on two of our devices that have the Intel 7265 and Intel 8265 NICs. Both are supposed to support Monitor Mode according to online research and using iw list.

Steps:

(1) I kill all processes that would disrupt Monitor mode

(2) I set the interface to monitor mode

(3) I set the channel to monitor

(4) I load wireshark

(5) I select promiscuous mode

(6) I select my wireless monitor mode interface (wlan0mon)

(7) There is a -- by monitor mode where there should be a check box. I have also tried starting monitor mode using the CLI but get a return of "can't start as monitor mode is not supported."

I have tried capturing packets anyway, and admittedly I don't 100% know what I should be seeing, but I typically only see probe requests with destination of broadcast and I thought it would be more specific than that. And also not just probe requests.

Anything I could be doing wrong / not understanding about this?


Comments

If you see probes, you are likely in monitor mode already. Both of those NICs are known to support monitor mode with most any kernel from the past few years. Under Frame --> Encapsulation type, does it say IEEE 802.11?

This does not mean they are right for the job at hand - that depends on the type of traffic you are trying to pick up.

On Linux, I usually put the interface into monitor mode directly so the name stays as it was. I think there is a step missing in your description, because typically wlan0mon is not made by itself - you either created it, or had something like airmon-ng do it for you.

A key issue is to shut down any NetworkManagers as they will usually cause problems. Alternatively, you can instruct the NetworkManager to ignore the wireless interface so it can be used exclusively for capture (recommended).

Bob Jones (2021-11-01 21:06:14 +0000)
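The in-place setup Bob describes (interface switched to monitor mode under its own name, NetworkManager told to ignore it, channel pinned), followed by the check that decides whether Wireshark can offer the Monitor Mode checkbox at all, as an added example that is not from this thread. It assumes root, the iw, ip, nmcli and tshark tools, and an interface named wlan0 unless IFACE is set; the `iw dev` sample text is constructed so the parser can be exercised without hardware.

```shell
#!/bin/sh
# Added example, not from the thread: monitor mode in place (no wlan0mon),
# NetworkManager told to leave the interface alone, channel pinned, result
# verified. Assumes root, iw/ip/nmcli/tshark, interface wlan0 unless IFACE set.
IFACE="${IFACE:-wlan0}"

# Constructed sample of `iw dev` output, used to exercise the parser offline.
SAMPLE_IW_DEV='phy#0
    Interface wlan0
        ifindex 3
        type monitor
        channel 6 (2437 MHz), width: 20 MHz (no HT), center1: 2437 MHz
    Interface wlan1
        ifindex 4
        type managed'

# Print the mode ("monitor", "managed", ...) of interface $1 from `iw dev`
# text on stdin; "unknown" if that interface is not listed.
iface_type() {
    awk -v want="$1" '
        $1 == "Interface" { cur = $2 }
        $1 == "type" && cur == want { print $2; found = 1 }
        END { if (!found) print "unknown" }'
}

# NetworkManager drop-in marking $1 unmanaged (Bob's recommended approach
# instead of killing NetworkManager); printed so the caller decides where it goes.
nm_unmanaged_conf() {
    printf '[keyfile]\nunmanaged-devices=interface-name:%s\n' "$1"
}

# Switch IFACE to monitor mode, pin channel $1 (default 6), then verify.
enable_monitor() {
    ch="${1:-6}"
    nm_unmanaged_conf "$IFACE" > "/etc/NetworkManager/conf.d/99-capture-$IFACE.conf"
    nmcli general reload 2>/dev/null || true       # harmless if nmcli is absent
    ip link set "$IFACE" down
    iw dev "$IFACE" set type monitor
    ip link set "$IFACE" up
    iw dev "$IFACE" set channel "$ch"
    # Wireshark only offers the Monitor Mode checkbox if the kernel agrees:
    t="$(iw dev | iface_type "$IFACE")"
    [ "$t" = "monitor" ] || { echo "$IFACE is '$t', not monitor" >&2; return 1; }
    # Encapsulation check from the thread: 23 = IEEE 802.11 plus radiotap header.
    tshark -i "$IFACE" -c 1 -T fields -e frame.encap_type 2>/dev/null || true
}

# Only touch hardware when given a channel argument, e.g. ./monitor.sh 6
if [ "$#" -gt 0 ]; then enable_monitor "$1"; fi
```

Run it once with the channel as argument, then start Wireshark on the same interface; if `iface_type` reports anything but monitor, the driver refused the mode change and the "--" in Wireshark is the kernel's answer, not a Wireshark bug.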

Hi Bob!

Thank you for the info. What I see under encapsulation type is "IEEE 802.11 plus radiotap radio header (23)".

Admittedly, I just tried it at home instead of work and I'm seeing more than I did at work, but I assume that is because of the different environments. At home I'm seeing sources with destinations (home AP, Roku etc.) while at work it was just "Destination: Broadcast". I'm going to assume this is just a bug with how Wireshark interacts with Kali / enabling the mode.

The job at hand is that we're simultaneously capturing packets on a client machine connected to an AP in a room while a second person collects data from upstream on the switch and then this third device with Kali I assume will be validating if the packets are being seen in the room at all by a ...(more)

hammerhock (2021-11-03 16:00:02 +0000)