WLAN monitor mode: check box won't stay checked

I'm running Wireshark 3.2.3 on Linux Cinnamon Mint.

uname -a returns "Linux martin-mint 5.4.0-88-generic #99-Ubuntu SMP Thu Sep 23 17:29:00 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux"

wireshark -v returns

Wireshark 3.2.3 (Git v3.2.3 packaged as 3.2.3-1)

Copyright 1998-2020 Gerald Combs [email protected] and contributors. License GPLv2+: GNU GPL version 2 or later https://www.gnu.org/licenses/gpl-2.0.html This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.12.8, with libpcap, with POSIX capabilities (Linux), with libnl 3, with GLib 2.64.2, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.15.0, with Lua 5.2.4, with GnuTLS 3.6.13 and PKCS #11 support, with Gcrypt 1.8.5, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.40.0, with brotli, with LZ4, with Zstandard, with Snappy, with libxml2 2.9.10, with QtMultimedia, without automatic updates, with SpeexDSP (using system library), with SBC, with SpanDSP, without bcg729.

Running on Linux 5.4.0-88-generic, with Intel(R) Core(TM) i3-2120T CPU @ 2.60GHz (with SSE4.2), with 3802 MB of physical memory, with locale en_GB.UTF-8, with libpcap version 1.9.1 (with TPACKET_V3), with GnuTLS 3.6.13, with Gcrypt 1.8.5, with brotli 1.0.7, with zlib 1.2.11, binary plugins supported (0 loaded).

My wireless adaptor is Realtek 8811CU and this appears to work OK: I can connect to a network and browse the web using it.

iw dev initially returns

phy#0
    Interface wlx000f00[redacted]
        ifindex 3
        wdev 0x1
        addr 00:0f:00:[redacted]
        type managed
        txpower 12.00 dBm

but when I run "sudo iw dev wlx000f00[redacted] set monitor none", "iw dev" returns

phy#0
    Interface wlx000f00[redacted]
        ifindex 3
        wdev 0x1
        addr 00:0f:00:[redacted]
        type monitor
        txpower 12.00 dBm

So it looks as if the adaptor is now in monitor mode.

I start Wireshark (sudo wireshark) and select Capture | Options. The WLAN adaptor now has a check box in the column "Monitor" which is not present if the adaptor is in managed mode.

But as soon as I check the Monitor box, it unchecks itself. Promiscuous mode is enabled for all adaptors.

What am I doing wrong?

I'm tearing my hair out trying to find a way to wireshark the traffic between an Android phone and the internet to work out why no browser on the phone (Firefox, Dolphin, Chrome) can browse to a specific web site even though a) it can browse all other sites, and b) Windows and Linux computers can browse to the site. Hence the need to wireshark the wireless network that the phone is connected to (in the absence of Wireshark for Android!!!!!!!!!!!). I gather that Wireshark for Linux can use monitor mode whereas Wireshark for Windows (npcap or winpcap) cannot.
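
The `iw dev` check described in the question can be scripted by parsing its output and reporting each interface's type. This is an added example, not part of the original post; the sample output, interface names and addresses are constructed, and the function names are hypothetical.

```shell
# Constructed sample of `iw dev` output (names and addresses are made up).
SAMPLE_IW_DEV='phy#1
    Unnamed/non-netdev interface
        wdev 0x100000002
        addr 02:00:00:00:01:01
        type P2P-device
    Interface wlan1
        ifindex 4
        wdev 0x100000001
        addr 02:00:00:00:01:00
        ssid example-net
        type managed
        txpower 20.00 dBm
phy#0
    Interface wlxexample0
        ifindex 3
        wdev 0x1
        addr 02:00:00:00:00:01
        type monitor
        txpower 12.00 dBm'

# Read `iw dev` output on stdin; print one "phy interface type" line per
# named interface. Unnamed (non-netdev) wdevs are skipped so that their
# "type" line is not attributed to the interface listed before them.
iw_iface_types() {
    awk '
        function emit() { if (iface != "") print phy_of, iface, type; iface = "" }
        /^phy#/                      { emit(); phy = $1 }
        $1 == "Interface"            { emit(); iface = $2; phy_of = phy; type = "unknown" }
        $1 == "Unnamed/non-netdev"   { emit() }
        $1 == "type" && iface != ""  { type = $2 }
        END                          { emit() }
    '
}

# Read `iw dev` output on stdin; succeed only if interface $1 has type monitor.
iface_is_monitor() {
    iw_iface_types | awk -v want="$1" \
        '$2 == want && $3 == "monitor" { ok = 1 } END { exit !ok }'
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_IW_DEV" | iw_iface_types
```

On a live system, pipe the real command in instead: `iw dev | iface_is_monitor <interface>`.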
