This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Does the TP-Link TL-WN722N support monitor mode in Wireshark or not?

0

Hello, I am using the Atheros 9271 chipset. When I am using Wireshark, the only link-layer header types available for wlan0 are Ethernet and DOCSIS; 802.11 plus radiotap header is not available, and I can't select monitor mode, it is greyed out. But when I use the command 'airmon-ng start wlan0', monitor mode is enabled; after this, mon0 is available in the Wireshark interface list, in the mon0 interface's link layer header type's available 802.11 plus radiotap header but not selectable. What is the reason for all this?

asked 19 Feb '15, 04:48

hackerguru1989

What do you mean by "not selectable" in "in the mon0 interface's link layer header type's available 802.11 plus radiotap header but not selectable"? Do you mean that you can't select the mon0 interface and capture on it or do you mean that you can't select a link-layer header type? If it's that you can't select a link-layer header type, that's because it only supports 802.11+radiotap (which is the case with most Wi-Fi adapters on Linux when capturing in monitor mode).

(19 Feb '15, 19:44) Guy Harris ♦♦

Sir, I can select the mon0 interface, but I can't select mon0's link-layer header type. My wlan0 interface's link-layer header types are only Ethernet and DOCSIS; 802.11 plus radiotap is not available. Is there any problem with my wireless adapter (Atheros AR-9271 chipset)?

(20 Feb '15, 15:20) hackerguru1989

One Answer:

0

On most OSes, you don't get to select the link-layer header type for 802.11 interfaces independently of monitor mode (and even the *BSD exceptions may not still be exceptions to that rule).

If you're not in monitor mode, you either get a choice of Ethernet and DOCSIS or only a choice of Ethernet. (The choice of DOCSIS is there to allow sniffing DOCSIS traffic that some types of Cisco cable modem equipment at the cable company will put on an Ethernet, using Ethernet physical-layer framing but not Ethernet MAC-layer headers; this doesn't apply to Wi-Fi, and libpcap will, if it can determine whether an interface offering the Ethernet link-layer type is a real Ethernet interface or not, offer DOCSIS only for Ethernet. It appears from what you're saying that libpcap needs to try harder to determine that on Linux.)

If you are in monitor mode, on some operating systems, you might get a choice of 802.11 without radio information ("802.11") and 802.11 with radio information in some format or formats ("802.11 plus radiotap", "802.11 plus AVS", etc.). For most interfaces, Linux only offers 802.11 plus radiotap.

So, there is no problem, other than some annoying libpcap issues that prevent you from selecting monitor mode from within Wireshark (by using the checkbox) rather than having to use airmon-ng. (Changing libpcap to avoid using libnl, which should get rid of those issues, is on my to-do list, but it'd take some work.)

If you don't want to capture in monitor mode, capture on wlan0, and live with only getting Ethernet headers (which means only getting data frames, not getting some 802.11 details, and not getting radio information). That's a limitation of Linux, not of Wireshark or of your adapter and its driver.

If you do want to capture in monitor mode, capture on mon0, and live with only getting 802.11 headers + radiotap radio metadata headers (which means you can get frames other than data frames, will get 802.11 details, and will get radio information - but, if you're capturing on a "protected" network, using WEP or WPA/WPA2, you'll have to give Wireshark the network password to get it to decrypt the traffic so you can see details beyond the 802.11 header, and will have to capture the initial EAPOL handshake for all hosts whose traffic you want to decrypt; this also means that you can't use capture filters, as they don't work on encrypted data). That's a limitation of Linux, not of Wireshark or of your adapter and its driver.

answered 20 Feb '15, 15:37

Guy Harris ♦♦

Hello sir, which wireless USB adapters support monitor mode and promiscuous mode? I also need the interface link-layer type 802.11 plus radiotap header. I am using a TP-Link TL-WN722N. So tell me, which wireless adapter do I have to buy?

(23 Feb '15, 03:15) hackerguru1989

If airmon-ng was able to create a mon0 interface for your adapter, it supports monitor mode.

If you have a mon0 interface, try capturing on that; if you don't have a mon0 interface, run airmon-ng to create the mon0 interface, and then try capturing on that.

(23 Feb '15, 10:50) Guy Harris ♦♦

Sir, I am able to enable monitor mode with airmon-ng, but I cannot enable monitor mode in Wireshark.

(26 Feb '15, 03:59) hackerguru1989

You don't have to enable monitor mode in Wireshark, just capture on mon0 after you have created it with airmon-ng!

(26 Feb '15, 04:46) Kurt Knochner ♦
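
An added example, not part of the original thread and not code from Wireshark or libpcap: the link-layer header type discussed in the answer is recorded in the global header of every classic pcap file, so a saved capture shows whether it was taken on wlan0 (Ethernet) or on mon0 (802.11 plus radiotap). The function name `describe_capture` and the `SAMPLE` bytes are constructed for illustration.

```python
import struct

# LINKTYPE_ values as stored in pcap files (tcpdump.org link-layer type registry).
LINKTYPES = {1: "Ethernet", 105: "802.11", 119: "802.11 plus Prism header",
             127: "802.11 plus radiotap", 143: "DOCSIS", 163: "802.11 plus AVS"}
FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}

# Constructed sample: pcap global header with linktype 127, then one record holding
# an 8-byte radiotap header followed by the frame-control bytes of a beacon.
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 127)
          + struct.pack("<IIII", 0, 0, 10, 10)
          + struct.pack("<BBHI", 0, 0, 8, 0) + b"\x80\x00")


def describe_capture(data: bytes) -> dict:
    """Report a pcap file's link-layer type and classify its first 802.11 frame."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"  # little-endian file (microsecond or nanosecond timestamps)
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    network = struct.unpack(endian + "I", data[20:24])[0]
    linktype = network & 0xFFFF  # upper bits can carry FCS-length information
    info = {"linktype": LINKTYPES.get(linktype, f"other ({linktype})"),
            "first_frame": None}
    if len(data) < 40:
        return info  # global header only, no packet records
    incl_len = struct.unpack(endian + "I", data[32:36])[0]
    frame = data[40:40 + incl_len]
    offset = None
    if linktype == 105:
        offset = 0  # 802.11 header starts the packet
    elif linktype == 127 and len(frame) >= 4:
        # radiotap is always little-endian: version, pad, total header length
        offset = struct.unpack("<H", frame[2:4])[0]
    if offset is not None and len(frame) > offset:
        # first frame-control byte: bits 2-3 hold the 802.11 frame type
        info["first_frame"] = FRAME_TYPES[(frame[offset] >> 2) & 0x3]
    return info
```

A file captured on wlan0 without monitor mode reports "Ethernet" and never yields a management or control frame, which matches the limitation described in the answer.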