Wireshark-dev: Re: [Wireshark-dev] Why "Monitor Mode" column still showed "n/a" when pcap_can_s

From: Yang Luo <hsluoyb@xxxxxxxxx>
Date: Thu, 19 May 2016 00:05:53 +0800
Hi Pascal,

The cause is that pcap_can_set_rfmon() is not exported. After I export it, the Capture Interfaces window still shows "disabled" in the "Monitor Mode" column.

But there's another issue: dumpcap.exe crashes when Wireshark is launched. After some debugging, I found the cause:
My pcap_can_set_rfmon() implementation is the following pcap_can_set_rfmon_win32 function.

/*
 * Check if rfmon mode is supported on the pcap_t for Windows systems.
 */
static int
pcap_can_set_rfmon_win32(pcap_t *p)
{
	return PacketIsMonitorModeSupported(p->adapter);
}


And it calls the PacketIsMonitorModeSupported() function in Packet.dll. This function calls PacketRequest to send a Query OID request (OID_DOT11_OPERATION_MODE_CAPABILITY), as Guy said. And the PacketRequest call needs the adapter to be opened first.

So it seems that Wireshark should open the adapter before querying whether it supports monitor mode, which is not the case currently.

I find this paradoxical, because there are so many functions that need to send Query/Set OID requests. So I looked at them and found that most OID requests are "Set" ones, like pcap_set_buffer_size(). It doesn't immediately call PacketSetBuff(); it just records the value and sets it when pcap_activate_win32() is called. However, functions that need to "Query" OIDs can't do this, because the value needs to be obtained at once; it can't be postponed until pcap_activate_win32() is called. I found that only pcap_stats_ex() is in this category. It calls PacketGetStatsEx, which tries to query an OID. But this pcap_stats_ex() function is never used in Wireshark.

So I want to know how to solve this. Is it possible to make Wireshark open the adapter first, before querying whether it supports monitor mode?
Or we can do it in a simpler way. First we determine whether the adapter is a wireless adapter. If it's not a wireless adapter, we don't even need to know whether it has monitor mode support. BTW, do you know any built-in method to tell whether an adapter is a wireless one? I only know one method:
1) use "netsh wlan show interfaces" to show the names of all wireless adapters
2) compare the pcap_t adapter name with the above names; if there's a match, then it's a wireless adapter.
But I don't think that's very good. Are there better solutions?

And considering that most wireless adapters support monitor mode (at least I haven't heard anyone say their adapter doesn't support it), we can just safely return TRUE in pcap_can_set_rfmon_win32() for any wireless adapter. So the "Query" OID request is no longer needed.


Cheers,
Yang
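The "deferred Set vs. immediate Query" problem described in the message above, as an added, stand-alone example that is not libpcap or Npcap code. It simulates the relevant contract (a Query OID needs an open adapter; a Set OID can be recorded and replayed at activation) with constructed stand-ins, and shows two ways of answering the rfmon question on a pcap_t that has not yet been activated, which is the order libpcap's pcap_create()/pcap_can_set_rfmon()/pcap_activate() API calls them in. Every name prefixed sim_, the adapter table, and the numeric error values are assumptions made for the example, not Packet.dll's or libpcap's real ones.

```c
/* Added example, not libpcap or Npcap code: a stand-alone simulation of the
 * "deferred Set vs. immediate Query" OID problem. Everything prefixed sim_
 * is a constructed stand-in for Packet.dll/libpcap; error values are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIM_PCAP_ERROR           (-1)
#define SIM_PCAP_ERROR_ACTIVATED (-4)

/* Constructed adapter table standing in for what the driver would report. */
struct sim_adapter { const char *name; int supports_monitor; };
static const struct sim_adapter sim_table[] = {
    { "\\Device\\NPF_{WIFI-0000}", 1 },   /* wireless, monitor-capable */
    { "\\Device\\NPF_{ETH-0000}",  0 },   /* wired */
};

/* Open-adapter handle, standing in for Packet.dll's ADAPTER. */
typedef struct { const struct sim_adapter *entry; int kernel_buffer; } SIM_ADAPTER;

static SIM_ADAPTER *sim_PacketOpenAdapter(const char *name)
{
    for (size_t i = 0; i < sizeof sim_table / sizeof sim_table[0]; i++)
        if (strcmp(sim_table[i].name, name) == 0) {
            SIM_ADAPTER *a = calloc(1, sizeof *a);
            if (a) a->entry = &sim_table[i];
            return a;
        }
    return NULL;
}
static void sim_PacketCloseAdapter(SIM_ADAPTER *a) { free(a); }

/* Query OID stand-in: dereferences the handle, so an unopened (NULL) adapter
 * is exactly the dumpcap crash described above. */
static int sim_PacketIsMonitorModeSupported(SIM_ADAPTER *a) { return a->entry->supports_monitor; }

typedef struct {
    char device[128];
    int activated;
    int pending_buffer_size;   /* recorded now, applied on activate */
    SIM_ADAPTER *adapter;      /* NULL until activated */
} sim_pcap_t;

static sim_pcap_t *sim_pcap_create(const char *device)
{
    sim_pcap_t *p = calloc(1, sizeof *p);
    if (p) snprintf(p->device, sizeof p->device, "%s", device);
    return p;
}
static void sim_pcap_close(sim_pcap_t *p) { if (p) { sim_PacketCloseAdapter(p->adapter); free(p); } }

/* Deferred "Set", as pcap_set_buffer_size() does: only record the value. */
static int sim_pcap_set_buffer_size(sim_pcap_t *p, int dim)
{
    if (p->activated) return SIM_PCAP_ERROR_ACTIVATED;
    p->pending_buffer_size = dim;
    return 0;
}

/* Activation opens the adapter, then replays the recorded "Set" requests. */
static int sim_pcap_activate(sim_pcap_t *p)
{
    if (p->activated) return SIM_PCAP_ERROR_ACTIVATED;
    if (!(p->adapter = sim_PacketOpenAdapter(p->device))) return SIM_PCAP_ERROR;
    p->adapter->kernel_buffer = p->pending_buffer_size;   /* the deferred Set lands here */
    p->activated = 1;
    return 0;
}

/* Guarded variant of the posted pcap_can_set_rfmon_win32(): no crash, but
 * also no answer before activation, which is when Wireshark asks. */
static int sim_can_set_rfmon_guarded(sim_pcap_t *p)
{
    return p->adapter ? sim_PacketIsMonitorModeSupported(p->adapter) : SIM_PCAP_ERROR;
}

/* Transient-open variant: open a throwaway handle just for the Query OID. */
static int sim_can_set_rfmon_transient(sim_pcap_t *p)
{
    if (p->adapter) return sim_PacketIsMonitorModeSupported(p->adapter);
    SIM_ADAPTER *tmp = sim_PacketOpenAdapter(p->device);
    if (!tmp) return SIM_PCAP_ERROR;
    int r = sim_PacketIsMonitorModeSupported(tmp);
    sim_PacketCloseAdapter(tmp);
    return r;
}

/* Scenario driver: the rfmon answer, the buffer size the adapter ended up
 * with, and what a Set attempted after activation returns. */
struct sim_result { int rfmon, buffer, set_after; };
static struct sim_result sim_scenario(const char *dev, int activate_first, int transient)
{
    struct sim_result res = { SIM_PCAP_ERROR, SIM_PCAP_ERROR, SIM_PCAP_ERROR };
    sim_pcap_t *p = sim_pcap_create(dev);
    if (!p) return res;
    sim_pcap_set_buffer_size(p, 4096);                       /* deferred Set */
    if (activate_first && sim_pcap_activate(p) == 0) {
        res.buffer = p->adapter->kernel_buffer;              /* applied at activate */
        res.set_after = sim_pcap_set_buffer_size(p, 8192);   /* too late: refused */
    }
    res.rfmon = transient ? sim_can_set_rfmon_transient(p) : sim_can_set_rfmon_guarded(p);
    sim_pcap_close(p);
    return res;
}
```

The guarded variant only turns the NULL dereference into an error return, so Wireshark would still get no usable answer before activation; the transient-open variant answers the question at the point where the API asks it, at the cost of one extra open/close of the adapter. Whether Npcap can afford that extra open (and whether it needs the same privileges as a capture open) is a question for the real driver, not something this simulation settles.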
On Wed, May 18, 2016 at 5:51 PM, Pascal Quantin <pascal.quantin@xxxxxxxxx> wrote:
Hi Yang,

2016-05-17 19:02 GMT+02:00 Yang Luo <hsluoyb@xxxxxxxxx>:
Hi list,

I'm using Wireshark 2.1.0-3054-gad4d0b8. I found that after I made the pcap_can_set_rfmon() function in Npcap always return 1, the Capture Interfaces window still shows "n/a" in the "Monitor Mode" column.

J:\npcap\wpcap\libpcap\pcap.c:

/*
 * Returns 1 if rfmon mode can be set on the pcap_t, 0 if it can't,
 * a PCAP_ERROR value on an error.
 */
int
pcap_can_set_rfmon(pcap_t *p)
{
	return 1;
	//return (p->can_set_rfmon_op(p));
}


I have analyzed the code flow:


ti->setText(col_monitor_, QString(device->monitor_mode_supported? (device->monitor_mode_enabled ? tr("enabled") : tr("disabled")) : tr("n/a")));
The key is:
device->monitor_mode_supported

device.monitor_mode_supported = caps->can_set_rfmon;
The key is:
caps->can_set_rfmon

status = pcap_can_set_rfmon(pch);
The key is:
pcap_can_set_rfmon()

So this call sequence shows that if pcap_can_set_rfmon() returns 1, the "Monitor Mode" column should show "enabled" or "disabled", not "n/a". So what am I missing here?

I just tested v2.1.0rc0-3090-g886e2bf with the following patch applied:
diff --git a/caputils/capture-wpcap.c b/caputils/capture-wpcap.c
index 5094375..e5a2661 100644
--- a/caputils/capture-wpcap.c
+++ b/caputils/capture-wpcap.c
@@ -495,6 +495,7 @@ int
 pcap_can_set_rfmon(pcap_t *a)
 {
        g_assert(has_wpcap);
+       return 1;
        if (p_pcap_can_set_rfmon != NULL) {
                return p_pcap_can_set_rfmon(a);
        }
        return 0;
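Review bot: the unconditional `return 1;` placed ahead of `if (p_pcap_can_set_rfmon != NULL)` makes that branch and the trailing `return 0;` unreachable, so this only proves the GUI renders "disabled" when the wrapper returns 1; it cannot show which branch the unpatched build takes. For that diagnostic, log the pointer instead of overriding the result, e.g. `g_warning("p_pcap_can_set_rfmon=%p", (void *)p_pcap_can_set_rfmon);` before the existing `if`, and keep the patch local: merged as-is it would report monitor-mode support for every adapter, wireless or not.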

And the Qt GUI correctly displays "disabled".
So presumably p_pcap_can_set_rfmon is NULL.

Is the pcap_can_set_rfmon() symbol exported by your wpcap.dll? Can you share an Npcap test build?

Regards,
Pascal.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe