
Wireshark-dev: Re: [Wireshark-dev] Some questions about Wireshark monitor mode support on Windo

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 20 May 2016 12:28:21 -0700
On May 18, 2016, at 11:41 AM, Yang Luo <hsluoyb@xxxxxxxxx> wrote:

> I just released Npcap 0.07 R4:
> https://github.com/nmap/npcap/releases
> 
> This version Npcap already supports monitor mode setting using Wireshark GUI or command line.
> 
> 1) For GUI, if you check the "Capture packets in monitor mode" option in "Edit Interface Settings", your adapter will turn into monitor mode immediately.

I see you figured out that you need to use the GTK+ version if you want to be able to turn monitor mode on.  Bug 11364

	https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11364

causes problems trying to use monitor mode in the Qt interface.

> 2) For CLI, run "dumpcap" command with -I option, your adapter will turn into monitor mode right before capturing.

"-I" should also work with tshark (and tcpdump if built for Windows).

> And I have several questions:
> 
> 1) In "Edit Interface Settings", if I check "Capture packets in monitor mode" option, my adapter will turn into monitor mode immediately.

As soon as you check the box, it *immediately* switches into monitor mode, and stays in monitor mode, even though you haven't started a capture?

That doesn't happen on OS X - it shouldn't happen until you actually start the capture.  Something in Npcap is setting monitor mode, but it's probably failing to turn monitor mode back off again.

> 2) After I check "Capture packets in monitor mode" option, the "Mon. Mode" column in "Capture Options" won't change from "disabled" to "enabled". This behavior is weird.

I.e., you check "Capture packets in monitor mode" and click "OK", and the "Capture Options" dialog doesn't show "enabled" for the adapter whose entry you double-clicked to get the "Edit Interface Settings" dialog?

That doesn't happen on OS X.

> 3) libpcap API (wpcap.dll) doesn't export a pcap_get_rfmon function, which means Wireshark can't get the current operation mode in any way.

There's not supposed to be a need for that mode - libpcap/WinPcap and the underlying capture mechanism are supposed to turn it on if any open pcap_t has it on, and turn it off if no pcap_t has it off.  Yes, this requires that some location shared between processes, whether it's in the kernel or in userland, needs to keep a count of open pcap_t's for which monitor mode has been requested.

> 4) Wireshark does nothing after capturing with "Capture packets in monitor mode" option checked. I think Wireshark should be responsible to change the mode back to managed when the capture ends, if it changed the mode to monitor when capture starts.

Again, that's supposed to be done by libpcap/WinPcap.
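The reference-counting behaviour described in the reply above (monitor mode is only applied at activation, stays on while any open handle requested it, and is released when the last such handle closes), as an added C model that is not part of this thread or of libpcap; the adapter/handle types and the handle_* functions are hypothetical stand-ins for the pcap_set_rfmon/pcap_activate/pcap_close flow:

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model, not libpcap code: the adapter stays in monitor mode
 * while at least one activated handle has asked for it, and returns to
 * managed mode when the last such handle is closed. */
struct adapter {
    int monitor_refs;   /* activated handles that requested monitor mode */
    bool in_monitor;    /* current mode: true = monitor, false = managed */
};

struct handle {
    struct adapter *dev;
    bool want_rfmon;    /* recorded before activation, like pcap_set_rfmon() */
    bool active;        /* counted in dev->monitor_refs once activated */
};

static void apply_mode(struct adapter *dev) {
    dev->in_monitor = dev->monitor_refs > 0;
}

struct handle *handle_create(struct adapter *dev) {
    struct handle *h = calloc(1, sizeof *h);
    if (h) h->dev = dev;
    return h;
}

/* Only records the request; the adapter mode must not change yet. */
int handle_set_rfmon(struct handle *h, bool on) {
    if (h->active) return -1;   /* too late once activated */
    h->want_rfmon = on;
    return 0;
}

/* Activation is the point where a requested monitor mode takes effect. */
int handle_activate(struct handle *h) {
    if (h->active) return -1;
    h->active = true;
    if (h->want_rfmon) h->dev->monitor_refs++;
    apply_mode(h->dev);
    return 0;
}

/* Closing drops the reference; the last closer restores managed mode. */
void handle_close(struct handle *h) {
    if (h->active && h->want_rfmon) h->dev->monitor_refs--;
    apply_mode(h->dev);
    free(h);
}
```

Checking the box in a GUI corresponds only to handle_set_rfmon here, so the mode stays managed until the capture is actually started and cannot be left stuck on once every handle is closed.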