Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: Re: [Wireshark-users] Capturing 802.11 RSSI and TX Rate Values Using Ubuntu Linu

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 29 Dec 2008 13:53:00 -0800

On Dec 26, 2008, at 8:08 AM, Tal Rusak wrote:

I am new to Wireshark. I need to capture RSSI values from an 802.11
network using an Ubuntu Linux 8.10 PC.

What version of the kernel is your PC running? ("uname -r" on the command line should tell you that.)

I have added the columns in
the user interface, but no values are displaying.

You're probably not getting 802.11 and radio headers when you're capturing. In the detail pane, what are the protocol layers Wireshark displays for packets?

Perhaps I have the
incorrect driver (currently I am using iwlagn). Can anyone provide a
hint?

The iwl drivers appear to support mac80211, at least in recent kernels; if so, they should be able to supply *some* radio information.

However, if they're mac80211 drivers, then, at least from my reading of the mac80211 code in net/mac80211 in the 2.6.27.9 kernel:

1) they supply radio information using the radiotap header, which doesn't directly provide RSSI values; instead, it can supply signal strength and noise power in dBm;

	2) they only supply it in "monitor mode".

In order to go into "monitor mode" with a mac80211 driver, you'd need to add a "monitor mode" virtual interface and capture on that. At least with newer kernels, this requires the "iw" command; assuming that the "master" interface for your wireless adapter is "wmaster0", you'd have to do

	iw dev wmaster0 interface add mon0 type monitor

	ifconfig mon0 up

and then capture on the "mon0" interface.  When you're done, do

	iw dev mon0 interface del

to get rid of the "mon0" interface.
	
Also, I can apparently use the 802.11 connection and capture packets
at the same time. With other sniffers I have used this was not
possible. Is this supposed to be possible with Wireshark, or is this
part of the problem in my setup?

Whether you can remain associated with a network and capture traffic depends on:

1) whether you're capturing in monitor mode or not - if you're not in monitor mode, you should remain associated with the network, but if you are in monitor mode, you *might* not be able to remain associated with the network;

2) the operating system on which you're running - Linux doesn't absolutely *prevent* you from remaining associated in monitor mode;

3) the adapter and driver - some adapters and drivers might allow you to remain associated even in monitor mode (the mac80211 driver for my Belkin stick appears to let me remain associated).