Wireshark-users: Re: [Wireshark-users] Capturing Wi-Fi traffic to/from Modem

From: Evan Huus <eapache@xxxxxxxxx>
Date: Sat, 12 Jul 2014 11:53:53 -0400
On Sat, Jul 12, 2014 at 11:40 AM, GaryT <gary@xxxxxxxx> wrote:
On my desktop I have Wireshark Version 1.11.0 running on Linux 2.6.32-55-generic.

I'm slowly moving over to a laptop which of course is Wireless.

The Laptop is:
  ThinkPad R500
  Core 2 Duo P8400
  2.26 GHz
  2048MB RAM
  BIOS V207 (Feb 2009)

Have loaded the default Canonical Wireshark (v1.10.6 from master-1.10) onto the laptop and found it was monitoring only Bluetooth, and of course, it captured no packets. There was no option to monitor Wi-Fi traffic. Big lesson #1.  It's not that simple.

Generally I'm interested only in the traffic to/from the wireless modem (i.e. Internet). Have now switched off Bluetooth, because I don't use it. I'd also like to know a bit about how to detect and protect from rogue wireless attacks, if that's at all relevant.

Notwithstanding all that, I want to maintain the capability of connecting the laptop to my big monitor with perhaps a short Ethernet cable to the modem. That may be a whole new discussion but learn I must.

Searched and found a 6000 word document on the Wireshark.Org site...


WLAN (IEEE 802.11) capture setup
--------------------------------
The following will explain capturing on 802.11 wireless networks (WLAN).


By the time I read halfway through that doc the old head was spinning. So many things to consider, so many options and possibilities for someone whose knowledge of Wi-Fi is about as solid as his knowledge of the atmosphere on Mars.  Memorising, even understanding that overall flow chart is beyond my current capability.

I need help to discover the card and drivers etc on the laptop and someone (or some folks) to hold my hand and show me how to:

(1)
identify and obtain the correct version of Wireshark
(Perhaps the current v1.10.6 is enough)

It should be.
 
(2)
identify the Laptop card and drivers etc in order to determine how to get Wireshark capturing 802.11 packets.
 
First step is to be able to use the wifi to e.g. browse the web; it's not clear from your email if that's even the case. If that's already working, then capturing "cooked" packets (with all the IEEE802.11 headers, encryption, etc. stripped and replaced with fake ethernet headers) should be as simple as pointing Wireshark at your wlan0 interface. If Wireshark doesn't display any wlan* interfaces even though you have working wifi, that's *weird* and possibly a bug.

Do you have sufficient permissions to view those interfaces? If you just installed the default Wireshark (which is actually inherited from Debian, so Canonical doesn't have much to do with it) then normal users aren't given permission to capture packets by default. You should follow the instructions in [1] to give regular users permission to capture packets.

Once you can capture cooked packets, capturing "raw" packets (with all the IEEE802.11 headers etc) should be as simple as checking the "monitor mode" box in the capture options dialogue box, assuming your version of Wireshark is recent enough (which 1.10.* should be).
From that (above) document I'm aware of many snippets of info, for example:

[The "monitor mode enabled on mon0" means that you must then capture on the "mon0" interface, not on the "wlan0" interface, to capture in monitor mode. To turn monitor mode off, you would use a command such as sudo airmon-ng stop mon0, not sudo airmon-ng stop wlan0.]

But, learning them all, understanding them and applying them in the right order is beyond the capacity of this tired old brain.
I can drive nails, as a younger man I designed software for many years but this little house will be built from strange new materials.

Greatly appreciate any help, pointers, comments.
Wouldn't it be terrific if someone wrote, "All you need to do is..."
GaryT
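As an added example for this page (not code from the thread, from Evan, or from the Wireshark project), the three checks Evan's reply walks through can be scripted: whether the user is allowed to capture at all, which wireless interface gives "cooked" packets, and which interface to select once airmon-ng has created a monitor interface. The group name "wireshark", the getcap output formats and every piece of sample command output below are assumptions or constructed samples, so the script runs offline; on a real machine you would feed it the output of `groups`, `getcap $(command -v dumpcap)`, `iw dev` and `airmon-ng start wlan0` instead.

```shell
#!/bin/sh
# Added example for this page, not code from the thread or from Wireshark.
# Pre-flight checks for capturing 802.11 traffic on Linux, following the
# reply above: (1) can this user capture at all, (2) which wireless
# interface gives "cooked" packets, (3) which interface to select once
# airmon-ng has created a monitor interface.
# Assumptions (not stated on the page): the Debian/Ubuntu package grants
# capture via membership in the "wireshark" group plus file capabilities
# on dumpcap; all sample text below is constructed so the script runs offline.

# (1) can_capture "<output of groups>" "<output of getcap on dumpcap>"
#     Returns 0 only if the user is in the wireshark group AND dumpcap
#     carries cap_net_admin and cap_net_raw. Both libcap print styles are
#     accepted: "= cap_net_admin,cap_net_raw+eip" and "cap_net_admin,cap_net_raw=eip".
can_capture() {
    groups_out=$1
    getcap_out=$2
    case " $groups_out " in
        *" wireshark "*) ;;
        *) return 1 ;;
    esac
    case "$getcap_out" in
        *cap_net_admin*cap_net_raw*|*cap_net_raw*cap_net_admin*) return 0 ;;
        *) return 1 ;;
    esac
}

# (2) wlan_ifaces: reads `iw dev` output on stdin and prints
#     "<interface> <type>" for each wireless interface. Type "managed" is
#     the normal client mode: pointing Wireshark at it yields cooked packets
#     with fake Ethernet headers; type "monitor" yields raw 802.11 frames.
wlan_ifaces() {
    awk '$1 == "Interface" { name = $2 }
         $1 == "type"      { print name, $2 }'
}

# (3) monitor_iface "<airmon-ng start output>": extracts the interface name
#     from "(monitor mode enabled on mon0)". Capture on that name, and stop
#     it later with "airmon-ng stop <that name>", not wlan0.
monitor_iface() {
    printf '%s\n' "$1" | sed -n 's/.*monitor mode enabled on \([^ )]*\).*/\1/p'
}

# Constructed sample data standing in for real command output.
SAMPLE_GROUPS="gary adm cdrom sudo wireshark"
SAMPLE_GETCAP="/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip"
SAMPLE_IW_DEV="phy#0
	Interface wlan0
		ifindex 3
		type managed
		channel 6 (2437 MHz), width: 20 MHz, center1: 2437 MHz"
SAMPLE_AIRMON="Interface	Chipset		Driver
wlan0		(example chipset)	(example driver) - [phy0]
				(monitor mode enabled on mon0)"

if can_capture "$SAMPLE_GROUPS" "$SAMPLE_GETCAP"; then
    echo "capture permission: ok"
else
    echo "capture permission: missing (add the user to the wireshark group)"
fi
printf '%s\n' "$SAMPLE_IW_DEV" | wlan_ifaces
echo "monitor interface to capture on: $(monitor_iface "$SAMPLE_AIRMON")"
```

The permission check is the one most often missed: a freshly installed Debian-derived package lists no interfaces for a normal user until group membership and the capabilities on dumpcap are both in place, and a new group membership only takes effect after logging in again.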



___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe