Wireshark for Ubuntu - Monitor Mode

Question

Octet 45 Newbie Poster

10 Years Ago

Hello Daniweb,

I've recently become interested in networking, especially the administrative side of it (monitoring them, managing and resolving faults etc.) and therefore I thought one of the best ways I could learn was to see what was actually happening on them.

I installed Wireshark for Ubuntu, and everything seems to work fine when monitoring my own traffic. The problem I am facing is, when setting the Wireless Adaptor to 'Monitor' mode so that I can view what is happening on the rest of my network, it shall run for a couple of seconds before crashing with the error:

Unknown message from dumpcap, try to show it as a string: Can't restore interface wlan0 wireless mode (SIOCSIWMODE failed: Operation not permitted).
Please adjust manually.

and

The network adapter on which the capture was being done is no longer running; the capture has stopped.

I don't really know what the problem is, the Wireshark output is just filled with tens of thousands of messages from a wireless printer before the adapter fails. If I end it manually before the adapter crashes, it shall still show up with the same errors.

My guess is it can't put it back into Managed mode, however I don't know why it crashes when running.

Any help would be greatly appreciated!

Thank you

Edited 10 Years Ago by Octet

3 Contributors
4 Replies
2K Views
1 Year Discussion Span
Latest Post 9 Years Ago Latest Post by Prtablegm

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Octet 45 Newbie Poster Featured Poster · Answer 1 · 2013-06-15T10:10:04+00:00

After a bit of researching I believe the issue is now related to Libpcap, however even when compiling the latest version of it I am still having issues.

Placing the card in monitor mode via the terminal manually also seems to cause it to stop.

Octet 45 Newbie Poster Featured Poster · Answer 2 · 2013-06-15T15:04:59+00:00

I've managed to keep it in monitor mode with the use of the Airmon-NG Script, however all I see is a load of beacon frames and no other packets, not even from my own computer (the one running Wireshark).

Could someone please explain why this is?
Thanks

dscherrer 0 Newbie Poster · Answer 3 · 2014-11-04T13:21:52+00:00

I have also had this problem: Setting the interface to promiscuous mode using ifconfig and then running tshark led to the error message you mentioned. Somehow my interface went from ethernet encapsulation to "unspec" encapsulation during the the capture.
Some experimentation led me to the following solution: Use iwconfig, eg:
iwconfig wlan0 mode monitor to to capture all traffic instead of ifconfig wlan0 promisc
The transition from ethernet to unspecified encapsulation still occurs but it seems to not be harmful anymore...

Prtablegm 0 Newbie Poster · Answer 4 · 2014-11-26T11:10:00+00:00

I feel like a grave digger on this topic , but here we go for anyone else. Not all chipsets are the same , to better understand what I mean is that there are some wireless cards that just cannot do what you want it to do. Go to http://www.aircrack-ng.org/doku.php?id=compatibility_drivers .
There you will find what wireless cards can do what etc. The wireless card does make the difference.

Portablegamemaster