F.Y.I. I also sent this to the Wireshark user's list to see if someone there can help me.
------
I'm trying to sniff my Wifi for a project, so I purchased a TP-Link WN722N USB adapter and followed the various instructions I've found on the Web. (I don't know if it's a Wireshark issue, a driver issue, or a Fedora issue.)
ip link set wlan0 down
iw wlan0 set monitor none
ip link set wlan0 up
When I plugged the adapter in I saw a new device 'wlp0s20f0u3' in addition to my internal adapter 'wlps20'.
Using the instructions, it failed:
# iw set wlp0s20f0u3 down
# iw wlp0s20f0u3 set monitor none
command failed: No such device (-19)
--> I don't know why?
So now that I have 2 adapters, I enabled the TPLink as my network connection (successfully) and tried to put my on-board adapter into monitor mode, instead:
# iw wlp2s0 set monitor none
# iwconfig wlp2s0 IEEE 802.11 Mode:Monitor Tx-Power=22 dBm Retry short limit:7 RTS thr:off Fragment thr:off Power Management:on
# iplink set wlp2s0 up
#
It looks good, so I start Wireshark (v 2.28) (Fedora 26), and look at Wireshark's 'capture options' table, it shows the interface, but under the heading 'Mon Mode', it shows disabled. (I also have 'Use promiscuous mode on all interfaces' enabled.)
--> Why does it show disabled?
--> Is it really disabled?
--> How do I know which frequencies (or bands) it might be listening on?
I started sniffing, but it doesn't capture anything.
... And after about 2 minutes, I get a pop-up error message from Wireshark saying: "The network adapter on which the capture was being done is no longer running; the capture has stopped."
Where to start?
Thanks
Fulko
On 9/28/20 5:08 PM, Fulko Hew wrote:
> I'm trying to sniff my Wifi for a project, so I purchased a TP-Link WN722N USB adapter and followed the various instructions I've found on the Web. When I plugged the adapter in I saw a new device 'wlp0s20f0u3' in addition to my internal adapter 'wlps20'.
> It looks good, so I start Wireshark (v 2.28) (Fedora 26),
If that's the version you're using, there's no point asking here for help. Why are you using something so old?
> and look at Wireshark's 'capture options' table, it shows the interface, but under the heading 'Mon Mode', it shows disabled.
In current Wireshark, that's a checkbox that you can click to turn monitor mode on or off.
I will give you instructions for current Fedora, but I can't help with any issues caused by what you're running.
Run "nmcli dev" to find out what the device is called. In my case I get a line like:
wlo1 wifi connected Auto myssid
If it doesn't say "unmanaged", then you need to tell NetworkManager that you want to control the device. Otherwise you will have that problem where the interface gets taken away from Wireshark. I will assume that "wlp0s20f0u3" is your device.
nmcli dev set wlp0s20f0u3 managed off
Now, just run Wireshark, check the monitor box for the interface and you're done.
On Mon, Sep 28, 2020 at 8:47 PM Samuel Sieb samuel@sieb.net wrote:
> On 9/28/20 5:08 PM, Fulko Hew wrote:
>> I'm trying to sniff my Wifi for a project, so I purchased a TP-Link WN722N USB adapter and followed the various instructions I've found on the Web. When I plugged the adapter in I saw a new device 'wlp0s20f0u3' in addition to my internal adapter 'wlps20'.
>> It looks good, so I start Wireshark (v 2.28) (Fedora 26),
> If that's the version you're using, there's no point asking here for help. Why are you using something so old?
Because that's what I currently have installed, and (rightly or wrongly) I'm afraid to do a 'dnf upgrade'. I've only ever done full installs and reloads... so I'm afraid of the unknown.
I do have another box running F32, that I could test on. It would be a different configuration, but I could try it.
>> and look at Wireshark's 'capture options' table, it shows the interface, but under the heading 'Mon Mode', it shows disabled.
> In current Wireshark, that's a checkbox that you can click to turn monitor mode on or off.
> I will give you instructions for current Fedora, but I can't help with any issues caused by what you're running.
> Run "nmcli dev" to find out what the device is called. In my case I get a line like:
> wlo1 wifi connected Auto myssid
> If it doesn't say "unmanaged", then you need to tell NetworkManager that you want to control the device. Otherwise you will have that problem where the interface gets taken away from Wireshark. I will assume that "wlp0s20f0u3" is your device.
> nmcli dev set wlp0s20f0u3 managed off
yes, as per my previous message, I did turn 'manage' off.
> Now, just run Wireshark, check the monitor box for the interface and you're done.
OK, I'll try testing with the other box tomorrow.
On 9/28/20 8:38 PM, Fulko Hew wrote:
> On Mon, Sep 28, 2020 at 8:47 PM Samuel Sieb <samuel@sieb.net> wrote:
>> On 9/28/20 5:08 PM, Fulko Hew wrote:
>>> It looks good, so I start Wireshark (v 2.28) (Fedora 26),
>> If that's the version you're using, there's no point asking here for help. Why are you using something so old?
> Because that's what I currently have installed, and (rightly or wrongly) I'm afraid to do a 'dnf upgrade'. I've only ever done full installs and reloads... so I'm afraid of the unknown.
It's "dnf system-upgrade" now and it works great. However, you're so far behind now that you might as well just do a re-install.
>> you want to control the device. Otherwise you will have that problem where the interface gets taken away from Wireshark. I will assume that "wlp0s20f0u3" is your device.
>> nmcli dev set wlp0s20f0u3 managed off
> yes, as per my previous message, I did turn 'manage' off.
I don't see anything in your first message about that. Is there another thread going on the wireshark list?
On Tue, Sep 29, 2020 at 12:30 AM Samuel Sieb samuel@sieb.net wrote: ... snip ...
> It's "dnf system-upgrade" now and it works great. However, you're so far behind now that you might as well just do a re-install.
>>> you want to control the device. Otherwise you will have that problem where the interface gets taken away from Wireshark. I will assume that "wlp0s20f0u3" is your device.
>>> nmcli dev set wlp0s20f0u3 managed off
>> yes, as per my previous message, I did turn 'manage' off.
> I don't see anything in your first message about that. Is there another thread going on the wireshark list?
No, no other thread. In the original email I used iw command to turn manage off.
Anyway, I've now switched to testing on my F32 box.
[root@localhost fhew]# nmcli dev set wlp2s0f0u4 managed off
[root@localhost fhew]# nmcli dev
DEVICE      TYPE      STATE      CONNECTION
enp5s0      ethernet  connected  Wired connection 1
lo          loopback  unmanaged  --
wlp2s0f0u4  wifi      unmanaged  --
[root@localhost fhew]# iwconfig
lo        no wireless extensions.
enp5s0    no wireless extensions.
wlp2s0f0u4  unassociated  ESSID:""  Nickname:"WIFI@REALTEK"
          Mode:Managed  Frequency=2.412 GHz  Access Point: Not-Associated
          Sensitivity:0/0
          Retry:off   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality:0  Signal level:0  Noise level:0
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0
So now nmcli says it's unmanaged but iwconfig says it IS managed. And BTW, NetworkManager doesn't even have the interface as one of its options, it only lists my Ethernet connector.
So I also tried both of the following to enable monitor:
[root@localhost fhew]# iw wlp2s0f0u4 set monitor none
command failed: No such device (-19)
[root@localhost fhew]# iwconfig wlp2s0f0u4 mode monitor
Error for wireless request "Set Mode" (8B06) :
    SET failed on device wlp2s0f0u4 ; Invalid argument.
and neither worked. So I'm back to thinking it's a driver issue.
P.S. Looking at the newer Wireshark, I still didn't see a 'monitor' button. Perhaps it's because the wi-fi driver isn't supporting it?
On 9/29/20 10:33 AM, Fulko Hew wrote:
> No, no other thread. In the original email I used iw command to turn manage off.
> wlp2s0f0u4 wifi unmanaged --
> wlp2s0f0u4 unassociated ESSID:"" Nickname:"WIFI@REALTEK"
> Mode:Managed Frequency=2.412 GHz Access Point: Not-Associated
> So now nmcli says it's unmanaged but iwconfig says it IS managed.
Ok, that is a little confusing. The nmcli "managed" means that NetworkManager is handling the device. The iwconfig "managed" is referring to the mode that the wifi device is in.
> So I also tried both of the following to enable monitor:
> [root@localhost fhew]# iw wlp2s0f0u4 set monitor none
> command failed: No such device (-19)
That can't be the actual command you ran, because it's not valid. You're missing a "dev".
> [root@localhost fhew]# iwconfig wlp2s0f0u4 mode monitor
> Error for wireless request "Set Mode" (8B06) :
>     SET failed on device wlp2s0f0u4 ; Invalid argument.
> and neither worked. So I'm back to thinking it's a driver issue.
Yes, that seems very likely to be the reason for both those commands failing.
> P.S. Looking at the newer Wireshark, I still didn't see a 'monitor' button. Perhaps it's because the wi-fi driver isn't supporting it?
When you open the capture options dialog, you might need to scroll to the right to see the monitor checkbox.
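The two meanings of "managed" discussed above, and the driver question the thread ends on, can each be checked separately before starting a capture. The script below is an added example, not part of the original thread; it assumes `nmcli` and `iw` are installed, and the function names and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: helpers parse command output on stdin (saved text or live).

# nm_state IFACE   < `nmcli -t -f DEVICE,STATE device`
# NetworkManager's view; "unmanaged" means NM will leave IFACE alone.
nm_state() {
    awk -F: -v dev="$1" '$1 == dev { print $2; hit = 1 }
        END { if (!hit) print "absent" }'
}

# wifi_type IFACE  < `iw dev`
# 802.11 operating mode (managed, monitor, ...); "absent" if iw lists no IFACE.
wifi_type() {
    awk -v dev="$1" '$1 == "Interface" { cur = $2 }
        $1 == "type" && cur == dev { print $2; hit = 1 }
        END { if (!hit) print "absent" }'
}

# supports_monitor < `iw phy PHY info`
# Succeeds only if "monitor" appears under "Supported interface modes:".
supports_monitor() {
    awk '/Supported interface modes:/ { on = 1; next }
        on && $1 != "*" { on = 0 }
        on && $2 == "monitor" { ok = 1 }
        END { exit !ok }'
}

# preflight IFACE: the same three checks on a live system (needs nmcli, iw).
preflight() {
    phy=$(iw dev "$1" info 2>/dev/null | awk '$1 == "wiphy" { print "phy" $2 }')
    echo "NetworkManager: $(nmcli -t -f DEVICE,STATE device | nm_state "$1")"
    echo "802.11 mode:    $(iw dev | wifi_type "$1")"
    if [ -n "$phy" ] && iw phy "$phy" info | supports_monitor; then
        echo "monitor mode:   listed as supported"
    else
        echo "monitor mode:   not listed for this driver"
    fi
}

# Constructed sample outputs (not captured from the machines in the thread).
SAMPLE_NMCLI='enp5s0:connected
wlp2s0f0u4:unmanaged'
SAMPLE_IWDEV='phy#0
    Interface wlp2s0f0u4
        type managed'
SAMPLE_PHY='Supported interface modes:
     * managed
     * AP
Band 1:'
```

On a capture host, source the file and run `preflight wlp2s0f0u4` with the interface name that `nmcli dev` reports.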