Wireshark-users: Re: [Wireshark-users] cannot capture packets from wifirouter(Netgear WNDR3700).
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 1 Dec 2011 17:02:49 -0800
On Dec 1, 2011, at 3:07 PM, Philip Anil-QBW348 wrote:

> I found the command is: sudo stop network-manager
> However, then I cannot connect to the wifi router wirelessly.

Can you capture on the Wi-Fi network?  If so, perhaps the Wi-Fi adapter+driver doesn't support sniffing in monitor mode (which is what you'll need if you want to capture, on your computer, traffic between your phone and the access point) and remaining associated with the network at the same time.

At least according to

	http://www.linuxwireless.org/en/users/Drivers

the driver for your adapter (Intel Centrino Advanced-N 6200 AGN) is the "iwlagn" driver, but according to

	http://intellinuxwireless.org/

it's the "iwlwifi" driver.  I don't see any file with "iwlagn" in its name in any of the Linux source trees, so maybe the "iwlagn" driver is referring to the "iwl-agn.c" file in the iwlwifi driver or something such as that.

Intel's page appears to suggest that the iwlwifi driver uses the mac80211 framework, and the code in the 2.6.32.4 kernel tree seems to suggest so as well.

I got an email from somebody that speaks of NetworkManager turning monitor mode off from an interface which is using "the old wext stuff", which presumably means "using the Wireless Extensions rather than mac80211".  You were using iwconfig, which is, I think, "the old wext stuff".

The page at

	http://www.linuxwireless.org/en/users/Drivers

says the Intel Centrino Advanced-N 6200 AGN adapter and the "iwlagn" driver do *not* support monitor mode.  However, it says all *other* Intel adapters don't support it, either, but there are some references to it in the 2.6.32.4 kernel iwlwifi driver, so perhaps the linuxwireless.org page is not up to date.

You might try using the airmon-ng script:

	http://www.aircrack-ng.org/doku.php?id=airmon-ng

from the aircrack-ng project. Note the "mac80211 drivers monitor mode" section:

	See mac80211 versus ieee80211 stacks for some background information.

	When using the mac80211 version of a driver, the use of airmon-ng and the aircrack-ng tools are slightly different.

	Running:

	 airmon-ng start wlan0
	Gives something like:

	 Interface   Chipset      Driver
 
	 wlan0      Intel 4965 a/b/g/n   iwl4965 - [phy0]
	          (monitor mode enabled on mon0)

	Notice that it created “mon0”. You must then use “mon0” in all the subsequent aircrack-ng tools as the injection interface.

	To remove monitor mode enter:

	 airmon-ng stop mon0

If it succeeds in creating a "mon0" interface, try capturing on that.  (Do *NOT* use iwconfig!)

This may allow you to capture traffic in monitor mode while you're still associated with the network (*IF* the hardware and driver support that, and if NetworkManager doesn't "helpfully" turn monitor mode off).  You'd have to restart NetworkManager and then try the airmon-ng script.

If that works, try removing monitor mode with the "airmon-ng stop mon0" command, and then try running Wireshark and checking the "Monitor mode" checkbox when capturing on wlan0.

Let us know whether any of that works.