Wireshark-users: Re: [Wireshark-users] cannot capture packetsfromwifirouter(NetgearWNDR3700).
From: Philip Anil-QBW348 <anil.philip@xxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 6 Dec 2011 11:35:57 -0500
Title: RE: [Wireshark-users] cannot capture packetsfromwifirouter(NetgearWNDR3700).

I had upgraded to ubuntu 11.10.
$ dpkg --get-selections | grep libpcap
libpcap0.8                                      install

>From the above, is it using libpcap 0.8 ?

Anil

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx on behalf of Guy Harris
Sent: Tue 12/6/2011 3:03 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] cannot capture packetsfromwifirouter(NetgearWNDR3700).


On Dec 5, 2011, at 2:49 PM, Philip Anil-QBW348 wrote:

> I tried to check the checkbox. As I depress the box, it grays out and then re-enables.
> (almost as though it is being disabled, cleared and then re-enabled).

OK, this is a combination of several problems:

        1) Ubuntu 10.10 (and, I think, the Debian release from which it's built) does not build libpcap 1.1.1 with libnl, which means that libpcap's monitor-mode APIs don't support the Shiny New mac80211 Mechanism, and end up using the old Wireless Extensions stuff;

        2) libpcap 1.1.1's code to use the old Wireless Extension stuff to handle monitor mode had a number of bugs, which means that its monitor-mode APIs don't work correctly when using the old Wireless Extension stuff, and cause dumpcap to report an error;

        3) Wireshark wasn't reporting the error it got from dumpcap in that case - it was briefly disabling the "monitor mode" checkbox (because its attempt to get information such as the link-layer header types in monitor mode failed because libpcap couldn't put the interface in monitor mode), then clearing the checkbox (because it failed to put the interface in monitor mode), and then re-enabling it (because the API it originally used to check whether monitor mode was supported *without* actually attempting to put the interface into monitor mode said monitor mode *is* supported).

I've checked into the trunk and 1.6 branches a fix for the third problem; it should now pop up an error message box if you try to check the monitor mode checkbox on platforms with the libpcap problems in question.  The error message will refer you to the CaptureSetup/WLAN page in the Wireshark Wiki:

        http://wiki.wireshark.org/CaptureSetup/WLAN

but it should really specifically refer you to

        http://wiki.wireshark.org/CaptureSetup/WLAN#Linux

I'll fix it to do so later.  The 1.6 branch changes should also go into 1.4, so they show up in the next 1.4.x release as well as the next 1.6.x releasxe.

I've checked into the libpcap trunk and 1.2 branches a fix for the second problem, so they should show up in any future 1.2.x release (there are enough bug fixes that tcpdump.org should consider doing a 1.2.x release - and announce it so that various OSes pick it up) as well as any 1.3.0 release when it comes out.  When that'll happen, I don't know, and I don't know whether any of the Linux distributions with this issue would pick it up as an update to existing releases or whether you'd have to wait for a future release.  Given that anything short of Sid appears to have Wireshark 1.*2*.x as the Wireshark version, people who run into this are probably building Wireshark from source anyway, so they might end up picking up the fix for the third problem - monitor mode won't work well with the checkbox or the -I option, but at least it'll let you know something went wrong and point you at the Wireshark Wiki, which suggests using airmon-ng in that case.

I've sent mail to Romain Francoise (is there supposed to be a cedilla there?), the Debian maintainer for libpcap, about the first problem.  Hopefully the fix is as simple as declaring libnl to be one of libpcap's dependencies.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe