On Sep 22, 2025, at 9:15 AM, Michael Richardson <[email protected]> wrote:
> This happens most often in the evening, during "prime TV" time.
> I think that I need to be capturing from the wifi monitor interface.
> That does not seem to still be a thing, so I'm not sure what to do.

It's A Long Story.

At this point, there is no general-purpose OS whose monitor-mode support doesn't annoy me in some fashion.

As I understand it, for Linux, the "right" way to set up monitor mode, at least with mac80211 devices, is to create a new "virtual interface" in monitor mode, and capture on that. See https://wiki.wireshark.org/CaptureSetup/WLAN#linux - libpcap will do that *if* built with libnl, but that's not how it's built by default, so, unfortunately, the -I flag in tcpdump and {Wire,T}shark, and Wireshark's monitor-mode checkbox, don't do the job.

> Some sequence of "ip link" or "iwconfig mode monitor" commands to turn the
> interface on, not associated with any SSID, and just listen. But, what
> channel?

Whatever channel you're using on your wifi; you might have to do some channel-hopping to find it if you don't know which one it is.

Sadly, adding channel-setting APIs to libpcap, and changing tcpdump/Wireshark to use them, hasn't been done.

I don't know whether management frames will be encrypted (protected). If they are, you'll need to, for example, use Wireshark/TShark and provide the network password. See https://wiki.wireshark.org/HowToDecrypt802.11 (I'm not sure whether WPA3 can be handled.)

> I obviously do not want to capture the entire netflix stream, but
> maybe -W filecount is the right answer to avoid missing stuff.

You might try using a filter to filter out 802.11 data frames and just capture management and control frames.
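
The setup described in the reply above, as an added example that is not part of the original message: a monitor-mode virtual interface created with iw, tuned to the channel in use, and a tcpdump ring-buffer capture that keeps only management and control frames. The interface names wlan0 and mon0, the output path, the ring sizes and the helper function names are assumptions chosen for illustration; iw is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original message. Assumed placeholder names:
# wlan0 (managed interface), mon0 (new monitor vif), /var/tmp/wifi-mgmt.pcap.
# Commands are only printed unless DRY_RUN=0 is set; executing them needs root.

DRY_RUN="${DRY_RUN:-1}"

# Print a command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Read `iw dev <if> info` output on stdin and print the channel number the
# radio is currently tuned to (prints nothing if no channel is reported).
current_channel() {
    awk '$1 == "channel" { print $2; exit }'
}

# Add a monitor-mode virtual interface beside the managed one and tune it.
setup_monitor() {   # usage: setup_monitor <managed-if> <monitor-if> <channel>
    run iw dev "$1" interface add "$2" type monitor
    run ip link set "$2" up
    # While the managed interface stays associated the radio is already on
    # its channel, and the driver may refuse this step as "busy".
    run iw dev "$2" set channel "$3"
}

# Capture management and control frames only (no data frames), rotating
# through 10 files of about 50 MB each so the disk cannot fill up.
capture_mgmt() {    # usage: capture_mgmt <monitor-if> <output-file>
    run tcpdump -i "$1" -C 50 -W 10 -w "$2" 'type mgt or type ctl'
}

# Remove the monitor interface again when done.
teardown_monitor() { run iw dev "$1" del; }

# Typical sequence, with DRY_RUN=0 exported and run as root:
#   ch=$(iw dev wlan0 info | current_channel)
#   setup_monitor wlan0 mon0 "$ch"
#   capture_mgmt mon0 /var/tmp/wifi-mgmt.pcap
#   teardown_monitor mon0
```

The `type mgt or type ctl` expression is standard pcap-filter syntax for 802.11 link types, so the same string works as a capture filter in Wireshark or TShark on the monitor interface.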
