Hi, I've been using at least D-Link DWA-160 adapter and some Intel wireless adapters successfully without setting this flag so I guess the problem is driver specific. I just uploaded a patch to have wireshark set the otherbss flag when the monitor interface is created here: https://code.wireshark.org/review/13219
Do you know of an easy way to check whether the flag is set? I tried it with my D-Link adapter and it still works but haven't verified that the patch really does what it is supposed to do. When building make sure the configure output contains this line: checking for NL80211_MNTR_FLAGS... yes /Mikael 2016-01-04 17:52 GMT+01:00 Roger James <[email protected]>: > Hi, > > Whenever I use the wireshark wireless toolbar to set up a monitor mode > interface, I only ever see broadcast frames, multicast frames (and unicast > frames if they are addressed to the BSS that the monitor interface is > sitting on). It appears that after the introduction of monitor mode flags in > nl80211 that default for monitor (virtual) interfaces is to leave the driver > BSS filter active. The filter is only disabled if the "otherbss" monitor > flag is set. I have verified this by manually setting the "otherbss" flag > using the iw tool. > > I seems to me that from a wireshark perspective a user would expect for a > "monitor" interface to be naturally "promiscuous". So it would be good if > Wireshark could ensure this flag was set by default. > > I have been trying to determine how to hack this to do this in the wireshark > code, but am somewhat overawed by the complexity and number of different > ways the nl80211 stuff is accessed by wireshark. It appears that monitor > interfaces can be created either in wireshark or in dumpcap or in libpcap. > > I really do not want to have to learn the whole wireshark architecture. So I > would appreciate some pointers to where I should hack this in. So I can get > back to debugging a very obscure wireless problem :-). > > Also, I am surprised that this is not been bugged. That makes me think I > have missed something obvious. So can anyone else verify this. > > Just use the wireless toolbar to create a monitor interface. This appears to > happen when you select a candidate interface and set its frequency. The > interface should then be visible using ifconfig -a (the usual caveats about > interference from network manager etc. apply). If you run a capture and see > anything other than the BSS of the hardware you are using, or broadcast, or > multicast in the destination address, then my theory has crashed and burned. > If not, try the same test but before you run the capture try "iw dev > phyX.mon set monitor otherbss" where X is whatever wireshark has used. You > should then see the other packets. > > Cheers, > > Roger > ___________________________________________________________________________ > Sent via: Wireshark-dev mailing list <[email protected]> > Archives: https://www.wireshark.org/lists/wireshark-dev > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev > mailto:[email protected]?subject=unsubscribe ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <[email protected]> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:[email protected]?subject=unsubscribe
