I could not capture any packets when using wireshark with npcap in Monitor Mode

[w1nww]

Dear Doctor Luo： I could not capture any packets when using Wireshark with npcap over my WLAN Adapter。I tried to toggle Monitor Mode in Wireshark and WlanHelper both。

My Adapter is INTEL adv N6205。

[hsluoyz]

Hi @wInstonwU , please provide 3 files based on docs here:

1. Diagnostic report (DiagReport)
2. install.log
3. NPFInstall.log

You can upload them to this GitHub conversation.

[w1nww]

install.log.txt NPFInstall.log.txt DiagReport-20170103-110936.txt

hi,dear Doctor LUO: @hsluoyz

I am appreciate for your reply. Attachment is the file provided what you metioned. As the supportion of file format, i changed the name of "install.log" to "install.log.txt“ and "NPFInstall.log" to "NPFInstall.log.txt“

Thanks again. 罗博士。

[hsluoyz]

I noticed you are using a Intel(R) Centrino(R) Advanced-N 6205 wireless adapter. Please verify that adapter actually supports monitor mode. You can run: WlanHelper.exe 03987483-2570-4B56-A230-9B082D6AD3AB modes to get the supported modes. You can print your output of that command here.

[w1nww]

I have run it as your advice, like the screenshot below

Thanks again @hsluoyz

[hsluoyz]

Well. It seems that your adapter supports monitor mode. You can run: WlanHelper.exe 03987483-2570-4B56-A230-9B082D6AD3AB mode monitor to set it to monitor mode and print its output here.

[w1nww]

I think my Apdater went to Monitor Mode success like the screenshot below. Thanks again.

[hsluoyz]

Don't switch on monitor mode via WlanHelper.exe if you are capturing with Wireshark. Here're the steps:

1. Make sure your adapter is in Managed Mode (like turning off monitor mode via WlanHelper.exe).
2. Launch WireShark GUI. Then check the monitor mode option in its GUI (QT GUI and GTK GUI is slightly different for this option's location) and then start capturing.
3. Confirm whether you start receiving the wireless packets.

[w1nww]

I think I had performed like that which you metioned 1,2,3 when i saw your relay in other issues yestorday. For insurance that i performed it again:

1.Make sure your adapter is in Managed Mode (like turning off monitor mode via WlanHelper).

I toggled it to Managed Mode and I can run scanning as normal like below

2.Launch WireShark GUI. Then check the monitor mode option in its GUI (QT GUI and GTK GUI is slightly different for this option's location) and then start capturing.

I check on the checkbox in Wireshark and click "开始" like below

3.Confirm whether you start receiving the wireless packets.

I still could not capture any raw 802.11 packets in Monitor Mode like below

By the way,I can capture fake Ehthernet packets with that apdater out of Monitor Mode,like below

thanks again

[hsluoyz]

Right now I can't think of other reasons than the wireless adapter itself. Maybe your adapter has poor support for monitor mode/Npcap.

Can you afford to purchase a USB adapter like NetGear A6200 adapter? I can assure you it will work because that's the adapter I use to develop Npcap.

[w1nww]

hi,doctor Luo: @hsluoyz I have test in several situations,I found that all INTEL adapter(aha,just two) in my hand could not work on Monitor Mode. look at sreenshot below

The advice you gived me upon to purchase a adapter remained me that I have a NETGEAR WNDA3100v2 adapter. it is success working on Monitor Mode I have tried to test with other adapter(Realtek RTL8188CU) in my hand and it is success working on Monitor Mode too.

Could you do some analysis with INTEL adapter if you are willing to.

You are my beacon. THANKS ALL THE TIME.

[hsluoyz]

The on-board wireless adapter in my laptop is Intel(R) Dual Band Wireless-AC 3165:

And it even doesn't support mode (by running WlanHelper). So I bought the NETGEAR USB adapter. It seems that most of on-board Intel adapters just don't support monitor mode.

I'm willing to do some analysis on more Intel adapters, the problem is I don't have any others. It's even on-board, so it means I need to get a laptop with it to test, which is even difficult for me to do it.

[w1nww]

You could just bollow or purchase（i think it is cheap，just 30-50rmb） a INTEL on-board adapter instead of buy a laptop.

Now I am sorry to bother you again. I have a new problem: the Realtek RTL8188CU adapter i mentioned (it is a USB adapter),it could not working on my laptop which on-board apdater is INTEL N6205,but it is working on the laptop which on-board apdater is INTEL N7260(metioned in sreenshot above ).also the INTEL N7260 is always not working. I confirmed that the dirver of the Realtek RTL8188CU adapterin my two laptop are same and all in WIN10 Now i am confused

[alagoutte]

@hsluoyz with old release of npcap (0.08), it is possible to capture (with wlanhelper) but with last release don't work (no possible to set monitor mode for me in Qt)

[w1nww]

hi,@alagoutte what is the meaning of

(no possible to set monitor mode for me in Qt)

and I will have a try in release of npcap(0.08)

[alagoutte]

With last release, i have no option to set to monitor mode on Wireshark

[dmiller-nmap]

I am also having trouble capturing in monitor mode. My adapter is the Alfa AC1200, which is a USB adapter with the Realtek 8812au chipset. The driver that came with it did not support monitor mode, but after I updated the driver, WlanHelper reports that it does, and so does Wireshark. But I can't capture any frames, either using Wireshark to enable monitor mode or by using WlanHelper to enable it.

One thing I found with Wireshark: if you have WinPcap installed, it will prefer that and so will not be able to see the monitor mode stuff that Npcap lets it see. So it only works when Npcap is installed on its own, and not with WinPcap or Win10Pcap.

[dmiller-nmap]

We are now tracking compatibility with various WiFi adapters on SecWiki at the Npcap/WiFi adapters page. Please ensure you are using the latest Npcap and follow the directions there for determining level of WiFi capture support. You may update this issue, edit the SecWiki page, or email us directly at dev@nmap.org with adapter info.

[omax83]

In the Linux (like airdump-ng and so on get raw dump utilites) works good for Intel N6205 internal wireless card. But in windows wireshark, commview both not work with that card. I think the problem in the Intel driver. Maybe need to find special old version, that support working good in monitor mode and with wireshark (npcap, winpcap tools). I test several hundreds of configurations and drivers, works for me in Windows 8.1 with commview and Intel driver for N 6300 AGN (instead of N6205) version 15.10.0.12 from 25.06.2013 year.