
List:       wireshark-dev
Subject:    Re: [Wireshark-dev] Why "Monitor Mode" column still showed "n/a" when pcap_can_set_rfmon() function 
From:       Yang Luo <hsluoyb () gmail ! com>
Date:       2016-05-18 16:05:53
Message-ID: CAM_tFoZEH6mLuK2=kSFTHHCywfTWWCoMa1ZEV+W4JmXvAXsX+g () mail ! gmail ! com



Hi Pascal,

The cause is that pcap_can_set_rfmon() is not exported. After I export it,
the Capture Interfaces window still shows "disabled" in the "Monitor Mode"
column.

But there's another issue. dumpcap.exe will crash when launching Wireshark.
After some debugging, I found the cause: my pcap_can_set_rfmon()
implementation is the following pcap_can_set_rfmon_win32 function.

/*
 * Check if rfmon mode is supported on the pcap_t for Windows systems.
 */
static int
pcap_can_set_rfmon_win32(pcap_t *p)
{
        return PacketIsMonitorModeSupported(p->adapter);
}


And it calls the PacketIsMonitorModeSupported() function in Packet.dll.
This function calls PacketRequest to send a Query OID request
(OID_DOT11_OPERATION_MODE_CAPABILITY) like Guy said. And the PacketRequest
call needs the adapter to be opened first.

So it seems that Wireshark should open the adapter before querying whether
it supports monitor mode, which is not the case currently.

I find it paradoxical because there are so many functions that need to send
Query/Set OID requests. So I looked at them and found most OID requests are
"Set" ones like pcap_set_buffer_size(). It doesn't immediately
call PacketSetBuff(). It just records the value and sets that value when
calling pcap_activate_win32(). However, functions that need to "Query"
OIDs couldn't do this, because the value needs to be obtained at once. It
can't be postponed to calling pcap_activate_win32(). I found
only pcap_stats_ex() is in this category. It calls PacketGetStatsEx, which
tries to query an OID. But this pcap_stats_ex() function is never used in
Wireshark.

So I want to know how to solve this. Is it possible to make Wireshark open
the adapter first before querying whether it supports monitor mode?
Or we can do it in a simpler way. First we determine whether the adapter is
a wireless adapter. If it's not a wireless adapter, we don't even need to
know whether it has monitor mode support. BTW, do you know any built-in
method to know whether an adapter is a wireless one? I only know one method:
1) use "netsh wlan show interfaces" to show all the names of wireless
adapters
2) compare the pcap_t adapter name with the above names; if there's a
match, then it's a wireless adapter.
But I don't think it's very good. Wait for better solutions?

And considering that most wireless adapters support monitor mode (at
least I haven't heard anyone say his adapter doesn't support it), we can
just safely return TRUE in pcap_can_set_rfmon_win32() for any wireless
adapter. So the "Query" OID request is no longer needed.


Cheers,
Yang
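The two-step netsh check sketched in the mail (list the wireless interfaces, then match the pcap device name against them), written out as an added example that is not code from this thread, Npcap or Wireshark. It assumes Npcap names devices `\Device\NPF_{GUID}` and that `netsh wlan show interfaces` prints one `GUID : <value>` line per wireless interface; the netsh text is constructed sample output with made-up GUIDs.

```c
#include <ctype.h>
#include <string.h>

/* Constructed example, not Npcap or Wireshark code: match the GUID in an Npcap
 * device name (\Device\NPF_{GUID}) against the "GUID : <value>" lines printed by
 * "netsh wlan show interfaces". The netsh text below is made-up sample output. */
static const char *netsh_output =
    "There is 1 interface on the system:\n"
    "\n"
    "    Name                   : Wi-Fi\n"
    "    Description            : Example Wireless-AC Adapter\n"
    "    GUID                   : A1B2C3D4-2222-3333-4444-555555555555\n"
    "    Physical address       : 00:11:22:33:44:55\n"
    "    State                  : connected\n";

/* Case-insensitive comparison of two byte spans (GUID case varies between tools). */
static int same_guid(const char *a, size_t na, const char *b, size_t nb)
{
    size_t i;
    if (na != nb)
        return 0;
    for (i = 0; i < na; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Return 1 if the device's GUID is listed by netsh (so the adapter is wireless),
 * 0 otherwise; a name without a {...} part is treated as not wireless. */
static int is_wireless_adapter(const char *netsh, const char *device)
{
    const char *lbrace = strchr(device, '{');
    const char *rbrace = lbrace ? strchr(lbrace, '}') : NULL;
    const char *line = netsh;
    if (!lbrace || !rbrace) return 0;
    while (*line) {
        const char *p = line + strspn(line, " \t"), *next = strchr(line, '\n');
        /* only a "GUID ... : value" entry on this very line counts */
        if (strncmp(p, "GUID", 4) == 0 && (p = strchr(p, ':')) != NULL
            && (!next || p < next)) {
            p += 1 + strspn(p + 1, " \t");
            if (same_guid(p, strcspn(p, " \t\r\n"), lbrace + 1, (size_t)(rbrace - lbrace - 1)))
                return 1;
        }
        if (!next) break;
        line = next + 1;
    }
    return 0;
}
```

Calling is_wireless_adapter() with the real netsh output (captured once at startup) lets the caller skip the OID query entirely for non-wireless adapters, which is the "simpler way" the mail proposes.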





On Wed, May 18, 2016 at 5:51 PM, Pascal Quantin <pascal.quantin@gmail.com>
wrote:

> Hi Yang,
> 
> 2016-05-17 19:02 GMT+02:00 Yang Luo <hsluoyb@gmail.com>:
> 
> > Hi list,
> > 
> > I'm using Wireshark 2.1.0-3054-gad4d0b8. I found that after I made the
> > pcap_can_set_rfmon() function in Npcap always return 1, the Capture
> > Interfaces window still shows "n/a" in the "Monitor Mode" column.
> > 
> > J:\npcap\wpcap\libpcap\pcap.c:
> > 
> > /*
> >  * Returns 1 if rfmon mode can be set on the pcap_t, 0 if it can't,
> >  * a PCAP_ERROR value on an error.
> >  */
> > int
> > pcap_can_set_rfmon(pcap_t *p)
> > {
> >         return 1;
> >         //return (p->can_set_rfmon_op(p));
> > }
> > 
> > 
> > I have analyzed the code flow:
> > 
> > 
> > 1)
> > https://github.com/wireshark/wireshark/blob/07fb53b063bcd4c2c67706cf7316b625efe0767e/ui/qt/capture_interfaces_dialog.cpp#L528
> >  ti->setText(col_monitor_, QString(device->monitor_mode_supported?
> > (device->monitor_mode_enabled ? tr("enabled") : tr("disabled")) :
> > tr("n/a")));
> > The key is:
> > device->monitor_mode_supported
> > 
> > 2)
> > https://github.com/wireshark/wireshark/blob/73957b4f44054a5f5fd013cf64b0bf80d8afd6e1/ui/qt/manage_interfaces_dialog.cpp#L599
> >  device.monitor_mode_supported = caps->can_set_rfmon;
> > The key is:
> > caps->can_set_rfmon
> > 
> > 3)
> > https://github.com/wireshark/wireshark/blob/07fb53b063bcd4c2c67706cf7316b625efe0767e/caputils/capture-pcap-util.c#L1021
> >  status = pcap_can_set_rfmon(pch);
> > The key is:
> > pcap_can_set_rfmon()
> > 
> > So this call sequence shows that if pcap_can_set_rfmon() returns 1, the
> > "Monitor Mode" column should show "enabled" or "disabled", not "n/a". So
> > what am I missing here?
> > 
> 
> I just tested v2.1.0rc0-3090-g886e2bf with the following patch applied:
> diff --git a/caputils/capture-wpcap.c b/caputils/capture-wpcap.c
> index 5094375..e5a2661 100644
> --- a/caputils/capture-wpcap.c
> +++ b/caputils/capture-wpcap.c
> @@ -495,6 +495,7 @@ int
> pcap_can_set_rfmon(pcap_t *a)
> {
> g_assert(has_wpcap);
> +       return 1;
> if (p_pcap_can_set_rfmon != NULL) {
> return p_pcap_can_set_rfmon(a);
> }
> return 0;
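Review bot: the unconditional `return 1;` inserted right after `g_assert(has_wpcap);` makes the `if (p_pcap_can_set_rfmon != NULL)` branch and the trailing `return 0;` unreachable, so this is a diagnostic-only patch: it proves the GUI honours the value, but it also reports monitor-mode support for every adapter, wireless or not, and must not be merged in this form. The durable fix is to make sure `p_pcap_can_set_rfmon` resolves (the symbol exported from wpcap.dll), which is what the question below is driving at; a test build could instead log whether the pointer is NULL rather than short-circuiting the lookup.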
> 
> And the Qt GUI correctly displays "disabled".
> So presumably p_pcap_can_set_rfmon is NULL.
> 
> Is pcap_can_set_rfmon() symbol exported by your wpcap.dll? Can you share a
> npcap test build?
> 
> Regards,
> Pascal.
> 
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
> Archives:    https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request@wireshark.org?subject=unsubscribe
> 







