Wireshark - Help seeing all network traffic

1

I have a Ralink RT3290 802.11bgn Wi-Fi Adapter and am running Windows 8. Sadly although my new computer helps in the design and testing of my touch based applications, my Network Engineering abilities are in decline.

For some reason Wireshark does not display 802.11 traffic (I really want HTTP, although TCP and UDP are hard to live without) to and from other hosts on the network. I have been reading help files and whatnot, and am troubled to find reference to some adapters or drivers being crippled by design (?).

I understand the reason for this, but still it annoys me!

What I really would like is some help in getting Wireshark to work... or perhaps a new driver that doesn't prevent promiscuous mode... or something... Does anyone have any ideas?

I must confess I did have one idea to study my network traffic - I downloaded a virtual router and connected my PC to the net. Then connected everything to the virtual router. It works well for most devices, although some devices behave oddly. I tested a Nintendo 3DS on it and managed to manually configure it to connect, although it disconnects randomly depending on the software I attempt to start on the 3DS (for example, a Pokemon game that I wanted to have a look at - curious to know how Pokemon are sent from pokemon_gl to a 3DS, how the SYNC process works etc.! Also curious to know if I can inject a packet and turn one 'Pokemon' into another in transit! Such fun :D).

In short, I have millions of questions and love studying how stuff fits together, and tinkering with things. Please help me to get Wireshark working! It is easier than reprogramming my open source virtual router... although that will be my next question if I can't get Wireshark going - be warned!

user2210276

Posted 2013-03-26T06:30:12.337


Answers

1

Wireshark doesn't support the capture of packets which are not sent from or to your machine on Windows. The monitor mode is not supported by WinPcap. You need an AirPcap adapter to make it work in Windows or otherwise try running Wireshark in Linux.

Simon

Posted 2013-03-26T06:30:12.337

Reputation: 3 831

0

WinPcap hooks into the Windows networking stack using an NDIS driver (that driver is part of WinPcap). It only supports the NDIS 5 that first appeared in Windows 2000 (a/k/a "NT 5.0"), not the NDIS 6 that first appeared in Windows Vista (a/k/a "NT 6.0"). Monitor mode can only be used by an NDIS 6 driver; the WinPcap NDIS 5 driver works on Vista and later, but doesn't support monitor mode.

Microsoft Network Monitor is another network analyzer for Windows; it can be downloaded for free, and, while the source to it is not available (unlike Wireshark), the structure of packets is defined in Network Monitor by text files that do come with Network Monitor and that can be modified by the user. The user can also add files for new protocols; Microsoft offers a site that hosts many of those files. Network Monitor has both NDIS 5 and NDIS 6 drivers; the NDIS 6 driver is used in Windows Vista and later, and supports monitor mode if the driver and network adapter do. Wireshark can read Network Monitor capture files.

Note that there are claims that some NDIS 6 Wi-Fi adapter drivers do not correctly support monitor mode; that would mean that even Network Monitor would have trouble with monitor mode (as would Wireshark if WinPcap were to provide an NDIS 6 driver that supported the libpcap monitor mode APIs using Native Wi-Fi).

user164970

Posted 2013-03-26T06:30:12.337

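A quick way to tell whether a saved capture really came from monitor mode (802.11 frames with or without a radiotap header) or whether the driver handed WinPcap Ethernet-framed data, as described in the answer above. This is an added example, not code from the question or either answer; it reads only the libpcap link-type value from a pcap or pcapng file header, and the sample headers it builds are constructed for illustration.

```python
import struct

WIFI_LINKTYPES = {105, 119, 127, 163}   # 802.11 framing: only produced by a monitor-mode capture
PCAP_MAGICS = {0xA1B2C3D4, 0xA1B23C4D}   # microsecond / nanosecond pcap
PCAPNG_SHB = 0x0A0D0D0A                   # pcapng Section Header Block type

def capture_linktype(data: bytes) -> int:
    """Return the link-layer type of a pcap or pcapng file from its leading bytes."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap/pcapng header")
    if struct.unpack(">I", data[:4])[0] in PCAP_MAGICS:       # big-endian pcap
        return struct.unpack(">I", data[20:24])[0]
    if struct.unpack("<I", data[:4])[0] in PCAP_MAGICS:       # little-endian pcap
        return struct.unpack("<I", data[20:24])[0]
    if struct.unpack(">I", data[:4])[0] == PCAPNG_SHB:
        # Byte-order magic 0x1A2B3C4D at offset 8 gives the section's endianness.
        end = "<" if data[8:12] == b"\x4d\x3c\x2b\x1a" else ">"
        off = 0
        while off + 12 <= len(data):        # walk blocks to the first IDB (type 1)
            btype, blen = struct.unpack(end + "II", data[off:off + 8])
            if btype == 1:
                return struct.unpack(end + "H", data[off + 8:off + 10])[0]
            if blen < 12:
                raise ValueError("corrupt pcapng block length")
            off += blen
        raise ValueError("no Interface Description Block found")
    raise ValueError("not a pcap or pcapng file")

def is_monitor_mode_capture(data: bytes) -> bool:
    """True when frames carry 802.11 headers, i.e. the adapter captured in monitor mode."""
    return capture_linktype(data) in WIFI_LINKTYPES

def pcap_header(linktype: int, end: str = "<") -> bytes:
    """Constructed sample: a pcap global header (v2.4, snaplen 65535) with the given link type."""
    return struct.pack(end + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)

def pcapng_header(linktype: int) -> bytes:
    """Constructed sample: minimal little-endian pcapng SHB followed by one IDB."""
    shb = struct.pack("<IIIHHqI", PCAPNG_SHB, 28, 0x1A2B3C4D, 1, 0, -1, 28)
    idb = struct.pack("<IIHHII", 1, 20, linktype, 0, 65535, 20)
    return shb + idb

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:   # a pcap/pcapng file, e.g. one saved from Wireshark
        print("monitor-mode 802.11 capture:", is_monitor_mode_capture(f.read(4096)))
```

Link type 1 (Ethernet) in a file captured on a Wi-Fi adapter means the 802.11 headers were already stripped before WinPcap saw the frames; 105 or 127 means real 802.11 frames were captured.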