[Winpcap-users] rpcapd under linux - no interfaces returned to wireshark when wlan0 is available?

Gerd Root gerdroot at gmail.com
Thu Jan 8 07:45:02 UTC 2015


Hi There,

I'm new to pcap and I'm not that much advanced with custom compilation
(under any OS), so thanks for your patience in advance!

And sorry for the long post, but I wanted to be as precise as possible
and give you as much info as I could already find out.

I think it is best to start by explaining what I want to accomplish, then
what I tried to do to get there.

My goal is to have a network setup that allows network tracing of
clients that are connected to a WiFi hotspot and can access the internet
from there. I want to be able to see the client traffic from an extra
(Windows) machine running Wireshark. Ideally this environment is highly
portable.

This setup is mainly for the purpose of protocol analysis within our
quality assurance department for mobile phones.

To make the environment portable, my current setup is as follows:

I'm running a Raspberry Pi with Debian Wheezy. The eth0 interface is
connected to a network which has internet access.

I was able to compile rpcapd from the WinPcap sources (latest version:
https://www.winpcap.org/install/bin/WpcapSrc_4_1_3.zip) using the
instructions I found here:
http://www.pawelko.net/compiling-rpcapd-for-linux/

Now rpcapd runs on the Raspberry and from my Windows machine I can use
Wireshark (latest version: 1.2.2) to connect to rpcapd and I can see the
interfaces. And if I start a trace, I can see the packets that are
flying by eth0 on the Raspberry. Very nice.

So far, so good. This setup is working.

Now the problem:

To have a hotspot that the clients can connect to, on the Raspberry I am
using an Edimax USB WiFi NIC, which becomes wlan0.

As soon as I plug in wlan0 and it becomes available in ifconfig, I can
not retrieve ANY interfaces with Wireshark.
When I try to add a remote adapter it simply returns an error message
that no interfaces can be retrieved.

When I unplug wlan0 and reboot, it works.

Now I tried to find out what the problem is, and while I was connecting
with one Wireshark instance to rpcapd, I used another Wireshark instance
to trace the network traffic of the other Wireshark.

In the trace I could see that Wireshark is successfully connecting to
rpcapd and authentication seems okay, but after Wireshark sends

Remote Packet Capture, Find all interfaces request
0000   00 02 00 00 00 00 00 00                          ........

rpcapd responds with
ACK
FIN,  ACK

and then the connection is closed.

When I unplug the wlan0 NIC, I can not see the "find all interfaces
request" any more, but at least I can find eth0 in the packets and in
the end the interfaces show up in Wireshark.

Now, finally, come my questions, if you have not already guessed them:

Does WinPcap running on Linux not support the wlan0 interface at all?

What could I do to further troubleshoot this?

All I can tell for sure is: if wlan0 shows up in ifconfig, rpcapd does
not return anything. If I remove the Edimax from USB and it does not
show up anymore in ifconfig (reboot + restart of rpcapd included), I can
successfully use Wireshark + rpcapd.

I would be very happy if someone could shed some light on this dark
problem.

Let me know whether you need more info which could help debug this!

I took two traces of the connection attempts to rpcapd and put them on my
Dropbox in case this helps anyone further analyse this. I'm not very
optimistic, but maybe it does.

https://www.dropbox.com/sh/sko5izb7fifrtuk/AAB6mSC3oVpamtENOwMpzI5Ba?dl=0

I guess perhaps some debugging on the Linux machine would help more, but
I don't know how to accomplish this; maybe someone can help out.

Thanks a lot!

br
Gerd Root
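As an added example (not from the post and not code from the WinPcap or libpcap projects), the 8-byte "find all interfaces" request quoted above decoded with the rpcap header layout from libpcap's rpcap-protocol.h: 1-byte version, 1-byte type, 2-byte value, 4-byte payload length, all big-endian. The message-type numbers and the error-reply format are taken from that header and assumed to match the 4.1.3 sources; the error reply bytes are constructed here to show what a daemon-side error looks like on the wire, as opposed to the bare FIN the post describes.

```python
import struct

# rpcap message types as defined in libpcap's rpcap-protocol.h (assumed to
# match the WinPcap 4.1.3 sources the post was built from)
RPCAP_MSG_IS_REPLY = 0x80
MSG_TYPES = {
    1: "ERROR", 2: "FINDALLIF_REQ", 3: "OPEN_REQ", 4: "STARTCAP_REQ",
    5: "UPDATEFILTER_REQ", 6: "CLOSE", 7: "PACKET", 8: "AUTH_REQ",
    9: "STATS_REQ", 10: "ENDCAP_REQ", 11: "SETSAMPLING_REQ",
}
HEADER = struct.Struct("!BBHI")  # ver, type, value, plen (network byte order)

def decode_rpcap(data: bytes) -> dict:
    """Decode one rpcap message (header plus payload) from raw TCP stream bytes."""
    if len(data) < HEADER.size:
        raise ValueError("short read: need %d header bytes, got %d" % (HEADER.size, len(data)))
    ver, mtype, value, plen = HEADER.unpack_from(data)
    payload = data[HEADER.size:HEADER.size + plen]
    if len(payload) != plen:
        raise ValueError("truncated payload: header says %d bytes, got %d" % (plen, len(payload)))
    base = mtype & ~RPCAP_MSG_IS_REPLY
    name = MSG_TYPES.get(base, "UNKNOWN(%d)" % base)
    if mtype & RPCAP_MSG_IS_REPLY:
        name = name.replace("_REQ", "") + "_REPLY"
    msg = {"version": ver, "type": name, "value": value, "plen": plen}
    if base == 1:  # an error message carries the daemon's error string as payload
        msg["error"] = payload.decode("ascii", errors="replace")
    return msg

def decode_stream(data: bytes) -> list:
    """Split one direction of a captured TCP stream into rpcap messages.
    An empty list means the peer sent nothing at the rpcap level, i.e. it
    closed the connection without an error message (the bare FIN in the post)."""
    msgs, off = [], 0
    while off < len(data):
        msg = decode_rpcap(data[off:])
        msgs.append(msg)
        off += HEADER.size + msg["plen"]
    return msgs

# Bytes exactly as quoted in the post: Wireshark's "find all interfaces" request
FINDALLIF_REQ = bytes.fromhex("00 02 00 00 00 00 00 00")
# Constructed sample (not from the post): an rpcap ERROR message with a
# made-up error text, the shape a daemon-side failure would have on the wire
ERR_TEXT = b"example error text (constructed)"
ERROR_REPLY = HEADER.pack(0, 1, 0, len(ERR_TEXT)) + ERR_TEXT

if __name__ == "__main__":
    print(decode_rpcap(FINDALLIF_REQ))
    print(decode_stream(ERROR_REPLY))
    print(decode_stream(b""))  # the silent-close case: no rpcap message at all
```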
