Problem Statement
Calling pcap_activate() results in PCAP_ERR_RFMON_NOTSUP error, i.e. RF monitor mode is not supported.
Context
I'm writing a small C program whose job is to listen on my laptop's wifi card in monitor mode. The laptop is running Ubuntu 12.04 LTS. I ran the airmon-ng start wlan0 command, after which the mon0 interface appeared. The following shows the output of the iwconfig command after running the airmon command:
$ iwconfig
mon0      IEEE 802.11bgn Mode:Monitor Tx-Power=16 dBm
          Retry long limit:7 RTS thr:off Fragment thr:off
          Power Management:off

eth0      no wireless extensions.

lo        no wireless extensions.

wlan0     IEEE 802.11bgn ESSID:"SKY88F48"
          Mode:Managed Frequency:2.412 GHz Access Point: 7C:4C:A5:3B:33:59
          Bit Rate=52 Mb/s Tx-Power=16 dBm
          Retry long limit:7 RTS thr:off Fragment thr:off
          Power Management:off
          Link Quality=43/70 Signal level=-67 dBm
          Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
          Tx excessive retries:4 Invalid misc:415 Missed beacon:0
Question
In my program, I create a network handle on device mon0 using pcap_create(). Then I set the snapshot length and promiscuous mode successfully.
When I check whether rfmon can be set, using the pcap_can_set_rfmon() method, it returns positive. Then I set rfmon using the pcap_set_rfmon() method, which goes through successfully. I also set the timeout. Finally, when I call pcap_activate() it returns the error PCAP_ERR_RFMON_NOTSUP, i.e. RF monitor mode not supported. I'm running my program as root.
One thing to note is that I installed Wireshark and started listening on mon0, which successfully captured all the traffic.
You don't need to set rfmon mode on mon0 - it's inherently in monitor mode. Just capture on it; that's what you did with Wireshark.
For various reasons having to do with

- libnl having multiple incompatible versions, so choosing the right version with which to build libpcap is, apparently, a pain for distribution builders;
- choosing a version different from the one used by an application that uses both libnl and libpcap causing horrible problems due to the aforementioned incompatibilities;

the libpcap rfmon mode code for Linux that works best for most devices, which uses libnl (essentially, it creates a new monN interface, duplicating what airmon-ng does, opens that interface for capturing, and deletes it when the capture is finished), is not enabled in many Linux distributions because libpcap is configured not to use libnl.
Therefore, it doesn't work well on Linux.
Writing code for libpcap to directly use netlink sockets, rather than go through libnl, is on my to-do list, but it is, unfortunately, behind a number of other issues on that list.
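As an added example (not code from the question or the answers), a capture program can check for itself whether an interface such as mon0 is already in monitor mode, and skip pcap_set_rfmon() when it is. It assumes Linux sysfs, where /sys/class/net/<if>/type holds the interface's ARPHRD link type; the helper names parse_arphrd, plan_for_arphrd and plan_for_iface are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Link-layer types from <linux/if_arp.h>, as reported in /sys/class/net/<if>/type. */
#define ARPHRD_ETHER                1   /* wired, or Wi-Fi in managed mode */
#define ARPHRD_IEEE80211          801   /* raw 802.11 frames */
#define ARPHRD_IEEE80211_PRISM    802   /* 802.11 with Prism header */
#define ARPHRD_IEEE80211_RADIOTAP 803   /* 802.11 with radiotap header */
enum plan { PLAN_ERROR = -1, PLAN_CAPTURE_DIRECTLY = 0, PLAN_NOT_MONITOR = 1 };

/* Parse the contents of a sysfs "type" file such as "803\n"; -1 if malformed. */
int parse_arphrd(const char *text)
{
    char *end;
    long v = strtol(text, &end, 10);
    int ok = end != text && (*end == '\0' || *end == '\n') && v >= 0 && v <= 65535;
    return ok ? (int)v : -1;
}

/* 802.11 link types mean monitor mode is already on: skip pcap_set_rfmon(). */
enum plan plan_for_arphrd(int type)
{
    switch (type) {
    case ARPHRD_IEEE80211: case ARPHRD_IEEE80211_PRISM: case ARPHRD_IEEE80211_RADIOTAP:
        return PLAN_CAPTURE_DIRECTLY;
    case ARPHRD_ETHER:   /* ask pcap_can_set_rfmon(), or create a monitor interface */
        return PLAN_NOT_MONITOR;
    }
    return PLAN_ERROR;
}

/* sysfs_root is "/sys/class/net" in real use; it is a parameter so it can be tested. */
enum plan plan_for_iface(const char *sysfs_root, const char *ifname)
{
    char path[256], buf[32] = "";
    int n = snprintf(path, sizeof path, "%s/%s/type", sysfs_root, ifname);
    int ok = strchr(ifname, '/') == NULL && n > 0 && n < (int)sizeof path;
    FILE *f = ok ? fopen(path, "r") : NULL;
    if (f == NULL) return PLAN_ERROR;
    if (fgets(buf, sizeof buf, f) == NULL) buf[0] = '\0';
    fclose(f);
    return plan_for_arphrd(parse_arphrd(buf));
}

int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : "mon0";
    printf("%s: plan=%d\n", ifname, plan_for_iface("/sys/class/net", ifname));
    return 0;
}
```

A result of PLAN_CAPTURE_DIRECTLY means the handle from pcap_create() can go straight to pcap_activate() without pcap_set_rfmon().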
If you're trying to set a device in monitor mode using the pcap library in C, you can use the following commands (see pcap manpage):
SYNOPSIS
#include <pcap/pcap.h>
int pcap_can_set_rfmon(pcap_t *p);
DESCRIPTION
pcap_can_set_rfmon() checks whether monitor mode could be set on a capture handle when the handle is activated.
SYNOPSIS
#include <pcap/pcap.h>
int pcap_set_rfmon(pcap_t *p, int rfmon);
DESCRIPTION
pcap_set_rfmon() sets whether monitor mode should be set on a capture handle when the handle is activated. If rfmon is non-zero, monitor mode will be set, otherwise it will not be set.
Source: https://stackoverflow.com/questions/22569164/sniffing-wifi-using-libpcap-in-monitor-mode