-2

I am doing Wireshark/packet sniffing stuff on the RPi. I am using an Alfa AWUS036H wifi adapter for capturing. On the RPi, over a period of one minute, with my phone streaming YouTube, I managed to capture about 200 packets, many of which were just small 802.11 control frames (beacon, etc.). When the same card is connected to my laptop and I run Wireshark, I capture almost 10,000 packets in the same timeframe (still streaming YouTube). Does anybody have any idea why? Is the RPi's processor simply not fast enough to keep up? Somehow I doubt this.
My setup is like this:

• Raspberry Pi Model B+.
• One Alfa AWUS036H wifi card.
• I manually set up a monitor interface for this card by doing: `sudo airmon-ng start wlan0`
• Then I use dumpcap to stream capture data from mon0 out to wireshark on my laptop for viewing. This results in about 200 packets/minute.

The channel of my access point and of the wifi capturing adapter was the same; both were set to channel 2. I wanted to test and see if there really were just about 200 packets/minute in the air, so I just unplugged the USB hub from the Pi and connected it to my laptop. Same deal: `sudo airmon-ng start wlan0`, then capture on the mon0 interface in Wireshark. I see many more data packets from YouTube, and many more control frames, totaling about 5-10,000/minute at peak streaming speed. Does anybody have any explanation for this? I tried to control for all the parameters I could in switching from Pi to laptop, but I cannot figure out why this is happening. One more point: sometimes data packets are captured the first time I start the device. After that, even if I gracefully change the state of the wifi adapter and start capturing, it does not capture any data packets.

Wee Wei
user2676044

1 Answer

0

The RPi's CPU load will affect the number of packets received through libpcap, even if the network load itself is very light. See my investigation here. In my case a lot of beacon frames were lost, and I offloaded the CPU by booting the RPi in terminal mode (skipping GUI mode) to fix it.

In your case, I would try skipping airmon-ng in order to investigate. Try e.g. (if you really want to see management frames, else skip monitor mode and just sniff wlan0):

```
ifconfig wlan0 down
iwconfig wlan0 mode monitor
ifconfig wlan0 up
```

And then sniff manually, either by `tcpdump -i wlan0` (with any other suitable option) or, why not, through Wireshark on the RPi?

Community
niCk cAMel
  • Thanks for the reply. I am already running in terminal mode. CPU usage is only around 15-20%. I am getting all the beacon frames (no drops there) but none of the data packets are captured. I have tried it without airmon-ng (as you suggested) but the results are still the same: no data packets. – user2676044 Jan 26 '16 at 14:01
  • I also captured on a Windows machine and on the Raspi at the same time and compared the results. No data packets in the Raspi captures :( – user2676044 Jan 26 '16 at 14:07
  • [These](http://www.backtrack-linux.org/forums/showthread.php?t=53559) guys seem to have the same issue with the same Alfa AWU. One answer [here](http://unix.stackexchange.com/questions/49945/monitor-mode-wifi-only-seeing-broadcast-packets) has got 3 upvotes, give it a try. Let us know if the trick with airmon-ng that @eVAPor8 suggests works or not. – niCk cAMel Jan 27 '16 at 09:36
  • [Here](https://ask.wireshark.org/questions/5826/cant-check-monitor-mode-checkbox-on-ubuntu?) is another link about setting the channel (even though you mention that they are on the same channel...). Channel setting sequence matters. – niCk cAMel Jan 27 '16 at 09:48
  • @Krisz, you should ask the OP in his question or mention him. – niCk cAMel Mar 30 '20 at 13:31
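
To make the Pi-versus-laptop comparison discussed in the question and comments measurable (beacons arrive, data frames do not), the following added example, which is not code from any poster on this page, counts 802.11 frames by type in a saved capture. The function names and the sample bytes are constructed for illustration; it assumes a classic pcap file (not pcapng) with radiotap headers, as a monitor-mode interface normally produces.

```python
import struct
from collections import Counter

TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}
LINKTYPE_RADIOTAP = 127  # DLT_IEEE802_11_RADIO, the usual monitor-mode link type

def count_frame_types(pcap_bytes):
    """Count 802.11 frames by type in a classic (non-pcapng) radiotap capture."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    linktype = struct.unpack(endian + "I", pcap_bytes[20:24])[0]
    if linktype != LINKTYPE_RADIOTAP:
        raise ValueError(f"linktype {linktype} is not radiotap; was monitor mode on?")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]
        pkt = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 4:
            counts["truncated"] += 1
            continue
        rt_len = struct.unpack("<H", pkt[2:4])[0]   # radiotap is always little-endian
        if len(pkt) < rt_len + 2:
            counts["truncated"] += 1
            continue
        fc0 = pkt[rt_len]                            # first frame-control byte
        counts[TYPES[(fc0 >> 2) & 0x3]] += 1         # bits 2-3 carry the frame type
        if (fc0 >> 2) & 0x3 == 0 and fc0 >> 4 == 8:  # management subtype 8 = beacon
            counts["beacon"] += 1
    return counts

def constructed_pcap():
    """Constructed sample: 2 beacons, 1 ACK, 1 QoS data frame (dummy bodies)."""
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)      # version, pad, length=8, no fields
    frames = [b"\x80\x00", b"\x80\x00", b"\xd4\x00", b"\x88\x01"]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RADIOTAP)
    for fc in frames:
        pkt = radiotap + fc + bytes(22)
        out += struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
    return out

if __name__ == "__main__":
    print(dict(count_frame_types(constructed_pcap())))
```

Running it over a file written on the Pi and one written on the laptop for the same minute shows directly whether the shortfall is in data frames only or across all frame types.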