Installation of Wireshark:
$ sudo pacman -S wireshark

If you run Wireshark as a non-root user at this stage, you will get
the message “No interface can be used for capturing in this system with the current configuration.”.
The following steps fix this by letting members of the wireshark group run the capture helper dumpcap with the capabilities it needs, so that Wireshark itself stays unprivileged.

  1. Create the wireshark group.
    $ sudo groupadd wireshark    # Usually unnecessary: the package installation already creates this group.

  2. Add your username to the wireshark group
    $ sudo usermod -a -G wireshark YOUR_USER_NAME

  3. Change the group ownership of file dumpcap to wireshark
    $ sudo chgrp wireshark /usr/bin/dumpcap

  4. Change the mode of the file dumpcap to allow execution by the group wireshark
    $ sudo chmod 750 /usr/bin/dumpcap

  5. Grant the capabilities with setcap. See capabilities(7), setcap(8) and cap_from_text(3) for what "cap_net_raw", "cap_net_admin" and "eip" mean. Once the capabilities are granted, dumpcap can perform the privileged network operations it needs: use RAW and PACKET sockets, and bind to any address for transparent proxying.
    $ sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap

  6. Verify the change
    $ sudo getcap /usr/bin/dumpcap
    Output should be like below (newer libcap versions print the same capabilities without the " = "):
    /usr/bin/dumpcap = cap_net_admin,cap_net_raw=eip

  7. At this point, log out of Manjaro and back in so that the new group membership takes effect.



To run Wireshark itself as root instead (the capability approach above is preferable, since it keeps the Wireshark GUI and its dissectors unprivileged and elevates only dumpcap):
$ gksu -u root /usr/bin/wireshark
$ sudo wireshark



Adjust the time format: View -> Time Display Format



Packages:
  • Arch Linux: iwconfig is in extra/wireless_tools, airmon-ng in community/aircrack-ng
  • Debian family: sudo apt-get install aircrack-ng


  • iwconfig: NetworkManager will switch the interface back to managed mode
  • airmon-ng: a single command is enough
  • iw: the replacement for iwconfig

The commands below add a virtual interface mon0 and put mon0 into monitor mode. The effect is almost the same as airmon-ng above: wlan0 stays in managed mode and the new mon0 runs in monitor mode. After adding the virtual interface, remember to bring it up with ifconfig up, then set the frequency with the last command.

# iw dev wlan0 interface add mon0 type monitor

# ifconfig mon0 up

# iw dev mon0 set freq 2437


# First check the current wireless interface, then switch it to monitor mode
sudo airmon-ng start wlan0
# Check again: after a successful switch a mon interface appears, and Wireshark can capture on it (promiscuous mode)
sudo airmon-ng stop mon0
service NetworkManager restart


iwconfig wlan0 # First check the current mode of the interface; here it is managed
sudo ifconfig wlan0 down # Bring wlan0 down first
sudo iwconfig wlan0 mode monitor # Switch the interface to monitor mode
sudo ifconfig wlan0 up # Bring wlan0 back up
iwconfig wlan0 # The interface now shows monitor mode, and Wireshark can capture on it

sudo ifconfig wlan0 down # Bring the interface down first
sudo iwconfig wlan0 mode managed # Switch back to managed mode
sudo ifconfig wlan0 up # Bring it up again
service NetworkManager restart # If there is still no network access, try restarting the service

Wireshark 802.11 filter rules


wlan.da - Destination address (Destination Hardware Address)
wlan.sa - Source address (Source Hardware Address)
wlan.addr - Source or Destination address (Source or Destination Hardware Address)
wlan.ra - Receiver address (Receiving Station Hardware Address)
wlan.ta - Transmitter address (Transmitting Hardware Address)
wlan.bssid - BSS id (Basic Service Set ID)
wlan_mgt.ssid - SSID (Indicates the identity of an ESS or IBSS); in Wireshark 2.4 and later this field is named wlan.ssid
wlan.fc.type_subtype - Type/Subtype (type and subtype combined: the first hex digit is the type, the second the subtype)
Management frame: wlan.fc.type == 0
Control frame: wlan.fc.type == 1
Data frame: wlan.fc.type == 2
Association request: wlan.fc.type_subtype == 0x00
Association response: wlan.fc.type_subtype == 0x01
Reassociation request: wlan.fc.type_subtype == 0x02
Reassociation response: wlan.fc.type_subtype == 0x03
Probe request: wlan.fc.type_subtype == 0x04
Probe response: wlan.fc.type_subtype == 0x05
Beacon: wlan.fc.type_subtype == 0x08
Disassociate: wlan.fc.type_subtype == 0x0A
Authentication: wlan.fc.type_subtype == 0x0B
Deauthentication: wlan.fc.type_subtype == 0x0C
Action frame: wlan.fc.type_subtype == 0x0D
Block ACK request: wlan.fc.type_subtype == 0x18
Block ACK: wlan.fc.type_subtype == 0x19
Power save poll: wlan.fc.type_subtype == 0x1A
Request to send: wlan.fc.type_subtype == 0x1B
Clear to send: wlan.fc.type_subtype == 0x1C
ACK: wlan.fc.type_subtype == 0x1D
Contention free period end: wlan.fc.type_subtype == 0x1E
NULL data: wlan.fc.type_subtype == 0x24
QoS data: wlan.fc.type_subtype == 0x28
Null QoS data: wlan.fc.type_subtype == 0x2C
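The table above lists the filter fields but not where their values come from. The following Python script is an added example, not part of these notes: it decodes the frame-control byte of a constructed 802.11 MAC header into wlan.fc.type and wlan.fc.type_subtype (type in the high nibble, subtype in the low nibble), maps the address fields to wlan.da, wlan.sa, wlan.ra, wlan.ta and wlan.bssid according to the frame type and the To DS / From DS flags, and builds a matching display filter from the result. The MAC addresses and frame bytes are constructed samples, and only a subset of the subtype names is included.

```python
# Added example (not from the original notes): decode the 802.11 frame-control
# field and the address fields into the Wireshark filter fields listed above.
# All frames and MAC addresses below are constructed samples.

TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data"}

# Subset of Wireshark's wlan.fc.type_subtype values: (type << 4) | subtype
SUBTYPE_NAMES = {
    0x00: "Association request", 0x01: "Association response",
    0x04: "Probe request", 0x05: "Probe response", 0x08: "Beacon",
    0x0A: "Disassociate", 0x0B: "Authentication", 0x0C: "Deauthentication",
    0x0D: "Action frame", 0x1A: "Power save poll", 0x1B: "Request to send",
    0x1C: "Clear to send", 0x1D: "ACK", 0x20: "Data", 0x24: "NULL data",
    0x28: "QoS data", 0x2C: "Null QoS data",
}


def mac(raw: bytes) -> str:
    """Render 6 address bytes the way Wireshark prints them."""
    return ":".join(f"{b:02x}" for b in raw)


def decode(frame: bytes) -> dict:
    """Return the filter-field view of one 802.11 MAC header."""
    fc0, fc1 = frame[0], frame[1]          # frame control, little-endian
    ftype = (fc0 >> 2) & 0x3               # bits 2-3: wlan.fc.type
    subtype = (fc0 >> 4) & 0xF             # bits 4-7: wlan.fc.subtype
    type_subtype = (ftype << 4) | subtype  # what wlan.fc.type_subtype shows
    to_ds, from_ds = fc1 & 0x1, (fc1 >> 1) & 0x1
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]

    out = {
        "type": ftype,
        "type_name": TYPE_NAMES.get(ftype, "Reserved"),
        "type_subtype": type_subtype,
        "name": SUBTYPE_NAMES.get(type_subtype, "unknown"),
        "protected": bool(fc1 & 0x40),     # wlan.fc.protected
    }
    if ftype == 0:
        # Management: A1 = DA = RA, A2 = SA = TA, A3 = BSSID
        out.update(ra=mac(a1), da=mac(a1), ta=mac(a2), sa=mac(a2), bssid=mac(a3))
    elif ftype == 1:
        # Control: ACK and CTS carry only RA; RTS and PS-Poll add TA
        out["ra"] = mac(a1)
        if subtype in (0xA, 0xB):
            out["ta"] = mac(a2)
        if subtype == 0xA:                 # PS-Poll: A1 is the BSSID
            out["bssid"] = mac(a1)
    else:
        # Data: which address is DA/SA/BSSID depends on the To DS / From DS flags
        out["ra"], out["ta"] = mac(a1), mac(a2)
        if not to_ds and not from_ds:      # IBSS / direct
            out.update(da=mac(a1), sa=mac(a2), bssid=mac(a3))
        elif from_ds and not to_ds:        # AP -> station
            out.update(da=mac(a1), bssid=mac(a2), sa=mac(a3))
        elif to_ds and not from_ds:        # station -> AP
            out.update(bssid=mac(a1), sa=mac(a2), da=mac(a3))
        else:                              # WDS, four-address frame (A4 follows seq ctl)
            out.update(da=mac(a3), sa=mac(frame[24:30]))
    return out


def display_filter(d: dict) -> str:
    """Filter that matches frames of this subtype within the same BSS."""
    parts = [f"wlan.fc.type_subtype == 0x{d['type_subtype']:02x}"]
    if "bssid" in d:
        parts.append(f"wlan.bssid == {d['bssid']}")
    return " && ".join(parts)


# Constructed sample headers: FC(2) Duration(2) A1 A2 A3 SeqCtl(2); made-up MACs
AP = bytes.fromhex("02aabbcc0001")
STA = bytes.fromhex("02aabbcc0002")
BCAST = bytes.fromhex("ffffffffffff")
SEQ = b"\x00\x00"
BEACON = bytes([0x80, 0x00, 0, 0]) + BCAST + AP + AP + SEQ    # type 0, subtype 8
DEAUTH = bytes([0xC0, 0x00, 0, 0]) + STA + AP + AP + SEQ      # type 0, subtype 12
ACK = bytes([0xD4, 0x00, 0, 0]) + STA                          # type 1, subtype 13, RA only
QOS_DATA = bytes([0x88, 0x41, 0, 0]) + AP + STA + BCAST + SEQ  # type 2, subtype 8, To DS + protected

if __name__ == "__main__":
    for label, frame in [("beacon", BEACON), ("deauth", DEAUTH), ("ack", ACK), ("qos", QOS_DATA)]:
        d = decode(frame)
        print(f"{label:7} {d['name']:18} filter: {display_filter(d)}")
```

Running the script prints, for each sample, the subtype name from the table and a filter such as `wlan.fc.type_subtype == 0x08 && wlan.bssid == 02:aa:bb:cc:00:01`, which can be pasted into Wireshark's display filter bar as-is. The address mapping for data frames is why `wlan.addr` is often more convenient than `wlan.sa` or `wlan.da` when a station's traffic crosses both directions through an AP.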

Summary of common techniques for analysing 802.11 WLAN frames in Wireshark: