Ethereal-users: Re: [Ethereal-users] RE: WLAN cards and Ethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Thu, 6 Sep 2001 13:09:20 -0700 (PDT)
> According to him they have to write their own drivers for WLAN-cards since
> none of them have promiscuous mode capabilities. They have written drivers for
> Cisco Aironet and Symbol, and drivers to Lucent are coming. Maybe it is
> possible to get it separately, I didn't ask (though I fear they will prefer
> not to enable others to compete with their product).

...and it may not be the case that those drivers support promiscuous
mode using the standard NDIS interface, that interface being what
WinPcap uses.  The Sniffer software might use its own interface to
capture packets.

If so, even those drivers won't help.

> From: maynard [mailto:maynard@xxxxxxxxxxxxxx]
> Sent: 6. september 2001 10:10
> To: trane@xxxxxxxxx
> Subject: re: WLAN cards and Ethereal
> 
> 
> I noticed your post on ethereal-users when I was scanning the archives, I
> have the exact same problem (can only see outgoing traffic using an
> orinoco card and linksys access point). However - I did notice some MAC
> addresses in the capture, and discovered that all the incoming traffic to
> the card was on the LLC protocol. ie my access point is not using tcp to
> talk to the card (kinda freaky)

*ALL* traffic, other than management traffic, on 802.11 networks is on
the LLC protocol - even TCP traffic!

802.2 LLC is a protocol that runs on top of various LAN link layers,
such as 802.3 (i.e., "Ethernet with a length field rather than a type
field", although most protocols run on top of Ethernet rather than
802.3+802.2), 802.5 Token Ring, FDDI, and 802.11.

IP can run on top of 802.2, or on top of 802.2 plus SNAP (Sub-Network
Access Protocol); usually, it runs on 802.2+SNAP, rather than raw 802.2.

TCP runs on top of IP - or IPv6, which also runs atop 802.2+SNAP -
so TCP can run on top of LLC.

I.e., just because there's 802.2 LLC traffic, that doesn't mean there's
not TCP traffic.  Ethereal's perfectly capable of recognizing
IP-over-LLC, and IP-over-LLC+SNAP, and IPv4-over-LLC+SNAP, and perfectly
capable of recognizing TCP over IP, so if there's TCP-over-IP-over-LLC
traffic in a capture (*and* if the packets weren't captured with a
snapshot length so short as to cut off the TCP headers; Ethereal
defaults to 65535 as a snapshot length, which is more than enough, but
tcpdump defaults to 68, which isn't enough for the full TCP header),
it'll show you TCP traffic.

What were the protocols running on top of LLC in your capture?
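
The layering and the snapshot-length caveat described in the message above, as an added example that is not part of the original post or of Ethereal's code: a small classifier that walks LLC, SNAP, IPv4 and TCP and reports where a short capture cuts the stack off. The function names, the constructed sample packet, and the assumption that a 24-byte 802.11 data header precedes LLC are all illustrative.

```python
import struct

LLC_SNAP = b"\xaa\xaa\x03"   # DSAP 0xAA, SSAP 0xAA, control 0x03 (UI frame)
DOT11_HDR_LEN = 24           # assumption: plain 802.11 data header precedes LLC

def classify_llc(payload: bytes) -> list:
    """Name the protocols stacked on 802.2 LLC; payload starts at the LLC header."""
    if len(payload) < 3:
        return ["truncated LLC header"]
    if payload[:3] != LLC_SNAP:
        return ["LLC", f"DSAP 0x{payload[0]:02x}"]   # raw 802.2, no SNAP
    if len(payload) < 8:
        return ["LLC", "truncated SNAP header"]
    stack = ["LLC", "SNAP"]
    oui, ethertype = payload[3:6], struct.unpack("!H", payload[6:8])[0]
    if oui != b"\x00\x00\x00" or ethertype != 0x0800:
        return stack + [f"OUI {oui.hex()} type 0x{ethertype:04x}"]
    stack.append("IPv4")
    ip = payload[8:]
    if len(ip) < 20:
        return stack + ["truncated IPv4 header"]
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20:
        return stack + ["malformed IPv4 header"]
    if ip[9] != 6:                    # IP protocol 6 is TCP
        return stack + [f"IP protocol {ip[9]}"]
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return stack + ["truncated TCP header"]
    sport, dport = struct.unpack("!HH", tcp[:4])
    stack.append(f"TCP {sport}->{dport}")
    if len(tcp) < (tcp[12] >> 4) * 4: # data offset covers TCP options too
        stack.append("truncated TCP options")
    return stack

def snap(payload: bytes, snaplen: int) -> bytes:
    """Cut the frame at snaplen bytes, counted from the start of the 802.11 header."""
    return payload[:max(0, snaplen - DOT11_HDR_LEN)]

# Constructed sample: LLC+SNAP, then an IPv4 header and a 20-byte TCP SYN header.
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
TCP_HDR = struct.pack("!HHIIBBHHH", 1025, 80, 0, 0, 0x50, 0x02, 8192, 0, 0)
SAMPLE = LLC_SNAP + b"\x00\x00\x00\x08\x00" + IP_HDR + TCP_HDR

if __name__ == "__main__":
    for snaplen in (65535, 68):
        print(snaplen, classify_llc(snap(SAMPLE, snaplen)))
```

Under the assumed 24-byte 802.11 header, a 68-byte snapshot leaves 8 bytes of LLC+SNAP, 20 of IPv4 and only 16 of the 20-byte TCP header, so the ports are present but the header is incomplete.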