Ethereal-users: Re: [Ethereal-users] RE: WLAN cards and Ethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: maynard <maynard@xxxxxxxxxxxxxx>
Date: Thu, 6 Sep 2001 18:36:25 -0700 (PDT)
On Thu, 6 Sep 2001, Guy Harris wrote:

> > According to him they have to write their own drivers for WLAN-cards since
> > none of them have promiscuous mode capabilities. They have written drivers for
> > Cisco Aironet and Symbol, and drivers to Lucent are coming. Maybe it is
> > possible to get it separately, I didn't ask (though I fear they will prefer
> > not to enable others to compete with their product).
> 
> ...and it may not be the case that those drivers support promiscuous
> mode using the standard NDIS interface, that interface being what
> WinPcap uses.  The Sniffer software might use its own interface to
> capture packets.
> 
> If so, even those drivers won't help.
> 
> > From: maynard [mailto:maynard@xxxxxxxxxxxxxx]
> > Sent: 6. september 2001 10:10
> > To: trane@xxxxxxxxx
> > Subject: re: WLAN cards and Ethereal
> > 
> > 
> > I noticed your post on ethereal-users when I was scanning the archives, I
> > have the exact same problem (can only see outgoing traffic using an
> > orinoco card and linksys access point). However - I did notice some MAC
> > addresses in the capture, and discovered that all the incoming traffic to
> > the card was on the LLC protocol. ie my access point is not using tcp to
> > talk to the card (kinda freaky)
> 
> *ALL* traffic, other than management traffic, on 802.11 networks is on
> the LLC protocol - even TCP traffic!
> 
> 802.2 LLC is a protocol that runs on top of various LAN link layers,
> such as 802.3 (i.e., "Ethernet with a length field rather than a type
> field", although most protocols run on top of Ethernet rather than
> 802.3+802.2), 802.5 Token Ring, FDDI, and 802.11.
> 
> IP can run on top of 802.2, or on top of 802.2 plus SNAP (Sub-Network
> Access Protocol); usually, it runs on 802.2+SNAP, rather than raw 802.2.
> 
> TCP runs on top of IP - or IPv6, which also runs on top of 802.2+SNAP -
> so TCP can run on top of LLC.
> 
> I.e., just because there's 802.2 LLC traffic, that doesn't mean there's
> not TCP traffic.  Ethereal's perfectly capable of recognizing
> IP-over-LLC, and IP-over-LLC+SNAP, and IPv4-over-LLC+SNAP, and perfectly
> capable of recognizing TCP over IP, so if there's TCP-over-IP-over-LLC
> traffic in a capture (*and* if the packets weren't captured with a
> snapshot length so short as to cut off the TCP headers; Ethereal
> defaults to 65535 as a snapshot length, which is more than enough, but
> tcpdump defaults to 68, which isn't enough for the full TCP header),
> it'll show you TCP traffic.
> 
> What were the protocols running on top of LLC in your capture?
> 

That's the thing - there were not any protocols on top of LLC (for
incoming) that I could see in the capture (using the ethereal default
length) - that's why I thought it was odd. And for the outgoing packets the
capture does not show an LLC layer under the TCP etc...

here is an example outgoing capture

source            dest
168.192.1.100    213.189.207.68
Frame 10
 Ethernet II
  IP
   TCP

and an example incoming capture

source                dest
00:04:5a:ce:3a:99    00:02:2d:2c:f7:24
Frame 11
 IEEE 802.3 Ethernet
  Logical-Link Control
   Data 

that's why I was confused...


Also - I hear that the 4.x firmware/drivers for orinoco (wavelan) support
promiscuous mode, but I hesitate to install them, mostly because Net
Stumbler claims it does not work with exactly those drivers - so I have to
choose - do I want to use net stumbler or ethereal....


JDM
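
Added example, not part of the original thread and not Ethereal's code: a minimal classifier for the layering discussed above. It tells Ethernet II from 802.3+LLC by the type/length field, follows LLC+SNAP down to IP and TCP, and flags a TCP header cut off by a 68-byte snapshot length. The function names and sample frames are constructed for illustration.

```python
import struct

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

def network_layers(ethertype, payload):
    """Layers above the link layer, given an Ethernet type and its payload."""
    name = ETHERTYPES.get(ethertype)
    if name is None:
        return ["Data"]
    if name != "IPv4" or len(payload) < 20 or payload[9] != 6:
        return [name]                        # only IPv4 carrying TCP is decoded further
    tcp = payload[(payload[0] & 0x0F) * 4:]  # skip the IPv4 header (IHL is in 32-bit words)
    # The TCP data offset (header length in 32-bit words) is the high nibble of byte 12.
    if len(tcp) < 13 or len(tcp) < (tcp[12] >> 4) * 4:
        return [name, "TCP (header cut off by snapshot length)"]
    return [name, "TCP"]

def classify(frame):
    """Name the layers in a captured Ethernet-style frame, bottom up."""
    if len(frame) < 14:
        return ["truncated"]
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    body = frame[14:]
    if type_or_len >= 0x0600:                # Ethernet II: the field is a type
        return ["Ethernet II"] + network_layers(type_or_len, body)
    layers = ["IEEE 802.3 Ethernet", "LLC"]  # field is a length, 802.2 LLC follows
    # LLC is DSAP, SSAP, control. AA/AA/03 announces a SNAP header (3-byte OUI,
    # 2-byte protocol ID); OUI 00-00-00 means the ID is an Ethernet type.
    if body[:3] == b"\xaa\xaa\x03" and len(body) >= 8:
        layers.append("SNAP")
        if body[3:6] == b"\x00\x00\x00":
            pid = struct.unpack("!H", body[6:8])[0]
            return layers + network_layers(pid, body[8:])
    return layers + ["Data"]

# Constructed sample frames (MAC addresses are the ones in the capture above).
MACS = bytes.fromhex("00022d2cf724") + bytes.fromhex("00045ace3a99")
IPV4 = bytes.fromhex("4500003400004000400600000a0000010a000002")  # proto 6, no options
TCP = struct.pack("!HHIIBBHHH", 1025, 80, 0, 0, 8 << 4, 0x10, 8192, 0, 0) + bytes(12)
ETH2_TCP = MACS + b"\x08\x00" + IPV4 + TCP
SNAP_TCP = MACS + struct.pack("!H", 8 + len(IPV4) + len(TCP)) \
    + b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + IPV4 + TCP
RAW_LLC = MACS + struct.pack("!H", 7) + b"\x42\x42\x03" + b"\x00" * 4

if __name__ == "__main__":
    for label, frame in [("Ethernet II", ETH2_TCP), ("LLC+SNAP", SNAP_TCP),
                         ("LLC+SNAP, snaplen 68", SNAP_TCP[:68]), ("LLC only", RAW_LLC)]:
        print(f"{label:22} {' / '.join(classify(frame))}")
```

The last sample has the same shape as the incoming frame in the message: an 802.3 length field followed by an LLC header that is not SNAP, so nothing above LLC can be identified from the headers alone.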