Ethereal-users: Re: [Ethereal-users] Sniffing 801.11 packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 31 Dec 2003 01:34:15 -0800

On Wed, Dec 31, 2003 at 04:57:04PM +0800, Ow Mun Heng wrote:
> Netgear MA401-RA
> hostap_cs drivers

You might want to ask the hostap mailing list about promiscuous mode.

> Also tried with intel pro/wireless 2100 using ndiswrapper

NDIS drivers are not the best ones for wireless sniffing; many people
want to capture 802.11 traffic on their Windows boxes, and many of them
ask the Ethereal mailing list why it's not working - the answer is
probably that the driver doesn't handle promiscuous mode very well (and
doesn't handle monitor mode at all; there's no NDIS API to request
monitor mode, or, for that matter, to ask for packets with 802.11
headers rather than Ethernet headers).

> > > I'm not sure if it's because the AP is acting as a switch or a hub. 
> > > Prior to this, like a month back, I was able to sniff traffic going 
> > > through the AP.
> > 
> > Have you changed either the kernel or the 802.11 card?
> 
> Kernel has been changed.. was using 2.4.22-ac4 back then.. I believe it was 
> using wireless.h version 15
> 
> Now changed to kernel 2.4.23 which I believe is using wireless.h version 16
> 
> iwconfig is compiled using wireless.h version 16

So is the hostap driver part of the kernel, or do you have to download
it separately?  If it's downloaded separately, did you change versions
of the hostap drivers?

You might want to ask the hostap list about this.

> > 
> > Are you capturing in promiscuous mode or monitor mode?
> > 
> 
> Promiscuous mode. 

OK, then it *should* be capturing traffic, if the driver supports
promiscuous mode and the card implements it.

(Can new firmware be uploaded to the card?  If so, did you change the
firmware?)

> If you think it could be a kernel change issue, I will boot back into my old
> kernel and see the effects.

It's worth trying, to see what difference it makes.

> Again, since this is 802.11 traffic, everything's in the air. I should be
> able to sniff it right? The logic's right, right? Otherwise, why would I hear
> about 'secure your APs' and 'warchalking'...

Yes, if the card supports it, and the driver supports it, *and*, as I
understand it, the traffic is being sent on the channel the card is
listening on, you should be able to capture it (I've captured traffic
between our iBook and our access point on FreeBSD 4.6 with an Aironet
card in promiscuous mode, as well as monitor mode).
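
An added example (not part of the original message and not Ethereal code): a check on a saved capture file for the two conditions discussed above, whether the driver delivered 802.11 or Ethernet headers, and whether the capture contains any unicast frames between other stations, which a working promiscuous capture should. The function names, MAC addresses and sample captures are constructed for illustration.

```python
import struct

# pcap LINKTYPE_ values (tcpdump.org registry)
LINKTYPES = {1: "Ethernet", 105: "IEEE 802.11",
             119: "Prism + 802.11", 127: "radiotap + 802.11"}
# First four bytes of a classic pcap file -> struct byte-order prefix
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # usec stamps
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nsec stamps

def diagnose(pcap: bytes, own_mac: bytes) -> dict:
    """Report link type, frame count, and unicast frames between other stations."""
    if len(pcap) < 24 or pcap[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    end = MAGICS[pcap[:4]]
    linktype = struct.unpack(end + "I", pcap[20:24])[0] & 0xFFFF
    result = {"linktype": LINKTYPES.get(linktype, f"other ({linktype})"),
              "frames": 0, "foreign_unicast": 0}
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + caplen]
        if len(frame) < caplen:
            break                      # truncated final record
        off += 16 + caplen
        result["frames"] += 1
        # MAC comparison is only done for Ethernet-framed captures
        if linktype == 1 and caplen >= 14:
            dst, src = frame[0:6], frame[6:12]
            # group bit clear = unicast; count it if we are neither end
            if not dst[0] & 1 and own_mac not in (dst, src):
                result["foreign_unicast"] += 1
    return result

# Constructed sample data (locally administered MACs, not from the thread)
ME, AP, OTHER = (bytes.fromhex(f"02000000000{i}") for i in (1, 2, 3))
BCAST = b"\xff" * 6

def sample(linktype: int, frames: list) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def eth(dst, src):
    return dst + src + b"\x08\x00" + b"\x00" * 46

OWN_ONLY = sample(1, [eth(AP, ME), eth(BCAST, OTHER)])
PROMISC = sample(1, [eth(AP, ME), eth(BCAST, OTHER), eth(AP, OTHER)])
```

A capture taken in promiscuous mode on a busy channel that still reports `foreign_unicast` of 0 is consistent with the driver or card not honouring promiscuous mode.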