Wireshark-users: Re: [Wireshark-users] I see no captured packets at all

From: "Hans Nilsson" <hasse_gg@xxxxxxxx>
Date: Tue, 02 Jan 2007 17:27:36 -1100
Ok, actually I've never tried it. There's probably going to be some some
conflicts/collisions that you can't or, hopefully, can overcome.


On Tue, 2 Jan 2007 15:14:14 -0500, "Small, James"
<JSmall@xxxxxxxxxxxxxx> said:
> Hans,
> 
> That's an interesting idea.  I just tried it under XP SP2 (two laptops
> on same AP, same SSID/channel).  However, even after disabling
> gratuitous ARPs, I could not get both laptops to associate to the same
> SSID on the same AP when I set the second monitoring laptop to have the
> same MAC (tried with same IP, different IPs and didn't work).  As soon
> as a second laptop/client associates with the same MAC, the first
> laptop/client would get knocked off.
> 
> Perhaps this has something to do with the underlying 802.11 "management"
> frames and my Cisco AP which I can't see because I have not yet got
> AirPcap.  But it's on my list now!
> 
> I probably just have to spend some time reading through the 802.11 specs
> - I'm sure it's my not understanding enough about how the underlying
> "media-type" works.
> 
> --Jim
> 
> > -----Original Message-----
> > From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-
> > bounces@xxxxxxxxxxxxx] On Behalf Of Hans Nilsson
> >
> > Maybe you could change the MAC-address of the Wireless card (or
> bridge?)
> > to the MAC-address of the gateway in the network? That way your NIC
> will
> > accept all traffic going to and from the gateway (and you because you
> > have the same MAC-address). Because the MAC-adress in those packets is
> > the same as your MAC-address it'll accept the packets. Although there
> > migh be some conflicts, maybe you could also turn off ARP on your
> > computer so it doesn't confuse the rest of the network.
> > 
> > 
> > On Tue, 2 Jan 2007 09:17:29 -0500, "Small, James"
> > <JSmall@xxxxxxxxxxxxxx> said:
> > > Yep--that's it.  Thanks Guy.
> > >
> > > Also, just for the record, I tried capturing under WinPcap under XP,
> SP2
> > > both using the Microsoft Bridge and just using my wireless adapter
> in
> > > non-promiscuous mode (Intel Pro Wireless 2200BG built-in to a Dell
> > > Latitude D610).
> > >
> > > My particular wireless card will only capture if I don't enable
> > > promiscuous mode.  Interestingly enough, if I don't have the
> Microsoft
> > > Bridge installed with the wireless card as a bridge adapter, then I
> > > won't see multicast traffic groups that my host didn't join (in
> other
> > > words I don't see most multicast traffic).  Once I setup the
> Microsoft
> > > Bridge, then I can capture normally (using promiscuous mode) using
> the
> > > bridge and all multicast traffic shows up using either the bridge or
> the
> > > wireless card (although still must capture on wireless card with
> > > promiscuous mode off).
> > >
> > > Note that in any case, I can not see non-broadcast/non-multicast
> traffic
> > > which is not destined to my wireless card.  For this you would need
> the
> > > AirPcap adapter.
> > >
> > > --Jim
> > >
> 
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
-- 
  Hans Nilsson
  hasse_gg@xxxxxxxx

-- 
http://www.fastmail.fm - Accessible with your email software
                          or over the web