Wireshark-users: Re: [Wireshark-users] Wireless recommendation

From: Andreas Fink <afink@xxxxxxx>
Date: Wed, 21 Mar 2007 09:15:57 +0100

On 21.03.2007, at 06:03, David Schweinsberg wrote:


On 20/03/2007, at 9:34 PM, Andreas Fink wrote:

the traffic showing is opening the device in promiscious mode which  
still has the same problem as it can not count on wlt1 while en1 is  
connected.

Sorry Andreas, are you saying that the Airport Extreme still has the  
problem that it can't enter promiscuous mode?  Certainly that would  
explain the problem I'm seeing.

Regards,

David


The airport card in the Intel MacBooks and Intel iMacs is being driven by the Apple closed source driver.
This driver is done in a way that when you go into promiscuous mode (you open the wlt1 device to be precise), your en1 device which is connecting your computer with this interface is being disconnected. in other words, you can listen PASSIVELY but not be active on the wireless lan at the same time.

If you listen ACTIVELY (your own traffic going to the wireless lan) you can listen on the en1 device instead of the wlt1 device. In that case you see ethernet frames, not 802.11a/b/g/n frames. The problem in wireshark was that it was always scanning through the device list to show traffic on the various devices. So once it hit wlt1, en1 got disconnected. So that interface had to be skipped. This has been incorporated in libpcap's cvs version which I bundled with that installer.

Its a limit introduced by Apple or by the hardware itself (Apple has not said anything officially about the problem yet).

Capturing your own traffic in active mode or listening passively should however be sufficient in 99% of the cases.



Andreas Fink

Fink Consulting GmbH
Global Networks Schweiz AG
BebbiCell AG

---------------------------------------------------------------
Tel: +41-61-6666330 Fax: +41-61-6666331  Mobile: +41-79-2457333
Address: Clarastrasse 3, 4058 Basel, Switzerland
www.finkconsulting.com www.global-networks.ch www.bebbicell.ch
---------------------------------------------------------------
ICQ: 8239353 MSN: msn1@xxxxxx AIM: smsrelay Skype: andreasfink
Yahoo: finkconsulting SMS: +41792457333