Wireshark-users: Re: [Wireshark-users] Promiscuous mode on MacBook Pro

From: Daniel Briley <daniel.briley@xxxxxxxxxxxxx>
Date: Thu, 7 Jan 2010 19:42:11 +0000
Thanks for the replies. I've already read and aware of the content in the links you've provided. I understand the difference between prom/monitor mode and I've also followed the guide relating to MacOS specifically. My question still stands - Is anyone able to shed some light on why promiscuous mode might not work in my situation?

Many thanks

Daniel

On 6 Jan 2010, at 20:58, Daniel Briley wrote:

> Hi
> 
> I'm attempting to use Wireshark to monitor WiFi traffic between my mobile phone and my local WiFi network. I'm using a MacBook Pro with OS 10.6.2 installed. I have Wireshark 1.2.5 (SVN Rev 31296). It's the MacOS package from the Wireshark site. I've installed the Chmod script which gives me access to /dev/bpf*. I'm assuming this is working correctly as I'm able to capture from the WiFi no problem. The issue I'm encountering is when I try and use promiscuous mode to monitor WiFi traffic from my mobile phone. Entering promiscuous mode in Wireshark seems to make no difference. I still only see broadcast, mulitcast and unicast traffic to and from my laptop. No other traffic is visible. Using the ifconfig terminal command I can confirm that the interface has the PROMISC flag added to it while Wireshark is capturing, so I was expecting it to work. Monitor mode also seems to work, but I only get low level 802.11 traffic from various SSIDs around me. I'm using the laptop's internal Airport Express card, which is actually an Atheros AR5008 chip as far as I can tell.
> 
> I've read all the Wireshark docs that I can find on the subject, which has got me this far. Can anyone help me out? Is it a case of everything reporting correctly but the drivers aren't actually honouring promiscuous mode? It seems odd that monitor mode would work well but promisc support would be broken. Any ideas?
> 
> Many thanks
> 
> Daniel