Wireshark-users: Re: [Wireshark-users] Promiscuous/Monitor Modes

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 13 Nov 2013 12:35:46 -0800

On Nov 13, 2013, at 9:24 AM, Daniel <neagarudan@xxxxxxxxx> wrote:

> According to the Wireshark study guide by Laura Chappell, the wireless adapter can have 4 combinations of monitor/promiscuous mode configurations. I don't get one single configuration: when monitor mode is enabled, but promiscuous mode is disabled. As far as I understood, the host won't be associated with any AP, because it's in the monitor mode. In addition, the adapter won't capture any frames with a destination different than its own MAC address, because it's in the promiscuous mode. This means no traffic will be captured. What's the use of this configuration? Or did I understand something wrong?

You *did* understand something wrong:

	As far as I understood, the host won't be associated with any AP, because it's in the monitor mode.

That isn't necessarily true - some driver/OS/network adapter combinations can remain associated while in monitor mode.  I just tried capturing on the (Broadcom BCM43xx) adapter on my MacBook Pro, running OS X 10.8.5, in monitor+non-promiscuous mode, and it remained associated with our Wi-Fi network, and captured traffic going to my machine from another machine, but didn't capture traffic being sent by my machine, and didn't capture any traffic from that other machine *other* than traffic sent to my machine.

Whether the adapter in question even has a notion of promiscuous mode, and whether turning monitor mode on for the adapter also turns on promiscuous mode, or whether the driver does that, is another matter.  A quick look at the brcm80211 driver in the Linux 3.11 source tree seems to indicate that it might.