Promiscuous mode capturing

  1. #1
    Member
    Join Date
    Dec 2003
    Posts
    41

    Promiscuous mode capturing

    Hi, I have a Dell TrueMobile 1180 wireless card. I noticed that when using wpcap with WinDump or Ethereal, I don't always get other people's packets from our wireless access point.
    I am using XP. Newer Dell laptops (like the Latitude D800 with the dual-band Dell Wireless 1450) have third-party network conversations readily available when packets are captured on a wireless network (their wireless network card captures everything, as if they were wired to a hub or to a switch with a mirrored port).
    Has anyone else noticed the same with older wireless cards, and has anyone found a solution to this?

    Thanks

  2. #2
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    I'm having the same problem. I'm working on fixing it as we speak and will try to update if/when I figure it out. In the meantime, if you find a fix, let me know.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  3. #3
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    The trouble here is standards? In promiscuous mode on a wireless network you will drop packets because only Ethernet (802.3) frames are captured, not 802.11. That is one issue that can be overcome with RFMON. Another issue is channel hopping, depending on your 802.11x technology.

    I'll dig up some references.

    //EDIT This doesn't say what I said "exactly" but here is one link:

    Ethereal

    Q 5.37: How can I capture raw 802.11 packets, including non-data (management, beacon) packets?

    A: That depends on the operating system on which you're running, and on the 802.11 interface on which you're capturing.

    This would probably require that you capture in promiscuous mode or in the mode called "monitor mode" or "RFMON mode". On some platforms, or with some cards, this might require that you capture in monitor mode - promiscuous mode might not be sufficient. If you want to capture traffic on networks other than the one with which you're associated, you will have to capture in monitor mode.

    Not all operating systems support capturing non-data packets and, even on operating systems that do support it, not all drivers, and thus not all interfaces, support it. Even on those that do, monitor mode might not be supported by the operating system or by the drivers for all interfaces.

    NOTE: an interface running in monitor mode will, on most if not all platforms, not be able to act as a regular network interface; putting it into monitor mode will, in effect, take your machine off of whatever network it's on as long as the interface is in monitor mode, allowing it only to passively capture packets.

    This means that you should disable name resolution when capturing in monitor mode; otherwise, when Ethereal (or Tethereal, or tcpdump) tries to display IP addresses as host names, it will probably block for a long time trying to resolve the name because it will not be able to communicate with any DNS or NIS servers.

    There are FAQ items below with information on capturing in monitor mode on Linux, FreeBSD, and NetBSD.

    On Windows, you will not be able to capture in monitor mode on any interfaces, and you might not be able to capture in promiscuous mode, either. You might have some success in promiscuous mode with Centrino interfaces, although you will need Ethereal 0.10.6 or later in order to have the non-data packets recognized and properly dissected.

    You will not be able to capture in monitor mode on any other platforms (including Mac OS X). You might be able to capture in promiscuous mode, but this won't capture non-data packets.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  4. #4
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    I use Kismet and open up the dump files in Ettercap or Ethereal. That way you get traffic on multiple SSIDs and from different boxes. Can't use it from Windows though, since you don't have RFMON mode, but you can boot from Knoppix and use it if your chipset is supported.

  5. #5
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    I solved the problem by using a different set of drivers than the Dell ones.

  6. #6
    Member
    Join Date
    Dec 2003
    Posts
    41
    XTC46, could you elaborate a bit on the drivers?

    RoadClosed, how is it a channel hopping issue? Also, if it's the 802.3 issue, why then am I able to capture the third-party communication on the same wireless network using some of the later Dell laptops?

  7. #7
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Some drivers make the jump to 802.3 and support monitor mode. That's why sometimes it works, sometimes it doesn't. Even with Linux, driver support is critical. I didn't mean it was a channel hopping issue point blank, but that could be related. As in making an educated assumption. For example, if they are using some of the speed burst technologies out there, some cards will be on multiple channels where you are only on 1. You couldn't possibly see all data while hanging on a wireless card, unless connected to a hard-wire input. And then only if it was directed at port and not another wireless device.

    //EDIT FYI, 802.3 is Ethernet, where the infamous Carrier Sense Multiple Access comes in. Some drivers and OS's just don't pass all the packets.
