WiFi Sniffing, what sees what, and why do I only see broadcasts in Promiscuous mode

[don_berry at comcast.net (Don Berry)]

802.11b devices CANNOT decode 802.11g frames since they use different RF
modulation. DSSS vs. OFDM 

 

802.11b devices see 802.11g frames as noise. The backward compatibility is
accomplished by having 802.11g devices send a NULL frame with the duration
field set to the length of time that the current frame will take, the SIF
time (Short Inter Frame spacing) and the time that the 802.11g frame will
take. This way no 802.11b device will even attempt to access the media (RF)
until after the duration timer has expired.

 

Joshua Wrote..

 

> 1. What does a 802.11b sniffer on a 802.11g network see when in Monitor

> mode?

 

An 802.11b card in monitor mode will see all traffic sent with DSSS

encoding including all management frames and data frames sent at rates

of 11 Mbps or lower.

 

> 2. What does a 802.11b sniffer on a 802.11g network see when in

> Promiscuous mode?

 

This is highly dependent on the driver implementation.  It is not a

hardware issue; the driver could be written to pass almost all frames to

the OS in promisc mode.  It's all about the software here.

 

 

These statements are somewhat incorrect as it is a hardware issue, not
software. b cards will decode frames received in DSSS, but not frames in
OFDM.

 

 

-----Original Message-----
From: pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Joshua Wright
Sent: Tuesday, November 11, 2008 9:07 AM
To: pauldotcom at mail.pauldotcom.com
Subject: Re: [Pauldotcom] WiFi Sniffing, what sees what, and why do I only
see broadcasts in Promiscuous mode

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

> I seem to remember back in the day being able to sniff with a 802.11b

> card in Promiscuous on an open network and being able to see everything

> (except management frames of course). On an 802.11g network with an 11g

> card I would only see some of the traffic not destined for me. On

> 802.11n I only see my traffic and broadcast (unless of course I ARP

> poison). Why is this? Is it because g and n talk on more channels that

> the sniffing card may not see at the time?

 

Unfortunately, this is all due to artificial restrictions implemented by

the driver vendor and nothing more.  Some drivers will allow you to see

all frames when the interface is placed in promisc mode, others will

return no packets (even those meant for your station), others will only

show you traffic for your station or broadcast/multicast.

 

> 1. What does a 802.11b sniffer on a 802.11g network see when in Monitor

> mode?

 

An 802.11b card in monitor mode will see all traffic sent with DSSS

encoding including all management frames and data frames sent at rates

of 11 Mbps or lower.

 

> 2. What does a 802.11b sniffer on a 802.11g network see when in

> Promiscuous mode?

 

This is highly dependent on the driver implementation.  It is not a

hardware issue; the driver could be written to pass almost all frames to

the OS in promisc mode.  It's all about the software here.

 

> 3. What does a 802.11g sniffer on a 802.11b network see when in Monitor

> mode?

 

An 802.11g sniffer in monitor mode will see all traffic from 802.11b

networks.

 

> 4. What does a 802.11g sniffer on a 802.11b network see when in

> Promiscuous mode?

 

Again, software issue.  I'm sorry this answer sucks. ;(

 

> Repeat all of the above questions for 802.11n as well.

 

802.11n gets more complicated.  802.11n includes support for both 2.4

GHz and 5 GHz, but let's focus just on 2.4 GHz for the moment.

 

An 802.11g monitor mode adapter sniffing an 802.11n network will see

lots of data, but will not see any frames transmitted in High-Throughput

 (HT) mode, 40-MHz mode or Green Field Mode (GF).  If you want to sniff

an 802.11n network, you need an 802.11n card capable of monitor mode

sniffing (such as the CACE AirPcap 802.11n card,

http://www.cacetech.com/products/airpcap-n.htm).

 

> I plan to do some systematic tests soon and post results, but my

> hardware is limited and as I stated before, lack of support with some

> chipsets does complicate maters. As best as I can tell so far these may

> be the answers:

>

> 1. Just 802.11 management traffic (beacons and such) and broadcast
traffic.

> 2. Just broadcast traffic.

> 3. Everything.

> 4. Everything but 802.11 management traffic (beacons and such).

 

These findings are helpful, but are indicative for only your selected

hardware and driver combinations (and then, different versions of

drivers may behave differently WRT promisc mode).

 

Hope this helps. :)

 

- -Josh

 

p.s. Catch me on the podcast on 1/20!

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.9 (MingW32)

 

iEYEARECAAYFAkkZu70ACgkQapC4Te3oxYzRcQCfRAQc80ZJSxedcBHauMYpwhvz

NXoAnjVprOfSXfbR2/rVNWgG3IBuVw7b

=cZfT

-----END PGP SIGNATURE-----

_______________________________________________

Pauldotcom mailing list

Pauldotcom at mail.pauldotcom.com

http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom

Main Web Site: http://pauldotcom.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20081111/284bd636/attachment.htm