WiFi Sniffing, what sees what, and why do I only see broadcasts in Promiscuous mode

[paul at pauldotcom.com (Paul Asadoorian)]

Thanks Josh! Wireless drivers are like a box of chocolates, they all
suck because I hate chocolate :)

We've got a Wiki page on Recommended WiFi cards here:

http://pauldotcom.com/wiki/index.php/Recommended_WiFi_Cards

If you would like to help us update this list and would like a wiki
account, please send email to psw at pauldotcom.com and request it.  Maybe
we can even add a section for wireless drivers as well.

Oh, and do check out Josh in episode 129, Part II discussing the latest
TKIP attacks:

http://pauldotcom.com/2008/11/pauldotcom-security-weekly-epi-177.html

I took the photo on the blog post/album art at our favorite Sushi
restaurant :)

Cheers,

Paul

Joshua Wright wrote:
> > I seem to remember back in the day being able to sniff with a 802.11b
> > card in Promiscuous on an open network and being able to see everything
> > (except management frames of course). On an 802.11g network with an 11g
> > card I would only see some of the traffic not destined for me. On
> > 802.11n I only see my traffic and broadcast (unless of course I ARP
> > poison). Why is this? Is it because g and n talk on more channels that
> > the sniffing card may not see at the time?
>
> Unfortunately, this is all due to artificial restrictions implemented by
> the driver vendor and nothing more.  Some drivers will allow you to see
> all frames when the interface is placed in promisc mode, others will
> return no packets (even those meant for your station), others will only
> show you traffic for your station or broadcast/multicast.
>
> > 1. What does a 802.11b sniffer on a 802.11g network see when in Monitor
> > mode?
>
> An 802.11b card in monitor mode will see all traffic sent with DSSS
> encoding including all management frames and data frames sent at rates
> of 11 Mbps or lower.
>
> > 2. What does a 802.11b sniffer on a 802.11g network see when in
> > Promiscuous mode?
>
> This is highly dependent on the driver implementation.  It is not a
> hardware issue; the driver could be written to pass almost all frames to
> the OS in promisc mode.  It's all about the software here.
>
> > 3. What does a 802.11g sniffer on a 802.11b network see when in Monitor
> > mode?
>
> An 802.11g sniffer in monitor mode will see all traffic from 802.11b
> networks.
>
> > 4. What does a 802.11g sniffer on a 802.11b network see when in
> > Promiscuous mode?
>
> Again, software issue.  I'm sorry this answer sucks. ;(
>
> > Repeat all of the above questions for 802.11n as well.
>
> 802.11n gets more complicated.  802.11n includes support for both 2.4
> GHz and 5 GHz, but let's focus just on 2.4 GHz for the moment.
>
> An 802.11g monitor mode adapter sniffing an 802.11n network will see
> lots of data, but will not see any frames transmitted in High-Throughput
>  (HT) mode, 40-MHz mode or Green Field Mode (GF).  If you want to sniff
> an 802.11n network, you need an 802.11n card capable of monitor mode
> sniffing (such as the CACE AirPcap 802.11n card,
> http://www.cacetech.com/products/airpcap-n.htm).
>
> > I plan to do some systematic tests soon and post results, but my
> > hardware is limited and as I stated before, lack of support with some
> > chipsets does complicate maters. As best as I can tell so far these may
> > be the answers:
>
> > 1. Just 802.11 management traffic (beacons and such) and broadcast traffic.
> > 2. Just broadcast traffic.
> > 3. Everything.
> > 4. Everything but 802.11 management traffic (beacons and such).
>
> These findings are helpful, but are indicative for only your selected
> hardware and driver combinations (and then, different versions of
> drivers may behave differently WRT promisc mode).
>
> Hope this helps. :)
>
> -Josh
>
> p.s. Catch me on the podcast on 1/20!
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

-- 
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 257 bytes
Desc: OpenPGP digital signature
Url : http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20081111/750975af/attachment.pgp