Re: 802.11B and libpcap

[Andrew Brown <atatat () atatdot net>]

> what exactly is the different then between 'monitor' mode and
> promiscuous mode? I took a look at AirSnort, and it seems to be using
> raw sockets or something, but for sure not libpcap. Was that decision
> made just out of convenience? Couldn't AirSnort (or at least its
> packet acquisition piece) be re-written to use libpcap? Then it
> should work with other hacked drivers like the Cisco as well.

promiscuous mode passes all network traffic received *and*
successfully decrypted (regardless of the destination hardware address
on the transmitted packet) up to the operating system.  this includes
arp, ip, ipx, or anything else that runs over regular ethernet.

monitor mode passes all 802.11 traffic up to the operating system
*without* trying to decrypt it.  i imagine this includes all regular
"ethernet" traffic, along with 802.11 management frames, etc.

802.11 cards are usually usable when in promiscuous mode, except for
some cards that do not transmit packets when in promiscuous mode.
802.11 cards are almost certainly *not* usable when in monitor mode,
unless your kernel is doing the rc4 decryption.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior () daemon org             * "ah!  i see you have the internet
twofsonet () graffiti com (Andrew Brown)                that goes *ping*!"
andrew () crossbar com       * "information is power -- share the wealth."

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/