RE: 802.11B and libpcap

[Anton Rager <a_rager () yahoo com>]

Frank,

Monitor mode allows raw capture of 802.11 frames. 
This includes beacons, probes, and additional wireless
headers.

Promiscuous mode captures ethernet frames within the
802.11 fame, but skips the 802.11 headers.

Another difference is that standard pmode allows the
card to still RX and TX while capturing -- but monitor
mode should put the wireless card in RX only mode.

There are two ways to read these frames from monitor
mode:

1 - With prism based cards and linux-wlan, prismdump
can be used to capture the 802.11 frames.  Ethereal
can then be used to decode the frames into a readable
format. [This is what the current public WEPCrack
uses]
2 - Libpcap can be patched to retrieve the 802.11 info
directly.  [This is what Airsnort uses, as well as the
next release of WEPCrack].  linux-wlan-ng can be
patched to do this, and the Cisco linux drivers also
have this capability.  There is a difference between
the Cisco and Wlan libpcap data because both cards add
an additional vendor header to the 802.11 frame.

I currently have code that works with prismdump,
linux-wlan libpcap, and Cisco aironet libcap that I
will be releasing to our site soon.  Supposedly it is
possible to configure Symbol based cards [Symbol,
Nortel, Intel, 3Com] for monitor mode as well, but I
have not been able to find drivers that can do this
yet.

Anton Rager

WEPCrack author
wepcrack.sourceforge.net

--- Frank Knobbe <FKnobbe () KnobbeITS com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > -----Original Message-----
> > From: Robert van der Meulen
> [mailto:rvdm () cistron nl]
> > Sent: Sunday, September 16, 2001 8:33 AM
> >
> > Quoting Ronny Vaningh (ronny.vaningh () be uu net):
> > > Also, what is so special in the PRISMII cards
> that airsnort 
> > only works
> > > with them, and can you recommend any card in
> particular.
> > The only thing i could make out from the driver
> sources of 
> > the prismII and
> > the hermes-based cards, is that the 'MONITOR' mode
> currently 
> > only works in
> > the prismII driver; you need 'MONITOR' mode for
> stuff like this.
>
>
> Robert,
>
> what exactly is the different then between 'monitor'
> mode and
> promiscuous mode? I took a look at AirSnort, and it
> seems to be using
> raw sockets or something, but for sure not libpcap.
> Was that decision
> made just out of convenience? Couldn't AirSnort (or
> at least its
> packet acquisition piece) be re-written to use
> libpcap? Then it
> should work with other hacked drivers like the Cisco
> as well.
>
> Regards,
> Frank
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Personal Privacy 6.5.8
> Comment: PGP or S/MIME (X.509) encrypted email
> preferred.
iQA/AwUBO6YId5ytSsEygtEFEQJx8wCgnSWHaZ4sL0e66XsyaqZDoq8VgvgAoLzJ
> VgjqfvEUSm4ha36Cfy7IbvJb
> =j0h0
> -----END PGP SIGNATURE-----
----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security
> Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA
> service which
> automatically alerts you to the latest security
> vulnerabilities please see:
> https://alerts.securityfocus.com/


__________________________________________________
Terrorist Attacks on U.S. - How can you help?
Donate cash, emergency relief information
http://dailynews.yahoo.com/fc/US/Emergency_Information/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/