tcpdump mailing list archives

Re: libpcap, 802.11 and promiscuous mode


From: Guy Harris <guy () alum mit edu>
Date: Mon, 21 Jun 2004 12:45:51 -0700


On Jun 21, 2004, at 3:39 AM, claudio72 () free fr wrote:

I am working on a project that involves sniffing 802.11 traffic.
I am using an Orinoco-based WLAN card.

I read that libpcap is not suitable as it is to sniff 802.11.

Libpcap 0.7 and later should be able to handle 802.11 on Linux *IF* the Linux driver supports it, and should be able to handle 802.11 on FreeBSD 4.6 or later with Aironet cards (but not Orinoco cards).

Libpcap 0.8 and later should be able to handle 802.11 on Linux if the driver supports it, should be able to handle 802.11 on FreeBSD 4.6 or later with Aironet cards, and, I think, should be able to handle 802.11 on FreeBSD 5.2 or later, and NetBSD 2.0-BETA or later, with Prism II-based cards, Atheros cards, and *possibly* Orinoco-based cards.

There might also be support on some versions of OpenBSD.

According to what I found out, libpcap has to be patched to do that

Only older versions do; see above.

but the patch works only if the WLAN card is set in monitor mode.

Is this true?

It might be. It depends on what 802.11 traffic you want to capture.

Some 802.11 cards (perhaps all of them) might supply only data packets - *NOT* management or control packets - if the card isn't in monitor mode. This is *NOT* something libpcap can do anything about; it's something the driver would have to do something about, *IF* the driver can even do *ANYTHING* about it (if it's a limitation of the card, there isn't even anything the driver can do about it).

I don't know whether that's true of some cards, all cards, or no cards. I suspect that those cards that can run in "host AP" mode can, at least in theory, supply at least some management packets, as the host would need to see those packets in "host AP" mode. I don't, however, know

1) whether the Orinoco cards support "host AP" mode;

2) if they do, whether the Linux Orinoco driver or drivers support "host AP" mode, and whether any of the BSD "wi" drivers support "host AP" mode on Orinoco cards (as opposed to Prism II cards - the "wi" drivers handle both Orinoco and Prism II cards on the BSDs);

3) if they do, whether, when you're capturing traffic, they supply management packets to the application;

4) if they do, whether you get *all* management packets received by the card or just some of them;

Is there a way to use libpcap libraries to sniff 802.11 packets keeping the
wireless card in promiscuous mode?

5) whether they do that in promiscuous mode as well as non-promiscuous mode.

Note also that, to run Orinoco cards in monitor mode, you'd need to patch older versions of the Linux driver:

        http://airsnort.shmoo.com/orinocoinfo.html

and that some or all of the BSD "wi" drivers might not support monitor mode on Orinoco cards.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
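
An added example (not part of the original message, and not libpcap code): a small C check for the question discussed above, whether a capture contains management and control frames or only data frames. It assumes each buffer starts at the 802.11 MAC header, as with libpcap link type DLT_IEEE802_11 and no radio header in front; the struct and function names and the sample frames are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 802.11 frame types: bits 2-3 of the first Frame Control byte. */
enum { T_MGMT = 0, T_CTRL = 1, T_DATA = 2, T_RSVD = 3 };

struct frame { const uint8_t *bytes; size_t len; };
struct tally { unsigned count[4]; unsigned truncated; };

/* Frame type, or -1 if the buffer cannot hold the 2-byte Frame Control field. */
int dot11_type(const uint8_t *p, size_t len)
{
    return (p == NULL || len < 2) ? -1 : (p[0] >> 2) & 0x3;
}

/* Count frames per type; assumes each buffer starts at the 802.11 MAC header. */
struct tally tally_frames(const struct frame *f, size_t n)
{
    struct tally t = { {0, 0, 0, 0}, 0 };
    for (size_t i = 0; i < n; i++) {
        int type = dot11_type(f[i].bytes, f[i].len);
        if (type < 0) t.truncated++; else t.count[type]++;
    }
    return t;
}

/* True when data frames arrived but no management or control frames did. */
int data_only(const struct tally *t)
{
    return t->count[T_DATA] > 0 && !t->count[T_MGMT] && !t->count[T_CTRL];
}

/* Constructed sample headers (not captured traffic). */
static const uint8_t beacon[] = { 0x80, 0x00 }, ack[] = { 0xd4, 0x00 };
static const uint8_t data_f[] = { 0x08, 0x02 }, qos[] = { 0x88, 0x01 }, runt[] = { 0x80 };
static const struct frame full_view[] = { {beacon, 2}, {ack, 2}, {data_f, 2}, {runt, 1} };
static const struct frame data_view[] = { {data_f, 2}, {qos, 2} };

int main(void)
{
    struct tally a = tally_frames(full_view, 4), b = tally_frames(data_view, 2);
    printf("full: mgmt=%u ctrl=%u data=%u short=%u data_only=%d\n",
           a.count[T_MGMT], a.count[T_CTRL], a.count[T_DATA], a.truncated, data_only(&a));
    printf("data: mgmt=%u ctrl=%u data=%u short=%u data_only=%d\n",
           b.count[T_MGMT], b.count[T_CTRL], b.count[T_DATA], b.truncated, data_only(&b));
    return 0;
}
```

A capture whose tally comes back with data_only set matches the case described in the message, where the card or driver passes up data frames but no management or control frames.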

