Wireshark mailing list archives

Re: Promiscuous/Monitor Modes


From: Guy Harris <guy () alum mit edu>
Date: Wed, 13 Nov 2013 12:35:46 -0800


On Nov 13, 2013, at 9:24 AM, Daniel <neagarudan () gmail com> wrote:

According to the Wireshark study guide by Laura Chappell, the wireless adapter can have 4 combinations of 
monitor/promiscuous mode configurations. I don't get one single configuration: when the monitor mode is enabled, but 
the promiscuous is disabled. As far as I understood, the host won't be associated with any AP, because it's in the 
monitor mode. In addition, the adapter won't capture any frames with a destination different than its own MAC 
address, because it's in the promiscuous mode. This means no traffic will be captured. What's the use of this 
configuration? Or did I understand something wrong?

You *did* understand something wrong:

        As far as I understood, the host won't be associated with any AP, because it's in the monitor mode.

That isn't necessarily true - some driver/OS/network adapter combinations can remain associated while in monitor mode.  
I just tried capturing on the (Broadcom BCM43xx) adapter on my MacBook Pro, running OS X 10.8.5, in 
monitor+non-promiscuous mode, and it remained associated with our Wi-Fi network, and captured traffic going to my 
machine from another machine, but didn't capture traffic being sent by my machine, and didn't capture any traffic from 
that other machine *other* than traffic sent to my machine.

Whether the adapter in question even has a notion of promiscuous mode, and whether turning monitor mode on for the 
adapter also turns on promiscuous mode, or whether the driver does that, is another matter.  A quick look at the 
brcm80211 driver in the Linux 3.11 source tree seems to indicate that it might.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>