
Thread: 802.11 promiscuous mode in wireshark capturing inbound but not outbound packets


  1. #1 (dcnoren)

    802.11 promiscuous mode in wireshark capturing inbound but not outbound packets

    Ok,

    I had backtrack 3 a while ago on my little Samsung NC10 netbook, but never quite got some things working. I switched to a hard drive install of Fedora 10 with KDE, since I'm very familiar with Fedora and KDE from running some servers.

    I installed the madwifi drivers (ath5k came by default on Fedora), and blacklisted ath5k, and everything is working just fine, except for one problem:

    When I capture on my own wireless network in promiscuous mode, I only see inbound packets (internet to a computer on the LAN), but never see the outbound HTTP GET or POST request. I don't *think* it's an issue with filtering... I'm filtering to show ALL HTTP protocol packets.

    Now, if I put the card into monitor mode (no longer associated with my network) and put my WEP (yes, I know... but we have some old hardware that won't work with WPA) key into the protocol section of wireshark and ask it to decrypt the packets, I can see both outbound and inbound traffic.

    Any ideas why I can't see outbound packets in promiscuous mode?

    I'm running Fedora 10 kernel 2.6.27 on a Samsung NC10 (Atheros 5007EG card) with 2GB RAM.

  2. #2

    Quote Originally Posted by dcnoren:
    When I capture on my own wireless network in promiscuous mode, I only see inbound packets (internet to a computer on the LAN), but never see the outbound HTTP GET or POST request. I don't *think* it's an issue with filtering... I'm filtering to show ALL HTTP protocol packets.

    Now, if I put the card into monitor mode (no longer associated with my network) and put my WEP (yes, I know... but we have some old hardware that won't work with WPA) key into the protocol section of wireshark and ask it to decrypt the packets, I can see both outbound and inbound traffic.

    Any ideas why I can't see outbound packets in promiscuous mode?

    I'm running Fedora 10 kernel 2.6.27 on a Samsung NC10 (Atheros 5007EG card) with 2GB RAM.
    Is the traffic you are sniffing WEP-encrypted to start with? If so, Wireshark won't be able to identify specific protocols, just that the packet is of type "data".

    Of course, when you put in the WEP key and decode, Wireshark can now see the specific protocols.

    If that scenario is not your problem, try moving to a different location and see if you can capture both sides of the conversation. Use an omnidirectional antenna, or reposition your directional antenna (if that is what you are using).

  3. #3

    Yes, the traffic is WEP-encrypted. Wireshark just won't capture anything with a destination other than a 192.168.x.x IP when I'm monitoring in promiscuous mode while connected to the network.

    Like I said, it works just fine if I disconnect the network, and bring up a virtual interface in monitor mode. The WEP key in the protocols section decodes the packets, and I can see everything.

    I find it odd I can see everything when disassociated from the network, but when in the network can only see traffic with destination IPs of the LAN.

    One interesting thing is that when capturing while associated with a network (capturing on device wlan0), I can only capture in the Ethernet link-layer header type. When in monitor mode and disassociated from the network, I can capture in 802.11 mode.

    Maybe I'm missing something obvious...
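    The two observations in the post above (an associated card only offers an Ethernet link-layer header, and only frames heading toward LAN hosts show up) both follow from how 802.11 data frames are addressed, which an added example makes concrete. This is illustration code written for this thread, not code from any poster, from madwifi or from Wireshark. It parses constructed 802.11 data frames, applies the ToDS/FromDS address table from the 802.11 standard to produce the Ethernet (DLT_EN10MB) frame a managed-mode driver hands up, and emulates an "associated + promiscuous" acceptance filter. That filter is an assumption that models what the poster saw (frames sent by the AP are delivered, frames from other stations to the AP are addressed to the BSSID and are not), and the MAC addresses and HTTP payloads are constructed sample data.

```python
import struct

BROADCAST = b"\xff" * 6
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"   # RFC 1042 encapsulation preceding the EtherType


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def parse_80211(frame):
    """Split the MAC header of an 802.11 frame; enough for plain and QoS data frames."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    h = {
        "type": (fc >> 2) & 0x3,          # 0 mgmt, 1 control, 2 data
        "subtype": (fc >> 4) & 0xF,
        "to_ds": bool(fc & 0x0100),
        "from_ds": bool(fc & 0x0200),
        "protected": bool(fc & 0x4000),   # body is WEP/TKIP/CCMP ciphertext
        "addr1": frame[4:10], "addr2": frame[10:16], "addr3": frame[16:22],
    }
    off = 24
    if h["to_ds"] and h["from_ds"]:       # WDS frames carry a fourth address
        h["addr4"] = frame[24:30]
        off = 30
    if h["type"] == 2 and h["subtype"] & 0x8:   # QoS data adds a 2-byte QoS control field
        off += 2
    h["body"] = frame[off:]
    return h


def address_roles(h):
    """(DA, SA, BSSID) from the ToDS/FromDS address table of IEEE 802.11."""
    if not h["to_ds"] and not h["from_ds"]:
        return h["addr1"], h["addr2"], h["addr3"]
    if h["from_ds"] and not h["to_ds"]:        # AP -> station: "inbound" toward the LAN host
        return h["addr1"], h["addr3"], h["addr2"]
    if h["to_ds"] and not h["from_ds"]:        # station -> AP: "outbound" HTTP GET/POST
        return h["addr3"], h["addr2"], h["addr1"]
    return h["addr3"], h["addr4"], None         # WDS: addr1/addr2 are receiver/transmitter


def to_ethernet(frame):
    """The Ethernet (DLT_EN10MB) frame a managed-mode driver hands to libpcap.
    The 802.11 header is discarded, so direction is lost, and an encrypted body
    cannot be converted at all: the LLC/SNAP header sits inside the ciphertext."""
    h = parse_80211(frame)
    if h["type"] != 2:
        raise ValueError("only data frames become Ethernet frames")
    if h["protected"]:
        raise ValueError("protected frame: decrypt first, or capture in monitor mode")
    if not h["body"].startswith(LLC_SNAP):
        raise ValueError("body is not LLC/SNAP encapsulated")
    da, sa, _ = address_roles(h)
    return da + sa + h["body"][6:8] + h["body"][8:]


def managed_promisc_delivers(h, my_mac, bssid):
    """ASSUMPTION (models the thread's observation, not a rule from the standard):
    an associated card in promiscuous mode hands up data frames sent by its AP,
    whoever they are for, but a frame from another station to the AP has the
    BSSID in addr1 and is dropped unless it is addressed to us or broadcast."""
    if h["type"] != 2:
        return False
    if h["from_ds"] and not h["to_ds"]:
        return h["addr2"] == bssid
    return h["addr1"] in (my_mac, BROADCAST)


def build_data_frame(to_ds, from_ds, addr1, addr2, addr3, body, protected=False):
    fc = (2 << 2) | (0x0100 if to_ds else 0) | (0x0200 if from_ds else 0) | (0x4000 if protected else 0)
    return struct.pack("<HH", fc, 0) + addr1 + addr2 + addr3 + struct.pack("<H", 0) + body


# Constructed sample: our sniffer STA_ME, another LAN host STA_B, the AP, and the gateway.
STA_ME, STA_B = mac("00:aa:aa:aa:aa:01"), mac("00:bb:bb:bb:bb:02")
BSSID, GATEWAY = mac("00:11:22:33:44:55"), mac("00:11:22:33:44:fe")
IPV4 = b"\x08\x00"
HTTP_RESPONSE = LLC_SNAP + IPV4 + b"HTTP/1.1 200 OK\r\n"
HTTP_GET = LLC_SNAP + IPV4 + b"GET / HTTP/1.1\r\n"

SAMPLE = {
    "inbound_to_sta_b": build_data_frame(False, True, STA_B, BSSID, GATEWAY, HTTP_RESPONSE),
    "outbound_from_sta_b": build_data_frame(True, False, BSSID, STA_B, GATEWAY, HTTP_GET),
}


def compare_modes(frames=SAMPLE, my_mac=STA_ME, bssid=BSSID):
    """Which sample frames each capture mode shows."""
    managed, monitor = [], []
    for name, frame in frames.items():
        h = parse_80211(frame)
        monitor.append(name)                 # monitor mode: every frame, 802.11 header intact
        if managed_promisc_delivers(h, my_mac, bssid):
            managed.append(name)
    return {"managed_promisc": managed, "monitor": monitor}


if __name__ == "__main__":
    print(compare_modes())
    print(to_ethernet(SAMPLE["inbound_to_sta_b"]).hex())
```

    Running it shows only the AP-to-host frame surviving the managed-mode filter, while monitor mode lists both, which matches the thread: only a monitor-mode interface offers the 802.11 link-layer type, and only there can Wireshark apply the WEP key to frames in both directions.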

  4. #4

    Hmm, one other interesting thing. I have the WEP keys in wireshark. If I boot up and:

    modprobe ath_pci        # madwifi isn't automatically inserted into kernel
    wlanconfig wlan0 destroy
    airmon-ng start wifi0
    ifconfig ath0 up
    wireshark &

    and attempt to capture on ath0, I cannot decrypt any of the packets. However, if I boot up and:

    modprobe ath_pci
    # **let wifi connect to the network I'm sniffing**
    wlanconfig wlan0 destroy   # this destroys the network I was just on, and want to sniff
    airmon-ng start wifi0
    ifconfig ath0 up
    wireshark &

    and capture on ath0, I can decrypt everything just fine and dandy.

    Is there something with the wifi driver having to "cache" the WEP key or something?
