promiscuous wifi sniffing

[haithan]

hey. i'm new here and this question isn't exactly specific to bt4 but I'm hoping there is somebody here who can answer it. I'm trying to sniff the traffic on my wireless network using wireshark. I've done it using both linux(bt4) and windows, but I can never capture anything reliably.

so for example, i'll sniff from my laptop in promiscuous mode and ping google from my desktop. From the laptop I might catch one or two ICMP packets from this transaction, but I don't get anywhere near all of the packets that I know are being transmitted from the desktop. Most of the time i don't get anything except broadcasts and packets addressed to me(the laptop). When I start the capture in wireshark, my logs(dmesg) show that the card enters promiscuous mode, so why am I not capturing what I expect to? I'm like 2 inches from the computer i'm trying to intercept from.

edit: i'm using a usb adapter with a rtl8187L chipset, it uses the rtl8187 driver

[jimmyd]

I'm like 2 inches from the computer i'm trying to intercept from.

Well, that could be the problem right there. With wireless closer doesn't always mean better. You can overpower the AP leading to corruption or lost packets. Try moving a yard or two away and see if that helps.

[TAPE]

I was trying this for a while as well, using wireshark / tcpdump.

My reasoning was that when connected to the network, I should just be able to run
Wireshark or TCPDUMP in promiscuous mode and capture all network traffic.
Didnt work out for me.

In the end I ended up doing a MiTM to get what I wanted which works fine.

So in BT4 ;
>first get connected to your AP.
(assume interface wlan0)

> start up a MiTM session with ettercap ;
(assume APmac 192.168.1.1 and ClientMAC that you are targetting 192.168.1.100)

Code:

ettercap -Tq -i wlan0 -M arp:remote /192.168.1.1/ /192.168.1.100/

You could then run wireshark to get a live view of whats going on or otherwise
to get a pcap capture file write one direct from ettercap ;

Code:

ettercap -Tq -i wlan0 -M arp:remote /192.168.1.1/ /192.168.1.100/ -w pcapfilename

[haithan]

I'll try it further from the router, but I'm not expecting much. A mitm is an option, but it's not very subtle. The wireshark wiki says this:

In promiscuous mode the MAC address filter mentioned above is disabled and all packets of the currently joined 802.11 network (with a specific SSID and channel) are captured, just as in traditional Ethernet.
This seems to work on Linux and various BSDs, including Mac OS X. On Windows, putting 802.11 adapters into promiscuous mode is usually crippled, see the Windows section below.
Promiscuous mode can be enabled in the Wireshark Capture Options.

I find that especially frustrating because I can put my card into monitor mode(in linux), and in order for this protocol to work my card has to be seeing all those frames. All promiscuous mode does is stop the filter for other mac addresses, this happens at the driver level, right?(it seems like it should be easy to implement).

[TAPE]

Well I would be very interested to hear if you are able to capture all traffic from all clients
(when connected to wireless network) in some way with either tcpdump or wireshark.

I failed miserably when trying to do so, also when trying different adapters.

Keep us updated svp !

[streaker69]

hey. i'm new here and this question isn't exactly specific to bt4 but I'm hoping there is somebody here who can answer it. I'm trying to sniff the traffic on my wireless network using wireshark. I've done it using both linux(bt4) and windows, but I can never capture anything reliably.

so for example, i'll sniff from my laptop in promiscuous mode and ping google from my desktop. From the laptop I might catch one or two ICMP packets from this transaction, but I don't get anywhere near all of the packets that I know are being transmitted from the desktop. Most of the time i don't get anything except broadcasts and packets addressed to me(the laptop). When I start the capture in wireshark, my logs(dmesg) show that the card enters promiscuous mode, so why am I not capturing what I expect to? I'm like 2 inches from the computer i'm trying to intercept from.

edit: i'm using a usb adapter with a rtl8187L chipset, it uses the rtl8187 driver

If your desktop is wired to your router via CAT5, then this behavior is normal. You have a switched network, so you capturing packets via a wireless interface are only going to capture packets bound for your machine, broadcast packets and other packets that are being transmitted via the wireless interface of the router. All other packets will not go out over the wireless, thus is the nature of a switched network.

[haithan]

the desktop is connected to the network via a usb wifi adapter. also, the network is totally unencrypted because my roommates are dumb, lazy, and don't listen to me.

[Barry]

If your desktop is wired to your router via CAT5, then this behavior is normal. You have a switched network, so you capturing packets via a wireless interface are only going to capture packets bound for your machine, broadcast packets and other packets that are being transmitted via the wireless interface of the router. All other packets will not go out over the wireless, thus is the nature of a switched network.

This is also called "Networking 101".

[Ghost40]

the desktop is connected to the network via a usb wifi adapter. also, the network is totally unencrypted because my roommates are dumb, lazy, and don't listen to me.

From what i've read so far, I don't think they have much to worry about...


Sorry, had to throw that in there

Adding to what the above have stated. I am thinking you need to start learning the basics of networking. I am not trying to be a pain, or flame you in any way. Just trying to help you out.

[haithan]

uh... what exactly did i say that led you to believe that I don't know the basics of networking?