hey. i'm new here and this question isn't exactly specific to bt4 but I'm hoping there is somebody here who can answer it. I'm trying to sniff the traffic on my wireless network using wireshark. I've done it using both linux(bt4) and windows, but I can never capture anything reliably.
so for example, i'll sniff from my laptop in promiscuous mode and ping google from my desktop. From the laptop I might catch one or two ICMP packets from this transaction, but I don't get anywhere near all of the packets that I know are being transmitted from the desktop. Most of the time i don't get anything except broadcasts and packets addressed to me(the laptop). When I start the capture in wireshark, my logs(dmesg) show that the card enters promiscuous mode, so why am I not capturing what I expect to? I'm like 2 inches from the computer i'm trying to intercept from.
edit: i'm using a usb adapter with a rtl8187L chipset, it uses the rtl8187 driver
Last edited by haithan; 03-17-2010 at 08:00 AM.
I was trying this for a while as well, using wireshark / tcpdump.
My reasoning was that when connected to the network, I should just be able to run
Wireshark or TCPDUMP in promiscuous mode and capture all network traffic.
Didnt work out for me.
In the end I ended up doing a MiTM to get what I wanted which works fine.
So in BT4 ;
>first get connected to your AP.
(assume interface wlan0)
> start up a MiTM session with ettercap ;
(assume APmac 192.168.1.1 and ClientMAC that you are targetting 192.168.1.100)
You could then run wireshark to get a live view of whats going on or otherwiseCode:ettercap -Tq -i wlan0 -M arp:remote /192.168.1.1/ /192.168.1.100/
to get a pcap capture file write one direct from ettercap ;
Code:ettercap -Tq -i wlan0 -M arp:remote /192.168.1.1/ /192.168.1.100/ -w pcapfilename
I'll try it further from the router, but I'm not expecting much. A mitm is an option, but it's not very subtle. The wireshark wiki says this:I find that especially frustrating because I can put my card into monitor mode(in linux), and in order for this protocol to work my card has to be seeing all those frames. All promiscuous mode does is stop the filter for other mac addresses, this happens at the driver level, right?(it seems like it should be easy to implement).In promiscuous mode the MAC address filter mentioned above is disabled and all packets of the currently joined 802.11 network (with a specific SSID and channel) are captured, just as in traditional Ethernet.
This seems to work on Linux and various BSDs, including Mac OS X. On Windows, putting 802.11 adapters into promiscuous mode is usually crippled, see the Windows section below.
Promiscuous mode can be enabled in the Wireshark Capture Options.
Well I would be very interested to hear if you are able to capture all traffic from all clients
(when connected to wireless network) in some way with either tcpdump or wireshark.
I failed miserably when trying to do so, also when trying different adapters.
Keep us updated svp !
A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
the desktop is connected to the network via a usb wifi adapter. also, the network is totally unencrypted because my roommates are dumb, lazy, and don't listen to me.
Sorry, had to throw that in there
Adding to what the above have stated. I am thinking you need to start learning the basics of networking. I am not trying to be a pain, or flame you in any way. Just trying to help you out.
uh... what exactly did i say that led you to believe that I don't know the basics of networking?