Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: promiscuous wifi sniffing

  1. #1
    Just burned his ISO
    Join Date
    Mar 2010
    Posts
    5

    Default promiscuous wifi sniffing

    hey. i'm new here and this question isn't exactly specific to bt4 but I'm hoping there is somebody here who can answer it. I'm trying to sniff the traffic on my wireless network using wireshark. I've done it using both linux(bt4) and windows, but I can never capture anything reliably.

    so for example, i'll sniff from my laptop in promiscuous mode and ping google from my desktop. From the laptop I might catch one or two ICMP packets from this transaction, but I don't get anywhere near all of the packets that I know are being transmitted from the desktop. Most of the time i don't get anything except broadcasts and packets addressed to me(the laptop). When I start the capture in wireshark, my logs(dmesg) show that the card enters promiscuous mode, so why am I not capturing what I expect to? I'm like 2 inches from the computer i'm trying to intercept from.

    edit: i'm using a usb adapter with a rtl8187L chipset, it uses the rtl8187 driver
    Last edited by haithan; 03-17-2010 at 08:00 AM.

  2. #2
    Just burned his ISO
    Join Date
    Mar 2010
    Posts
    19

    Default Re: promiscuous wifi sniffing

    Quote Originally Posted by haithan View Post
    I'm like 2 inches from the computer i'm trying to intercept from.
    Well, that could be the problem right there. With wireless closer doesn't always mean better. You can overpower the AP leading to corruption or lost packets. Try moving a yard or two away and see if that helps.

  3. #3
    Very good friend of the forum TAPE's Avatar
    Join Date
    Jan 2010
    Location
    Europe
    Posts
    599

    Default Re: promiscuous wifi sniffing

    I was trying this for a while as well, using wireshark / tcpdump.

    My reasoning was that when connected to the network, I should just be able to run
    Wireshark or TCPDUMP in promiscuous mode and capture all network traffic.
    Didnt work out for me.

    In the end I ended up doing a MiTM to get what I wanted which works fine.

    So in BT4 ;
    >first get connected to your AP.
    (assume interface wlan0)

    > start up a MiTM session with ettercap ;
    (assume APmac 192.168.1.1 and ClientMAC that you are targetting 192.168.1.100)
    Code:
    ettercap -Tq -i wlan0 -M arp:remote /192.168.1.1/ /192.168.1.100/
    You could then run wireshark to get a live view of whats going on or otherwise
    to get a pcap capture file write one direct from ettercap ;

    Code:
    ettercap -Tq -i wlan0 -M arp:remote /192.168.1.1/ /192.168.1.100/ -w pcapfilename

  4. #4
    Just burned his ISO
    Join Date
    Mar 2010
    Posts
    5

    Default Re: promiscuous wifi sniffing

    I'll try it further from the router, but I'm not expecting much. A mitm is an option, but it's not very subtle. The wireshark wiki says this:
    In promiscuous mode the MAC address filter mentioned above is disabled and all packets of the currently joined 802.11 network (with a specific SSID and channel) are captured, just as in traditional Ethernet.
    This seems to work on Linux and various BSDs, including Mac OS X. On Windows, putting 802.11 adapters into promiscuous mode is usually crippled, see the Windows section below.
    Promiscuous mode can be enabled in the Wireshark Capture Options.
    I find that especially frustrating because I can put my card into monitor mode(in linux), and in order for this protocol to work my card has to be seeing all those frames. All promiscuous mode does is stop the filter for other mac addresses, this happens at the driver level, right?(it seems like it should be easy to implement).

  5. #5
    Very good friend of the forum TAPE's Avatar
    Join Date
    Jan 2010
    Location
    Europe
    Posts
    599

    Default Re: promiscuous wifi sniffing

    Well I would be very interested to hear if you are able to capture all traffic from all clients
    (when connected to wireless network) in some way with either tcpdump or wireshark.

    I failed miserably when trying to do so, also when trying different adapters.

    Keep us updated svp !

  6. #6
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default Re: promiscuous wifi sniffing

    Quote Originally Posted by haithan View Post
    hey. i'm new here and this question isn't exactly specific to bt4 but I'm hoping there is somebody here who can answer it. I'm trying to sniff the traffic on my wireless network using wireshark. I've done it using both linux(bt4) and windows, but I can never capture anything reliably.

    so for example, i'll sniff from my laptop in promiscuous mode and ping google from my desktop. From the laptop I might catch one or two ICMP packets from this transaction, but I don't get anywhere near all of the packets that I know are being transmitted from the desktop. Most of the time i don't get anything except broadcasts and packets addressed to me(the laptop). When I start the capture in wireshark, my logs(dmesg) show that the card enters promiscuous mode, so why am I not capturing what I expect to? I'm like 2 inches from the computer i'm trying to intercept from.

    edit: i'm using a usb adapter with a rtl8187L chipset, it uses the rtl8187 driver
    If your desktop is wired to your router via CAT5, then this behavior is normal. You have a switched network, so you capturing packets via a wireless interface are only going to capture packets bound for your machine, broadcast packets and other packets that are being transmitted via the wireless interface of the router. All other packets will not go out over the wireless, thus is the nature of a switched network.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  7. #7
    Just burned his ISO
    Join Date
    Mar 2010
    Posts
    5

    Default Re: promiscuous wifi sniffing

    the desktop is connected to the network via a usb wifi adapter. also, the network is totally unencrypted because my roommates are dumb, lazy, and don't listen to me.

  8. #8
    My life is this forum Barry's Avatar
    Join Date
    Jan 2010
    Posts
    3,817

    Default Re: promiscuous wifi sniffing

    Quote Originally Posted by streaker69 View Post
    If your desktop is wired to your router via CAT5, then this behavior is normal. You have a switched network, so you capturing packets via a wireless interface are only going to capture packets bound for your machine, broadcast packets and other packets that are being transmitted via the wireless interface of the router. All other packets will not go out over the wireless, thus is the nature of a switched network.
    This is also called "Networking 101".

  9. #9
    Member
    Join Date
    Feb 2010
    Location
    Root
    Posts
    121

    Default Re: promiscuous wifi sniffing

    Quote Originally Posted by haithan View Post
    the desktop is connected to the network via a usb wifi adapter. also, the network is totally unencrypted because my roommates are dumb, lazy, and don't listen to me.
    From what i've read so far, I don't think they have much to worry about...


    Sorry, had to throw that in there

    Adding to what the above have stated. I am thinking you need to start learning the basics of networking. I am not trying to be a pain, or flame you in any way. Just trying to help you out.

  10. #10
    Just burned his ISO
    Join Date
    Mar 2010
    Posts
    5

    Default Re: promiscuous wifi sniffing

    uh... what exactly did i say that led you to believe that I don't know the basics of networking?

Page 1 of 2 12 LastLast

Similar Threads

  1. Sickness - Password Sniffing with SSLStrip.
    By sickness in forum BackTrack Videos
    Replies: 35
    Last Post: 09-17-2010, 01:16 PM
  2. ARP Poisoning 101 (Not sniffing info...)
    By Whiskey in forum Beginners Forum
    Replies: 12
    Last Post: 07-15-2010, 02:12 AM
  3. Sickness - Password Sniffing Reloaded.
    By sickness in forum BackTrack Videos
    Replies: 8
    Last Post: 02-06-2010, 01:12 PM
  4. sniffing SSL using ettercap but without false certificate
    By sieger007 in forum Beginners Forum
    Replies: 1
    Last Post: 01-19-2010, 12:39 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •