Wireless sniffing with wireshark in promiscuous mode and AWUS036H problem

[gusak]

Hi,

I'm trying to capture the packets on my wifi router at home and for some reason i can only see incoming packets for my remote PC, no outgoing packets captured in wireshark(same thing with tcpdump).

My wireless card is Alfa AWUS036H USB adapter with mac80211 driver.

i found this post with the same problem.

My built in Broadcom BCM4312 works in promiscuous mode without any problem

Any help will e much appreciated.

[Archangel-Amael]

I am going to guess either it's a problem with your card. Or your commands.
Post the tcpdump command you used and the output. Pastebin the link here. It may help.

[gusak]

I put my card in monitor mode: airmon-ng start wlan1

And then run tcpdump,

here is the command and output http://pastebin.com/MajPafMp

I'm using open network.

[laptopz]

try the same with mon0

[gusak]

i tried on mon0 also - http://pastebin.com/pPDRc0LH

i think on mon0 i don't get even incoming traffic.

In my first post i tested it on Ubuntu where my built in Broadcom worked very well with wireshark in promiscuous mode

I have installed BT RC2 and now Broadcom has the same behavior only incoming packets more than that it is very not stable i get disconnection all the time

[laptopz]

I believe i misunderstood what you are trying to do...
About not seeing outgoung packets : Correct me if i`m wrong, but when in monitor mode the wireless card stops transmitting data and only "sniffs" the current channel...

Here is some WIreshark-FU

[gusak]

What i'm trying to do is to connect my laptop to my own wifi and sniff the network in promiscuous mode on that AP in order to get traffic from different devices connected to it.

The best results i achieved till now is to get incoming/outgoing traffic from my remote pc but with a lot of packet loss/missing packets. And this is when i disconnect my card from the AP, killing all processes that using the card and running it in monitor mode.

My question is can i sniff the network in promiscuous mode while i'm connected to the same AP.

[TAPE]

Now I may be completely wrong here, but I think you are probably dealing with a similar situation
I was on a while ago.
I was basically just wanting to connect to my own network and see what I could get off the
network activity from the other PCs / Laptops connected to my network.
(I do stress this is my own network)

When it comes down to switches you may have to look into a MiTM in order to get the info you
may be looking for.
So do a bit of reading up on ARP spoofing and Ettercap and see if that is going to lead you in the
right direction.


I did a little write up on my stupidity on not finding that out sooner and perhaps you are looking for something similar ;

http://adaywithtape.blogspot.com/2010/03/network-captures-revisited.html

[gusak]

Hi laptopz,

Thanks for the article. It's very useful.

Actually i'm using the same method of entering my card to monitor mode on specific channel and trying to capture the packets from my second PC.

Unfortunately there are a lot of packet loss(around 50%).

I wonder maybe i miss something or the packet loss in monitor mode is something known. I do not expect for 100% of packets, but 50% is to much and you can't reassemble HTTP session for example.

I really need advice here.

[laptopz]

Your answers are all in there. Read chapters "Range in wireless networks", "Interference and Collisions" and the following "Recommendations.."