Thread: Only broadcast packets seen in monitor mode

  1. #1
    Just burned his ISO
    Join Date
    Oct 2012
    Posts
    1

    Only broadcast packets seen in monitor mode

    Hi all,

    I'm posting this in the experts section because I have pretty much exhausted every link I have found on Google regarding this topic, and I'd like some of the most experienced eyes on the problem, because something obscure must be going on.

    Systems tested on
    VirtualBox 4.1.22 VM: Ubuntu 12.10 x64
    VirtualBox 4.1.22 VM: Ubuntu 10.04 x64
    VirtualBox 4.1.22 VM: Backtrack 5 r2
    VirtualBox 4.1.22 VM: Backtrack 5 r3
    Lenovo W530 laptop running Backtrack 5 r2

    Interface
    Alfa AWUS036H - FCC ID UQ2AWUS036H (you can verify the RTL8187L chipset at http://transition.fcc.gov/oet/ea/fccid/ by entering grantee code UQ2 and product code AWUS036H, then clicking "detail" and then "internal photos").

    Problem description
    The problem is that while I'm running wlan0 in monitor mode, I only see broadcast packets (I see ARPs, DHCP transactions, beacons, and other random management and data packets that are being broadcast or multicast). This is the case in kismet, wireshark 1.2.x, 1.4.x, and 1.8.x, and my own packet reader program that uses libpcap. The clients that I have set up running pings and http traffic are connected to an open wireless g network. The computer I am sniffing from is not connected to any network.

    Procedure
    I have tested more configurations than I can list, but I'll try to give a good idea of what I've done.

    The USB wireless card I listed (Alfa AWUS036H) is using the rtl8187 driver. Relevant commands and their outputs are listed below:

    Code:
    # lsusb
    Bus 001 Device 009: ID 0bda:8187 Realtek Semiconductor Corp. RTL8187 Wireless Adapter
    Bus 001 Device 007: ID 80ee:0021  
    Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

    Code:
    # lsmod|grep 80211
    mac80211              238928  1 rtl8187
    cfg80211              148725  2 rtl8187,mac80211

    I've made sure the wireless card is on channel 6, the same channel my open network is on. I have tried both putting wlan0 into monitor mode manually using:

    Code:
    # ifconfig wlan0 down
    # iwconfig wlan0 mode monitor
    # iwconfig wlan0 channel 6
    # ifconfig wlan0 up

    And also using airmon-ng to create a mon0 device:

    Code:
    # airmon-ng start wlan0 6
    Interface	Chipset		Driver
    
    wlan0		RTL8187 	rtl8187 - [phy5]
    				(monitor mode enabled on mon0)

    When using iwconfig, I can verify wlan0 is in monitor mode:

    Code:
    wlan0     IEEE 802.11bg  Mode:Monitor  Frequency:2.437 GHz  Tx-Power=27 dBm   
              Retry  long limit:7   RTS thr:off   Fragment thr:off
              Power Management:off

    When I use iwconfig to put the card into monitor mode manually, I use the interface wlan0 in wireshark and kismet. When using airmon-ng to create a mon0 interface that is in monitor mode, I use mon0.

    In both cases, I get the same result: kismet and wireshark will see all the broadcast packets from the APs around me, but never any ICMP or HTTP traffic I'm creating from other clients in order to test.

    I am not associated or authenticated to any AP. I did this a few months ago at a workshop and it worked great; we saw tons of HTTP traffic flying around.

    For most of the same type of questions asked here, the problem had to do with them being associated to a network or that they were on an encrypted network and weren't entering the key properly. I cannot find any issue with the setup or the device. Any ideas? Thanks for any help.

  2. #2
    Just burned their ISO
    Join Date
    Nov 2012
    Posts
    3

    Re: Only broadcast packets seen in monitor mode

    I'm using an Alfa network AWUS036H adapter and have the exact same problem.

    I can only see 802.11 management and control packets but no actual data that I know I should see, since I'm pinging the router constantly with another computer in my network...

  3. #3
    Just burned their ISO
    Join Date
    Dec 2012
    Posts
    2

    Re: Only broadcast packets seen in monitor mode

    Yep,

    Same issue. Tested on a BT5r2 VM and on Ubuntu 12.04.

    I, too, scoured the forums looking for suggestions. There's a lot of chatter about this hardware, of course, but none of it seems related to failed packet capture after having "successfully" entered monitor mode. And all of the talk about patching the rtl8187 driver seems out-of-date. That said...if people _are_ patching their drivers (on recent BT5 or Ubuntu machines), I'd love to know about it.

    (Thanks to fortenbt, by the way, for laying out the due diligence here: yes, it's legitimate hardware; yes, it's using the right driver; yes, we're in monitor mode; etc.)

    Also, the same procedure works quite well for a different (Ubiquiti SR71 ExpressCard with an Atheros AR9280 chipset via ath9k) wifi adapter. I was hoping to cut down on dropped packets with a "better supported" card, but...it's not working out that way.

    -poser

  4. #4
    Just burned their ISO
    Join Date
    Dec 2012
    Posts
    3

    Re: Only broadcast packets seen in monitor mode

    Has anyone managed to find a solution to this yet? I have exactly the same problem using Alfa AWUS036H with Backtrack 5 R3.

  5. #5
    Just burned their ISO
    Join Date
    Dec 2012
    Posts
    3

    Re: Only broadcast packets seen in monitor mode

    Having not found a solution to this problem, I tried my internal Atheros AR9485 card and it works perfectly without installing any drivers, and it supports injection as well.

    Obviously I am not doing anything wrong, as that one works fine, so could it be an issue with some AWUS036H adapters, as quite a few people have this problem?
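
To quantify the symptom reported in this thread, the following added example (not code from any poster) reads a classic pcap captured with radiotap headers and counts frames by 802.11 type and by whether the receiver address is group or individual. The sample capture, the MAC addresses and all function names are constructed for illustration.

```python
import struct
from collections import Counter

LINKTYPE_RADIOTAP = 127          # pcap link type: radiotap header + 802.11 frame
TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}

def classify(pkt):
    """Return (frame type, 'group' or 'individual' receiver) for one radiotap packet."""
    rt_len = struct.unpack_from("<H", pkt, 2)[0] if len(pkt) >= 4 else len(pkt)
    dot11 = pkt[rt_len:]                   # 802.11 header starts after radiotap
    if len(dot11) < 10:                    # frame control + duration + addr1
        return ("truncated", "unknown")
    ftype = TYPES[(dot11[0] >> 2) & 0x3]   # type = bits 2-3 of frame control
    return (ftype, "group" if dot11[4] & 0x01 else "individual")

def tally_pcap(data):
    """Count frames by (type, addressing) in a little-endian classic pcap."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_RADIOTAP:
        raise ValueError("expected little-endian pcap with radiotap link type")
    counts, off = Counter(), 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<I", data, off + 8)[0]
        counts[classify(data[off + 16:off + 16 + incl_len])] += 1
        off += 16 + incl_len
    return counts

def unicast_data_missing(counts):
    """True when no individually addressed data frame was captured."""
    return counts[("data", "individual")] == 0

# --- constructed sample capture (not real traffic) ---
RT = bytes([0, 0, 8, 0, 0, 0, 0, 0])       # minimal 8-byte radiotap header
BCAST, STA, AP = b"\xff" * 6, bytes.fromhex("021122334455"), bytes.fromhex("02aabbccddee")
def frame(fc0, addr1, rest=b""):
    return RT + bytes([fc0, 0, 0, 0]) + addr1 + rest

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RADIOTAP)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

SAMPLE = [frame(0x80, BCAST, AP + AP + b"\0\0"),   # beacon (management)
          frame(0x08, BCAST, AP + STA + b"\0\0"),  # broadcast data, e.g. ARP
          frame(0xD4, STA)]                        # ACK (control)

if __name__ == "__main__":
    print(dict(tally_pcap(build_pcap(SAMPLE))))
```

The classification uses addr1, the receiver address of each hop, so a broadcast that a client sends up to the AP counts as individually addressed until the AP retransmits it.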
