After setting up promiscuous mode on my WLAN card, I started capturing packets with Wireshark. But only broadcast packets or packets destined for my localhost were captured. I cannot find the reason why.
Also, after changing to monitor mode, the captured packets all had 802.11 headers, unlike promiscuous mode, where Ethernet frames were captured. I know devices communicate with 802.11 protocols when wireless. But how is it possible that packets captured in Wireshark are displayed as Ethernet frames (when not in monitor mode)?
Wireshark/tcpdump in Ubuntu was capturing all 802.11 Wi-Fi packets (beacon, probe request, probe response, association request/response and data packets). Now only beacon and probe response packets are being captured. Please help: what is the problem with capturing the other packets?
I am trying to send the Wi-Fi Direct probe packets using raw sockets so that mobile devices will show them in the Wi-Fi Direct device list.
I am trying to capture packets first in Wireshark in monitor mode in order to understand the packet structure and compare with the P2P probe request packet mentioned in the Wi-Fi Direct specification.
But I am not able to capture the correct probe packet in Wireshark. Can anyone suggest what I am missing in my approach?
I wasn't able to capture packets with the filter wlan.addr == XX:XX:XX:XX:XX:XX (actual Wi-Fi MAC address), as the Wi-Fi Direct MAC address is different: the first byte was different. For example, if your Wi-Fi MAC is 00:04:CB:CX:DE:E7 then the Wi-Fi Direct address is 02:04:CB:CX:DE:E7.
Also, I am able to show the device listed when I send a probe response packet to the device.
I want to analyze network traffic, but not by connecting to it. Just switch on Wi-Fi and sniff the packets (IEEE 802.11 frames) in promiscuous mode.
I have tried libpcap, but it may be internally changing the datalink type, as I am giving the Wi-Fi interface in
descr=pcap_open_live("en1", MAXBYTES2CAPTURE, 1, 512, errbuf);
(as we know, Mac OS X has en1 as the Wi-Fi interface)
Now when I do this
printf("%s", pcap_datalink_val_to_name( pcap_datalink(descr)));
it gives me the result "ethernet".
I have tried to capture packets using Wireshark without connecting to my Wi-Fi network and it worked!!
I was able to capture Beacon, Acknowledgement and Authentication frames without connecting to my Wi-Fi network.
Now:
Do I have to write a network card driver for that, or can libpcap do that? If yes, how?
Is Wireshark making some kind of driver for that? If yes, please help me locate that in its source code.
I have tried Apple's CFNetwork, but it too can't capture without connecting to the network.
It will be very helpful if I get some suggestion on some user-space code, as kernel-level coding is a little tough :(
I am coding on Mac OS 10.7 in Xcode 4.5.1
Update:
I am already doing this:
descr=pcap_create("e1", errbuf);
pcap_set_rfmon(descr, 0);
pcap_set_promisc(descr, 0);
pcap_activate(descr);
descr=pcap_open_live("en1", 2048, 1, 512, errbuf);
And yes, there is a little monitor icon at the Wi-Fi and I can sniff the packets, but only when I connect to the network. I want to do the same when I am not connected to Wi-Fi, like capturing Beacon and Acknowledgment frames, meaning the packets through which our network card detects available Wi-Fi networks.
If you're running on Snow Leopard or later (which you are, as you're running Lion), you should use the new pcap_create()/pcap_activate() APIs, and turn on monitor mode by calling pcap_set_rfmon() between the pcap_create() and pcap_activate() calls.
That's what Wireshark 1.6.0 and later do if you check the monitor mode checkbox, and what tcpdump 1.0.0 and later, and TShark and dumpcap in Wireshark 1.6.0 and later, do if you specify the -I command-line flag.
By default, Wi-Fi interfaces on many OSes, including but not limited to OS X, supply Ethernet headers, not 802.11 headers, which is why pcap_datalink_val_to_name(pcap_datalink(descr)) is reporting Ethernet headers. On Linux and OS X, you have to go into monitor mode to get 802.11 headers; on *BSD, you can get 802.11 headers without going into monitor mode.
You do not need your own driver to go into monitor mode on OS X; Wireshark does not supply its own drivers.
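The create/set_rfmon/activate sequence from the answer above, as an added C example that is not code from the poster, from libpcap or from Wireshark: it opens "en1" (the OS X Wi-Fi name assumed from the question) in monitor mode and then checks whether pcap_datalink() now reports 802.11 rather than Ethernet. The dot11_is_beacon helper and the literal DLT numbers are assumptions of this example, kept buildable without the libpcap headers so the frame check can be exercised offline.

```c
#include <stdio.h>
#include <stdint.h>
#ifdef __has_include               /* frame helpers still build without libpcap headers */
#if __has_include(<pcap.h>)
#include <pcap.h>
#define HAVE_PCAP 1
#endif
#endif

/* pcap_datalink() values from pcap/dlt.h: 1 = DLT_EN10MB (a Wi-Fi interface outside
 * monitor mode), 105 = DLT_IEEE802_11, 127 = DLT_IEEE802_11_RADIO (radiotap + 802.11). */
int dlt_is_dot11(int dlt) { return dlt == 105 || dlt == 127; }

/* Assumed helper: classify a raw 802.11 frame from its Frame Control byte.
 * Bits 2-3 hold the type (0 = management), bits 4-7 the subtype (8 = beacon).
 * Returns 1 for a beacon, 0 for any other frame, -1 if the frame is too short. */
int dot11_is_beacon(const uint8_t *frame, size_t len) {
    if (len < 24) return -1;                   /* minimum management header */
    int type = (frame[0] >> 2) & 0x03;
    int subtype = (frame[0] >> 4) & 0x0f;
    return (type == 0 && subtype == 8) ? 1 : 0;
}

#ifdef HAVE_PCAP
/* The answer's sequence: pcap_create, pcap_set_rfmon(1) BEFORE pcap_activate.
 * Returns the negotiated link type, or -1 on failure. */
int open_monitor(const char *dev, pcap_t **out) {
    char errbuf[PCAP_ERRBUF_SIZE];
    pcap_t *p = pcap_create(dev, errbuf);
    if (!p) { fprintf(stderr, "pcap_create: %s\n", errbuf); return -1; }
    if (pcap_can_set_rfmon(p) != 1 || pcap_set_rfmon(p, 1) != 0) {
        fprintf(stderr, "%s: monitor mode not available\n", dev);
        pcap_close(p); return -1;
    }
    pcap_set_snaplen(p, 2048);
    pcap_set_promisc(p, 1);
    pcap_set_timeout(p, 512);
    if (pcap_activate(p) < 0) {                /* usually needs root */
        fprintf(stderr, "pcap_activate: %s\n", pcap_geterr(p));
        pcap_close(p); return -1;
    }
    *out = p;
    return pcap_datalink(p);
}

int main(void) {                               /* "en1": assumed OS X Wi-Fi name */
    pcap_t *p; int dlt = open_monitor("en1", &p);
    if (dlt < 0) return 1;
    printf("link type %s: %s\n", pcap_datalink_val_to_name(dlt),
           dlt_is_dot11(dlt) ? "802.11 headers (monitor mode on)" : "not 802.11");
    pcap_close(p); return 0;
}
#endif
```

Build with -lpcap and run as root; opening the same interface with pcap_open_live() instead reports link type 1 (EN10MB), which is the Ethernet result the question observed.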
I want to sniff Wi-Fi packets with Wireshark, but monitor mode seems to fail. I'm using BackTrack 5 and an Alfa AWUS036H Wi-Fi USB card; I try to sniff my own box without encryption.
Here is what I'm doing to activate monitor mode:
root#root:~# airmon-ng start wlan0
which seems to be working:
root#root:~# iwconfig mon0
mon0 IEEE 802.11bg Mode:Monitor Tx-Power=20 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Power Management:on
However, when I start capturing on mon0 in Wireshark, I'm only getting broadcast packets.
In capture options the "capture packets in monitor mode" option is grayed out.
I do not understand what's going on. Any ideas?
What channel number is your mon0 interface set to?