After setting up promiscuous mode on my wlan card, I started capturing packets with wireshark. But only broadcast packets or packets destined to my localhost were captured. I cannot find the reason why.
Also, after changing to monitor mode, the captured packets all had 802.11 headers, unlike promiscuous mode, where Ethernet frames were captured. I know devices communicate with 802.11 protocols when wireless. But how is it possible that packets captured in Wireshark are displayed as Ethernet frames (when not in monitor mode)?
When I use Wireshark to capture traffic with my wlan card with monitor mode already set, it only displays 802.11 frames. However, if I use Wireshark with the wlan in managed mode (promiscuous mode), it certainly displays 802.3 frames.
I searched for some related information and found out that 'network bridging' allows devices to convert 802.11 wireless packets to 802.3 packets. In the case of packet capturing, pcap allows conversion.
(link: How to real time convert wireless packet(802.11) to Ethernet packet(802.3) in windows?)
So, why is 802.11 to 802.3 frame conversion impossible when using monitor mode (not associated to the wireless network)?
Below are pictures of the situation. Thank you in advance.
[Image: promiscuous mode packet capture]
[Image: monitor mode packet capture]
For one thing, not all 802.11 packets have Ethernet equivalents; only data packets do. In monitor mode, in addition to data packets, control and management packets can be captured - you're seeing those types of packets in your monitor-mode capture.
For another thing, when capturing in monitor mode on a "protected" network (WEP, WPA), data packets are encrypted (to protect them from being sniffed), and can't be converted to Ethernet packets until they're decrypted. Under some circumstances, Wireshark can decrypt them, but Wireshark doesn't do any conversion from 802.11 to 802.3 in any circumstances - when not capturing in monitor mode, the 802.11 adapter converts data packets to 802.3 packets after decrypting them, and doesn't show non-data packets to the host.
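As an added example (not code from the answer above), the following C function shows why only data frames have an Ethernet form: it parses the 802.11 Frame Control field, rejects management, control and protected (still-encrypted) frames, and rebuilds the Ethernet II header from the 802.11 address slots and the LLC/SNAP EtherType, which is the conversion a managed-mode adapter performs. The sample frames at the bottom are constructed, not captured, and the FCS is omitted.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum { WLAN_MGMT = 0, WLAN_CTRL = 1, WLAN_DATA = 2 };          /* FC type field */
enum { E_NOT_DATA = -1, E_PROTECTED = -2, E_TRUNCATED = -3, E_NO_SNAP = -4 };

int wlan_frame_type(const uint8_t *f) { return (f[0] >> 2) & 0x3; }

/* Rebuild an Ethernet II frame from an 802.11 data frame, as a managed-mode
 * adapter does. Returns the Ethernet length, or a negative E_* code. */
int wlan_to_ethernet(const uint8_t *f, size_t n, uint8_t *out, size_t outcap)
{
    static const uint8_t snap[6] = {0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00};
    if (n < 2) return E_TRUNCATED;
    if (wlan_frame_type(f) != WLAN_DATA) return E_NOT_DATA;  /* mgmt/ctrl: no 802.3 form */
    if (f[1] & 0x40) return E_PROTECTED;                     /* WEP/WPA payload still encrypted */
    int to_ds = f[1] & 0x01, from_ds = (f[1] >> 1) & 0x01, subtype = (f[0] >> 4) & 0xF;
    if (subtype & 0x04) return E_NOT_DATA;                   /* null-function frames carry no data */
    size_t hdr = 24 + ((to_ds && from_ds) ? 6 : 0) + ((subtype & 0x08) ? 2 : 0); /* addr4, QoS */
    if (n < hdr + 8) return E_TRUNCATED;
    if (memcmp(f + hdr, snap, 6) != 0) return E_NO_SNAP;
    /* DA and SA sit in different address slots depending on the ToDS/FromDS bits. */
    const uint8_t *da = to_ds ? f + 16 : f + 4;                       /* addr3 or addr1 */
    const uint8_t *sa = from_ds ? (to_ds ? f + 24 : f + 16) : f + 10; /* addr4, addr3 or addr2 */
    size_t payload = n - hdr - 8;
    if (outcap < 14 + payload) return E_TRUNCATED;
    memcpy(out, da, 6);
    memcpy(out + 6, sa, 6);
    memcpy(out + 12, f + hdr + 6, 2);       /* EtherType taken from the SNAP header */
    memcpy(out + 14, f + hdr + 8, payload);
    return (int)(14 + payload);
}

/* Constructed sample frames (not captured traffic); FCS omitted. */
static const uint8_t beacon[24]   = {0x80, 0x00};  /* management: beacon */
static const uint8_t ack[10]      = {0xD4, 0x00};  /* control: ACK */
static const uint8_t wpa_data[40] = {0x08, 0x42};  /* data, FromDS, Protected bit set */
static const uint8_t ip_data[] = {
    0x08, 0x02, 0x00, 0x00,                         /* FC: data, FromDS; duration */
    0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0x01,             /* addr1 = DA */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,             /* addr2 = BSSID */
    0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0x02,             /* addr3 = SA */
    0x00, 0x00,                                     /* sequence control */
    0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00, /* LLC/SNAP, EtherType IPv4 */
    0x45, 0x00, 0x00, 0x14                          /* start of an IPv4 header */
};
static uint8_t last_eth[256];
int convert(const uint8_t *f, size_t n) { return wlan_to_ethernet(f, n, last_eth, sizeof last_eth); }
```

Only the last sample converts (18 bytes: 14-byte Ethernet header plus the 4 payload bytes); the beacon and ACK have no Ethernet equivalent and the protected frame is refused until decrypted.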
I have installed the new Wireshark 2.2.7. The problem is that when I run a capture on my Wifi, the only packets I can see are from protocol 0x0800 and are of IPv4.
I have all protocols enabled, and I run the capture on my Wifi with no filters.
What can I do to see all of the protocols and the other packets?
I am trying to send the wifi direct probe packets using raw sockets so that mobile devices will show them in wifi direct device list.
I am trying to capture packets first in Wireshark in monitor mode in order to understand the packet structure and compare with the P2P probe request packet mentioned in Wifi Direct specification.
But I am not able to capture the correct probe packet in Wireshark. Can anyone suggest what I am missing in my approach?
I wasn't able to capture packets with the filter WLAN.addr= XX:XX:XX:XX:XX:XX (actual wifi MAC address), as the WiFi Direct MAC address is different: the first byte was different. For example, if your wifi MAC is 00:04:CB:CX:DE:E7 then the WiFi-Direct address is 02:04:CB:CX:DE:E7.
Also, I am able to show the device listed when I sent probe response packet to the device.
I want to analyze network traffic but not by connecting to it: just switch on wifi and sniff the packets (IEEE 802.11 frames) in promiscuous mode.
I have tried libpcap, but it may be internally changing the datalink type, as I am giving the wifi interface in
descr=pcap_open_live("en1", MAXBYTES2CAPTURE, 1, 512, errbuf);
(as we know, Mac OS X has en1 as the wifi interface)
Now when I do this
printf("%s", pcap_datalink_val_to_name( pcap_datalink(descr)));
it gives me the result "ethernet".
I have tried to capture packets using wireshark without connecting to my wifi network and it worked!!
I was able to capture Beacon , Acknowledgement and Authentication frames without connecting to my wifi network.
Now:
Do I have to make a network card driver for that, or can libpcap do that? If yes, how?
Is Wireshark making some kind of driver for that? If yes, please help me locate that in its source code.
I have tried Apple's CFNetwork, but it too can't capture without connecting to the network.
It will be very helpful if I get some suggestion on some user space code, as kernel level coding is a little tough :(
I am coding on Mac OS X 10.7 in Xcode 4.5.1.
Update:
I am already doing this:
descr=pcap_create("e1", errbuf);
pcap_set_rfmon(descr, 0);
pcap_set_promisc(descr, 0);
pcap_activate(descr);
descr=pcap_open_live("en1", 2048, 1, 512, errbuf);
And yes, there is a little monitor icon at the wifi and I can sniff the packets, but only when I connect to the network. I want to do the same when I am not connected to wifi, like capturing Beacon and Acknowledgment frames, meaning the packets through which our network card detects available wifi networks.
If you're running on Snow Leopard or later (which you are, as you're running Lion), you should use the new pcap_create()/pcap_activate() APIs, and turn on monitor mode by calling pcap_set_rfmon() between the pcap_create() and pcap_activate() calls.
That's what Wireshark 1.6.0 and later do if you check the monitor mode checkbox, and what tcpdump 1.0.0 and later, and TShark and dumpcap in Wireshark 1.6.0 and later, do if you specify the -I command-line flag.
By default, Wi-Fi interfaces on many OSes, including but not limited to OS X, supply Ethernet headers, not 802.11 headers, which is why pcap_datalink_val_to_name(pcap_datalink(descr)) is reporting Ethernet headers. On Linux and OS X, you have to go into monitor mode to get 802.11 headers; on *BSD, you can get 802.11 headers without going into monitor mode.
You do not need your own driver to go into monitor mode on OS X; Wireshark does not supply its own drivers.
I want to sniff wifi packets with Wireshark, but monitor mode seems to fail. I'm using BackTrack 5 and an Alfa AWUS036H wifi USB card; I try to sniff my own box without encryption.
Here is what I'm doing to activate monitor mode:
root#root:~# airmon-ng start wlan0
which seems to be working:
root#root:~# iwconfig mon0
mon0 IEEE 802.11bg Mode:Monitor Tx-Power=20 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Power Management:on
However, when I start capturing on mon0 in Wireshark I'm only getting broadcast packets.
In capture options the "capture packets in monitor mode" option is grayed out.
I do not understand what's going on. Any ideas?
What channel number is your mon0 interface set to?