Wireless Security
Why do I see only downstream traffic? Aug 12 2009 09:53PM
Maria Valen (maria valen006 gmail com) (2 replies)
Re: Why do I see only downstream traffic? Aug 12 2009 11:09PM
Mike Kershaw (dragorn kismetwireless net)
On Wed, Aug 12, 2009 at 09:53:47PM +0000, Maria Valen wrote:
> Hi
>
> I am trying to sniff traffic in a wireless network using wireshark.
> Without going into promiscuous mode I can see my neighbour downstream
> traffic i.e. traffic from AP to the end users. Same case even if I use
> promiscuous mode. I dont see any upstream traffic?
>
>
> Can somebody please explain this? How do I sniff upstream traffic (
> from end-user to the AP) ?
>

Promisc mode on wifi is, at best, "undefined" and, typically,
"worthless".

Promisc implies turning off the mac filter and reporting all packets
from the wire. On wireless this doesn't mean much - most drivers will
do nothing, wpa networks use per-user crypto which means your driver
can't possibly do anything intelligent, and you can, at best, only get
data frames that pass your cards filter - which should be only data
packets from the network you're associated with.

That you have drivers in whatever OS that report some sort of peripheral
traffic in promisc mode is an oddity, and isn't really any behavior you
can do anything do. Maybe they connected a stub to try to turn off the
filter in the radio and you're getting whatever it decided to do with
the data packets that it sees. You shouldn't be seeing traffic from
non-associated networks, i'd go so far as to say your driver has bugs in
it.

If you want to actually sniff 802.11 you need an OS and drivers which
support monitor mode, which takes the card out of the role of "being on
a network" and reports raw 802.11 frames. OSX can do this with airport
devices, linux can do it with almost any device, and windows can't do it
with anything, without a) buying special hardware (CACE airpcap) or b)
buying commercial sniffer software ($1-$5k). If you want to sniff w/out
spending money, look into a linux livecd like backtrack.

-m

--
Mike Kershaw/Dragorn <dragorn (at) kismetwireless (dot) net [email concealed]>
GPG Fingerprint: 3546 89DF 3C9D ED80 3381 A661 D7B2 8822 738B BDB1

Experts in ancient Greek culture say that people back then didn't see their
thoughts as belonging to them. When they had a thought, it occurred to them
as a god or goddess giving them an order. Apollo was telling them to be
brave. Athena was telling them to fall in love.

Now people hear a commercial for sour cream potato chips and rush out to buy.
-- Chuck Palahniuk
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)

iEYEARECAAYFAkqDS7QACgkQ17KIInOLvbGeEQCg3M0t80LhikeH+MUxevQ9vwh5
fTAAnibBqgn06aUDPwcgB+dgvpHEyCPd
=1TMD
-----END PGP SIGNATURE-----

[ reply ]
Re: Why do I see only downstream traffic? Aug 12 2009 10:29PM
Dusan Mulac (dmulac gmail com)


 

Privacy Statement
Copyright 2010, SecurityFocus