On Wed, Aug 12, 2009 at 09:53:47PM +0000, Maria Valen wrote:
> Hi
> I am trying to sniff traffic in a wireless network using Wireshark.
> Without going into promiscuous mode I can see my neighbour's downstream
> traffic i.e. traffic from AP to the end users. Same case even if I use
> promiscuous mode. I don't see any upstream traffic?
> Can somebody please explain this? How do I sniff upstream traffic
> (from end-user to the AP)?

Promisc mode on wifi is, at best, "undefined" and, typically,

Promisc implies turning off the MAC filter and reporting all packets
from the wire. On wireless this doesn't mean much - most drivers will
do nothing, WPA networks use per-user crypto which means your driver
can't possibly do anything intelligent, and you can, at best, only get
data frames that pass your card's filter - which should be only data
packets from the network you're associated with.

That you have drivers in whatever OS that report some sort of peripheral
traffic in promisc mode is an oddity, and isn't really any behavior you
can do anything with. Maybe they connected a stub to try to turn off the
filter in the radio and you're getting whatever it decided to do with
the data packets that it sees. You shouldn't be seeing traffic from
non-associated networks, I'd go so far as to say your driver has bugs in

If you want to actually sniff 802.11 you need an OS and drivers which
support monitor mode, which takes the card out of the role of "being on
a network" and reports raw 802.11 frames. OSX can do this with AirPort
devices, Linux can do it with almost any device, and Windows can't do it
with anything, without a) buying special hardware (CACE AirPcap) or b)
buying commercial sniffer software ($1-$5k). If you want to sniff w/out
spending money, look into a Linux livecd like BackTrack.
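
The following is an added example, not part of the original message: it shows how the raw 802.11 frames that monitor mode reports mark upstream and downstream traffic, using the ToDS/FromDS bits of the Frame Control field. The function names, sample MAC addresses and sample frames are constructed for illustration, and the radiotap header is assumed to carry no optional fields.

```python
import struct

# Frame Control flag bits (second byte of the 802.11 header).
TO_DS, FROM_DS = 0x01, 0x02

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def classify(packet):
    """Parse one monitor-mode capture (radiotap + 802.11 header).
    Returns a dict describing direction, or None for non-data frames."""
    if len(packet) < 4:
        raise ValueError("truncated radiotap header")
    # Radiotap: version(1) pad(1) total length(2, little-endian) ...
    _ver, _pad, rt_len = struct.unpack_from("<BBH", packet, 0)
    frame = packet[rt_len:]
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:  # type: 0 = management, 1 = control, 2 = data
        return None
    a1, a2 = frame[4:10], frame[10:16]
    ds = fc1 & (TO_DS | FROM_DS)
    if ds == TO_DS:    # station -> AP: addr1 = BSSID, addr2 = sending station
        return {"direction": "upstream", "bssid": mac(a1), "station": mac(a2)}
    if ds == FROM_DS:  # AP -> station: addr1 = receiving station, addr2 = BSSID
        return {"direction": "downstream", "bssid": mac(a2), "station": mac(a1)}
    return {"direction": "other", "bssid": None, "station": None}  # IBSS or WDS

def sample(fc0, fc1, a1, a2, a3):
    """Build a constructed capture: 8-byte radiotap header + 24-byte 802.11 header."""
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)
    return radiotap + bytes([fc0, fc1]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00"

# Constructed, locally administered addresses (not from the original message).
AP = bytes.fromhex("020000000001")
STA = bytes.fromhex("020000000002")
UP = sample(0x08, TO_DS, AP, STA, AP)      # data frame, station to AP
DOWN = sample(0x08, FROM_DS, STA, AP, AP)  # data frame, AP to station
BEACON = sample(0x80, 0x00, b"\xff" * 6, AP, AP)  # management frame

if __name__ == "__main__":
    for name, pkt in (("UP", UP), ("DOWN", DOWN), ("BEACON", BEACON)):
        print(name, classify(pkt))
```

The header fields read here stay unencrypted on WPA networks; only the frame body is protected.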


