Ask Your Question
0

WLAN setup only seeing local & broadcast traffic in promiscuous mode

asked 2020-02-27 15:21:42 +0000

Evan gravatar image

I'm running Wireshark on my wpa2 wifi network on windows. I'm using an alfa that IS capable of promiscuous and monitor mode. When capturing, I only see local traffic (to and from my PC) and broadcast traffic (Destination ip: 255.255.255.255, as well as arp requests, DHCP, multicast packets). I am in promiscuous mode, but still nothing. Why isn't this working? I have tried setting up decryption, but that didn't work either. I've tried multiple network adapter, all 802.11 channels, and even monitor mode (which automatically unchecks itself). Any ideas are greatly appreciated.

edit retag flag offensive close merge delete

Comments

I'm using an alfa that IS capable of promiscuous and monitor mode.

Presumably some documentation says it's capable of promiscuous mode. What does the documentation say promiscuous mode (promiscuous mode, not monitor mode) means for that adapter?

Guy Harris gravatar imageGuy Harris ( 2020-02-27 18:26:21 +0000 )edit

It's advertised as an adapter for promiscuous, monitor (rfmon), and packet injection. It is the highest recommended card I could find, and reviews are all great. It is an Alfa Awus036nha if you want to see if you can find any additional info. Thanks

Evan gravatar imageEvan ( 2020-02-27 19:09:26 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-02-27 23:11:59 +0000

Guy Harris gravatar image

Alfa's page for the AWUS036NHA says the chipset is the Atheros AR9271. The AR 9271 data sheet has a PROMISCUOUS bit in the receive filter register, described as "Promiscuous receive enable; Enable reception of all frames, including errors", which sounds like monitor mode.

And, in fact, the Linux ath9k driver turns that bit on for monitor mode.

On Windows, however, it's not clear whether "promiscuous" mode, as opposed to monitor mode, is supported on 802.11 adapters. To quote the page for the OID_GEN_CURRENT_PACKET_FILTER OID:

Note When the miniport driver is in Native 802.11 modes other than NetMon, and OID_GEN_CURRENT_PACKET_FILTER is set, the driver must not fail the set request if any promiscuous or raw filter settings are enabled in the OID data.

However, Guidelines for 802.11 Promiscuous Receive Operations says:

Note It is only valid for the miniport driver to enable the NDIS_PACKET_TYPE_PROMISCUOUS, NDIS_PACKET_TYPE_802_11_PROMISCUOUS_MGMT, or NDIS_PACKET_TYPE_802_11_PROMISCUOUS_CTRL packet filters if the driver is operating in Network Monitor (NetMon) or Extensible Access Point (AP) modes.

So they're saying both "the driver must allow NDIS_PACKET_TYPE_PROMISCUOUS to be set in modes other than NetMon mode" and "NDIS_PACKET_TYPE_PROMISCUOUS is only valid in NetMon and AP modes". I have some vague memory that the first of those used to say "must fail the request" rather than "must not fail the request", which would be more consistent with the second of those.

So it may be that promiscuous mode, in the NDIS_PACKET_TYPE_PROMISCUOUS sense, doesn't work on 802.11 adapters unless you're in monitor mode. That's the mode that's used by WinPcap and Npcap if a caller turns on "promiscuous mode" (it's the correct mode to use for Ethernet adapters), so turning on "promiscuous mode" in sniffers using libpcap/WinPcap/Npcap, such as Wireshark, may not work for 802.11 adapters.

Now why monitor mode isn't working is another matter. WinPcap doesn't support monitor mode; if you have WinPcap installed, un-install it, and install Npcap. This wiki page says it may or may not work, depending on the Windows version and the driver. (I think there's an error with the "Firmware/Driver version" and "Windows version" columns, where some of the items have the values swapped - including the Alfa item.)

edit flag offensive delete link more

Comments

First off, thank you for your answer. I guess you can't sniff wirelessly on windows. After some research, I finally found an answer. Sort of. Running Wireshark with admin privileges lets me turn on monitor mode. The problem now is, when I go start the capture, I get no packets. So, doing what Wireshark says, I went to turn off promiscuous mode, and then I get a blue screen of death. Every time. "What failed: athurx.sys" which is for the Alfa card. I guess it's just not compatible on windows.

Evan gravatar imageEvan ( 2020-02-27 23:24:15 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2020-02-27 15:21:42 +0000

Seen: 1,894 times

Last updated: Feb 27 '20