Ask Your Question
0

wireshark enabled "promisc" mode but ifconfig displays not

asked 2020-06-03 18:17:16 +0000

I am trying to watch the data transfer between two stations connected to a wifi router.

My Ubuntu is also connected to the same router, using the same wifi ESSID.

Wireshark is configured "enable promiscous mode on all interfaces" in "capture options".

I see some traffic to/from my machine and not the remote traffic I want.

I use "ifconfig" command while WireShark is running, and do NOT see "PROMISC" flag :

wlx8416f90e4d75: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

Is it an indication that the network card does not accept "promiscous" mode ?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
1

answered 2020-06-03 18:37:48 +0000

Guy Harris gravatar image

There's promiscuous mode and there's promiscuous mode.

Originally, the only way to enable promiscuous mode on Linux was to turn on the IFF_PROMISC flag on the interface; that flag showed up in the output of command such as ifconfig.

In the 2.2 kernel (i.e., a long time ago), a second mechanism was added; that mechanism does not set the IFF_PROMISC flag, so the interface being in promiscuous mode does not show up in the output of ifconfig, and it does not require promiscuous mode to be turned off manually - closing the last descriptor on which promiscuous mode was requested suffices.

libpcap uses the second mechanism if it's available; tcpdump and Wireshark both use libpcap to do packet capturing, so they'll use the second mechanism on any Linux system with a 2.2 or later kernel. Therefore, neither tcpdump nor Wireshark will, when capturing in promiscuous mode, cause ifconfig to show "PROMISC".

However:

edit flag offensive delete link more

Comments

Thanks, mr Harris - your answer is very clear - some details o'mine : 1) ok, I can be in PROMISC mode, even I dont see it in IFCONFIG 2) I am not in a switched eth - it is wifi 3) I am trying to use "monitor mode", under this description

http://www.aircrack-ng.org/doku.php?i... ... with not too much success : a) I see a lot more traffic, but not the traffic from Alexa to TP-Link "smart Switch" (thru AWS I think) Yes, this wifi uses encryption, so I shall read your last link very carefully Thanks a lot.

Sebastianet gravatar imageSebastianet ( 2020-06-04 19:46:05 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-06-03 18:17:16 +0000

Seen: 49 times

Last updated: Jun 03