Ask Your Question
0

Sniffing (forwarded) wifi packets using promiscuous mode

asked 2018-05-20 23:50:27 +0000

anonymous user

Anonymous

I have 3 network participants:

  • An open (no WEP, no WPA, no Encryption ) wireless access point (AP) at 10.0.0.1
  • Client A at 10.0.0.2, sniffing with promiscuous mode turned on
  • Client B at 10.0.0.3

All hosts are running Linux.

Suppose A sends an ICMP echo request to B. I would expect to receive 4 packets (ignoring the wireless Dot11 acks, etc...):

  • ICMP echo request from A -> AP
  • ICMP echo request from AP -> B
  • reply from B -> AP
  • reply from AP -> A

But all I get is a request from A -> B and a reply from B -> A. I cannot seem to capture the intermediate (forwarded) packets.

Further testing showed that while in promiscuous mode client A does not seem to capture any unicast packets that do not originate or end at A. Putting A's interface into monitor mode shows all expected packets as well as a lot of unneeded others, at the cost of being able to actually send any data.

While one obvious solution might be to use a second wireless adapter on A dedicated to monitoring, I do not currently have access to one. From everything i have read so far promiscuous mode "should" work, capturing all packets associated with AP's network. Are the Packets somehow pre-filtered by the interface adapter or the kernel? And if yes, can this be circumvented?

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-05-21 00:12:19 +0000

Bob Jones gravatar image

Promiscuous mode on wireless interfaces is a little different than on wired interfaces. For wireless interfaces you need monitor mode as well to pick up unicast traffic from other devices then promiscuous mode to send it up the stack to be collected. There are drivers out there on Linux that have in the past, or currently, only support monitor mode (and not promiscuous mode) so only group traffic is sent up for collection.

You already described your solution - get another adapter for traffic collection. I would be interested in what you read that indicates that your setup would be successful; it is known not to be effective. When not in monitor mode, unicast traffic for other hosts is dropped. I don't know if it is in hardware or the driver or it might vary by specific device, but it is not available for collection in any event.

Also capturing in monitoring mode and using an interface is sometimes possible, but the results are usually weird and can vary wildly. Sometimes only certain traffic is picked up, as in maybe one direction, or no control frames, or the frames have no radiotap header, etc. All sorts of unusual behavior so it is best to have a separate capture system.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2018-05-20 23:50:27 +0000

Seen: 1,122 times

Last updated: May 21 '18

Related questions

Can I capture WIFI Direct P2p packets?

Confused about wifi sniffing

Packet lost while monitoring a Wifi connection

Help to set up a "pass through bridge" sniffer

promiscuous mode windows 10 not working

no data packet except broadcast or multicast

How to detect packets only from devices connected to my wifi

Detect non-connected devices in range of WiFi (for counting purposes)

build wireshark on linux can't find Qt includes

Capture TCP traffic from other machines over WiFi