Confused about wifi sniffing

asked 2018-12-17 17:44:14 +0000

updated 2018-12-17 18:02:39 +0000

Guy Harris

Hi, first of all, I've read the documentation and I have some doubts about the use of monitor or promiscuous mode. I have always understood that monitor mode is for sniffing all radio signals, including unauthenticated networks (such as the airodump flow), while promiscuous mode is for grabbing all the packets on the same network. Well, I tried both of them, but neither works.

A) Monitor mode: I used the Alfa Network ant (model: aws036h) in monitor mode, setting the WPA-PSK of the target network. I see a lot of packets but they seem to be unreadable, like this:

201058  239.024383028   RealtekS_14:b5:b5 (00:e0:4c:14:b4:b3) (TA)  AsustekC_a5:af:a9 (1c:b1:2c:a5:ae:a9) (RA)  802.11  58  802.11 Block Ack, Flags=........C

B) Promiscuous mode: I only see my outgoing packets. For example, if I try to visit an HTTP website on my local machine I can see the plaintext content of packets.

I need to understand if I'm failing in the approach or if I need a particular configuration to sniff the local wifi network. Another thing: I also tried to use ettercap and sometimes, with the command:

# ettercap -T -M ARP /xx.xx.xx.xx//

I can see the packets correctly from the foreign machine/s, but other times the victim machine seems to be DoSed, as if the ARP poisoning is working badly. Why?

Thanks for now

1 Answer

answered 2018-12-17 18:07:06 +0000

Guy Harris

Your monitor mode packet is perfectly readable - it's a Block Ack packet, which is a type of control packet for 802.11. In monitor mode, you'll see lots of packet types, many of which are management and control packets, rather than data packets. You can try capturing with a capture filter of "type data", which should discard all the management and control packets.

Not all 802.11 adapters support a useful promiscuous mode; perhaps yours doesn't.


Why don't I have any EAPOL in my pcapng file?

Marcolino ( 2018-12-17 23:36:17 +0000 )

Because, while you were capturing, no devices joined the network.

If you want to see some other machine's traffic, you may have to disconnect it from the network and then reconnect it - for example, "turn off" a phone (which, for smartphones, probably just means "sleep") and turn it back on again, or clamshell and re-open a laptop (same thing).

Guy Harris ( 2018-12-18 09:32:22 +0000 )
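
An added example (not part of the original answer or comments): a Python sketch that reads the Frame Control field of raw 802.11 frames to show why a Block Ack counts as a control frame, which frames a "type data" filter would keep, and whether any unencrypted data frame carries EAPOL. The sample frames and MAC addresses are constructed, and the radiotap header is assumed to be already stripped.

```python
TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP header + EtherType 0x888E

def classify(frame: bytes) -> dict:
    """Classify one raw 802.11 frame (radiotap header already stripped)."""
    if len(frame) < 2:
        raise ValueError("frame too short for a Frame Control field")
    fc0, flags = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    info = {"type": TYPES[ftype], "subtype": subtype,
            "protected": bool(flags & 0x40), "eapol": False}
    # Handshake frames are data frames sent before encryption is in place.
    if ftype == 2 and not info["protected"]:
        hdr = 24                          # FC, duration, 3 addresses, sequence control
        if flags & 0x03 == 0x03:          # ToDS and FromDS both set: 4th address
            hdr += 6
        if subtype & 0x8:                 # QoS data subtypes carry a QoS Control field
            hdr += 2
            if flags & 0x80:              # Order bit on a QoS frame: HT Control field
                hdr += 4
        info["eapol"] = frame[hdr:hdr + 8] == LLC_SNAP_EAPOL
    return info

def summarize(frames) -> dict:
    """Count frames per 802.11 type, plus how many data frames carry EAPOL."""
    out = {"management": 0, "control": 0, "data": 0, "extension": 0, "eapol": 0}
    for f in frames:
        c = classify(f)
        out[c["type"]] += 1
        out["eapol"] += int(c["eapol"])
    return out

# --- constructed sample frames (addresses are made up, locally administered) ---
A, B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")

def hdr24(fc0: int, flags: int) -> bytes:
    return bytes([fc0, flags]) + bytes(2) + A + B + B + bytes(2)

SAMPLE = [
    bytes([0x94, 0x00]) + bytes(2) + A + B + bytes(12),   # Block Ack
    hdr24(0x80, 0x00) + bytes(12),                        # Beacon
    hdr24(0x88, 0x41) + bytes(2) + bytes(16),             # encrypted QoS data
    hdr24(0x88, 0x02) + bytes(2) + LLC_SNAP_EAPOL + bytes.fromhex("0203005f"),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(classify(f))
    print(summarize(SAMPLE))
```

A summary with a zero EAPOL count on a real capture corresponds to the situation in the comment above: no device joined the network while the capture was running.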
