if i run a Wi-Fi capture it drops if i login to a SSID

answered 2017-12-05 14:47:08 +0000

sindy
6209 ●5 ●66 ●55

If you want to capture air traffic in monitoring mode, i.e. including the unicast traffic unrelated to the machine on which you capture, not all wireless adapters permit to do that while associated to a particular SSID. If it is enough for you to capture your own traffic, do not activate monitoring mode and you'll be good. If you need both (capture everything and stay connected), your only chance may be to use a second wireless adaptor.

edit flag offensive delete link

Comments

Your edit of the Question should have rather been a Comment to my Answer, so if you can re-post it as such, the clarity for anyone reading this later would be better - I can then delete this comment and re-post its topic-related part for the same reason of clarity.

To the topic - yes and no. Yes because the expected result for monitoring and promiscuous mode is the same, to make the interface let through to the capturing API also frames not intended for itself. No because the necessary configuration instructions to be sent to the driver are different, hence two different names. You can set a wireless driver/adaptor to promiscuous mode but it will not change anything as the lower layers won't receive the frames anyway; to change this, you need the monitoring mode.

As for the list of supported adaptors, I'm afraid no one tracks one ...(more)

sindy ( 2017-12-05 15:54:16 +0000 )edit

I saw your answer:

Thanks. By monitoring mode, I assume you mean promiscuous. My adapter properties is:

Manufacturer: Intel Corporation Description: Intel(R) Dual Band Wireless-AC 8260 Driver Version: 19.50.0.11

Is there a list of support adapters?

cquisenb ( 2017-12-05 16:37:43 +0000 )edit

By monitoring mode, I assume you mean promiscuous.

Yes and no. Yes because the expected result for monitoring and promiscuous mode is the same, to make the interface let through to the capturing API also frames not intended for itself. No because the necessary configuration instructions to be sent to the driver are different, hence two different names. You can set a wireless driver/adaptor to promiscuous mode but it will not change anything as the lower layers won't receive the frames anyway; to change this, you need the monitoring mode.

Is there a list of supported adapters?

I'm afraid no one systematically tracks that. What matters is even a combination of hardware and driver version, and while some (hw, driver) versions do support monitoring mode while associated, some do not and some do not even support monitoring mode as such.

More than that, the world of wireless ...(more)

sindy ( 2017-12-05 19:02:49 +0000 )edit

not all wireless adapters permit to do that while associated to a particular SSID

According to Microsoft's documentation on Network Monitor mode, "While in NetMon mode, the miniport driver can only receive packets based on the current packet filter settings. The driver cannot send packets either on its own or through a call to its MiniportSendNetBufferLists function.", which pretty much means "you can be in monitor mode or you can be associated with a Wi-Fi network, but you can't do both". I.e., it may be a Windows requirement that the driver not allow you to capture in monitor mode while associated with a network, regardless of whether the adapter supports it.

(This is not a limitation imposed by other operating systems. My Mac, running macOS, has no problem doing it.)

Guy Harris ( 2017-12-05 23:14:20 +0000 )edit

add a comment

if i run a Wi-Fi capture it drops if i login to a SSID

1 Answer

Comments

Your Answer

Question Tools

Stats

if i run a Wi-Fi capture it drops if i login to a SSID edit

1 Answer

Comments

Your Answer

Question Tools

Stats

if i run a Wi-Fi capture it drops if i login to a SSID