Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

Sniffing (forwarded) wifi packets using promiscuous mode

I have 3 network participants:

  • An open (no WEP, no WPA, no Encryption ) wireless access point (AP) at 10.0.0.1
  • Client A at 10.0.0.2, sniffing with promiscuous mode turned on
  • Client B at 10.0.0.3

All hosts are running Linux.

Suppose A sends an ICMP echo request to B. I would expect to receive 4 packets (ignoring the wireless Dot11 acks, etc...):

  • ICMP echo request from A -> AP
  • ICMP echo request from AP -> B
  • reply from B -> AP
  • reply from AP -> A

But all I get is a request from A -> B and a reply from B -> A. I cannot seem to capture the intermediate (forwarded) packets.

Further testing showed that while in promiscuous mode client A does not seem to capture any unicast packets that do not originate or end at A. Putting A's interface into monitor mode shows all expected packets as well as a lot of unneeded others, at the cost of being able to actually send any data.

While one obvious solution might be to use a second wireless adapter on A dedicated to monitoring, I do not currently have access to one. From everything i have read so far promiscuous mode "should" work, capturing all packets associated with AP's network. Are the Packets somehow pre-filtered by the interface adapter or the kernel? And if yes, can this be circumvented?