I have 3 network participants:
- An open (no WEP, no WPA, no Encryption ) wireless access point (AP) at 10.0.0.1
- Client A at 10.0.0.2, sniffing with promiscuous mode turned on
- Client B at 10.0.0.3
All hosts are running Linux.
Suppose A sends an ICMP echo request to B. I would expect to receive 4 packets (ignoring the wireless Dot11 acks, etc...):
- ICMP echo request from A -> AP
- ICMP echo request from AP -> B
- reply from B -> AP
- reply from AP -> A
But all I get is a request from A -> B and a reply from B -> A. I cannot seem to capture the intermediate (forwarded) packets.
Further testing showed that while in promiscuous mode client A does not seem to capture any unicast packets that do not originate or end at A. Putting A's interface into monitor mode shows all expected packets as well as a lot of unneeded others, at the cost of being able to actually send any data.
While one obvious solution might be to use a second wireless adapter on A dedicated to monitoring, I do not currently have access to one. From everything i have read so far promiscuous mode "should" work, capturing all packets associated with AP's network. Are the Packets somehow pre-filtered by the interface adapter or the kernel? And if yes, can this be circumvented?