On Tue, Aug 13, 2002 at 07:52:57PM -0700, Dale Cabell wrote:
> My question is how is net stumbler doing this?

Doing what?

Does it actually *display* raw 802.11 traffic, or otherwise indicate
that it's actually reading raw 802.11 traffic, or does it just display
information that could be obtained either by

    1) getting information from the driver using standard
       interfaces, on some versions of Windows

or

    2) directly poking the card, on Windows OT (95, 98, Me)?

If it just does that, then:

    on Windows NT (NT 5.0 and 5.1, at least, i.e. Windows 2000 and
    Windows XP, if not NT 4.0 or earlier) it may just be fetching
    that information using standard NDIS mechanisms (it appears
    that 802.11 driver support for the OIDs OID_802_11_BSSID_LIST,
    to get a list of BSSIDs and attributes, and
    OID_802_11_BSSID_LIST_SCAN, to get the driver to scan for
    BSSIDs, are "mandatory" for Windows XP and "Recommended" for
    Windows 2000, Windows NT 4.0, and Windows 9x)

    on Windows OT, it might be using that mechanism if the
    recommendations were followed for the driver, and directly
    poking the card otherwise (which is tantamount to providing your
    own driver).
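Added example (not part of this message, and not NetStumbler's code): what a user-mode program actually gets back from OID_802_11_BSSID_LIST is a list of per-BSSID attribute records, not frames, so the whole job on the NDIS path is decoding that buffer. The parser below walks such a buffer and rejects entries whose Length or SsidLength runs past what the driver handed over. The record layout (NDIS_WLAN_BSSID inside NDIS_802_11_BSSID_LIST, 104 bytes per entry) is my reading of ntddndis.h and is an assumption here; the sample buffer is constructed, and the DeviceIoControl call that would issue the OID on Windows is not shown.

```python
import struct
from dataclasses import dataclass

# Assumed layout of NDIS_WLAN_BSSID (my reading of ntddndis.h, little-endian,
# no padding; an assumption of this example, not something the message states):
#   ULONG Length                      4  total size of this entry, stride to next
#   UCHAR MacAddress[6]               6  the BSSID
#   UCHAR Reserved[2]                 2
#   NDIS_802_11_SSID Ssid            36  ULONG SsidLength + UCHAR Ssid[32]
#   ULONG Privacy                     4  non-zero means WEP required
#   LONG  Rssi                        4  dBm
#   ULONG NetworkTypeInUse            4  0 = FH, 1 = DS
#   NDIS_802_11_CONFIGURATION        32  Length, BeaconPeriod, ATIMWindow,
#                                        DSConfig (kHz), FH{Length,HopPattern,HopSet,DwellTime}
#   ULONG InfrastructureMode          4  0 = IBSS, 1 = infrastructure
#   UCHAR SupportedRates[8]           8
HEAD = struct.Struct("<I6s2sI32sIiI")   # Length .. NetworkTypeInUse (60 bytes)
CONF = struct.Struct("<IIIIIIII")       # NDIS_802_11_CONFIGURATION (32 bytes)
TAIL = struct.Struct("<I8s")            # InfrastructureMode, SupportedRates (12 bytes)
MIN_ENTRY = HEAD.size + CONF.size + TAIL.size   # 104
MAX_SSID = 32


@dataclass
class Bss:
    bssid: str
    ssid: bytes
    privacy: bool
    rssi_dbm: int
    freq_khz: int


def parse_bssid_list(buf: bytes) -> list[Bss]:
    """Walk an NDIS_802_11_BSSID_LIST buffer without trusting the driver's counts."""
    if len(buf) < 4:
        raise ValueError("buffer too short for NumberOfItems")
    (count,) = struct.unpack_from("<I", buf, 0)
    off = 4
    out = []
    for _ in range(count):
        if off + 4 > len(buf):
            raise ValueError("list truncated before entry %d" % len(out))
        (length,) = struct.unpack_from("<I", buf, off)
        # A buggy driver can report a Length shorter than the fixed fields or
        # one that runs past the buffer; either would make the walk misread memory.
        if length < MIN_ENTRY or off + length > len(buf):
            raise ValueError("entry %d has bad Length %d" % (len(out), length))
        (_, mac, _, ssid_len, ssid_raw, privacy, rssi, _) = HEAD.unpack_from(buf, off)
        if ssid_len > MAX_SSID:
            raise ValueError("entry %d has SsidLength %d > 32" % (len(out), ssid_len))
        conf = CONF.unpack_from(buf, off + HEAD.size)
        out.append(Bss(
            bssid=":".join("%02x" % b for b in mac),
            ssid=ssid_raw[:ssid_len],
            privacy=privacy != 0,
            rssi_dbm=rssi,
            freq_khz=conf[3],   # DSConfig
        ))
        off += length           # Length is the stride to the next entry
    return out


def make_entry(mac: bytes, ssid: bytes, privacy: int, rssi: int, freq_khz: int) -> bytes:
    """Build one NDIS_WLAN_BSSID the way a driver would; constructed test data only."""
    head = HEAD.pack(MIN_ENTRY, mac, b"\0\0", len(ssid), ssid.ljust(MAX_SSID, b"\0"),
                     privacy, rssi, 1)                       # 1 = Ndis802_11DS
    conf = CONF.pack(CONF.size, 100, 0, freq_khz, 16, 0, 0, 0)
    tail = TAIL.pack(1, bytes([0x82, 0x84, 0x8B, 0x96, 0, 0, 0, 0]))  # 1 = infrastructure
    return head + conf + tail


# Constructed sample: two entries, as a query of OID_802_11_BSSID_LIST might return.
SAMPLE = struct.pack("<I", 2) + \
    make_entry(bytes.fromhex("00025d112233"), b"lab-ap", 1, -61, 2412000) + \
    make_entry(bytes.fromhex("00601dc0ffee"), b"open", 0, -80, 2437000)


def scan_report(buf: bytes = SAMPLE) -> list[str]:
    """One line per BSS, in the style of a stumbler's table."""
    return ["%s %-8s %s %4d dBm %d kHz" % (
                b.bssid, b.ssid.decode("ascii", "replace"),
                "WEP " if b.privacy else "open", b.rssi_dbm, b.freq_khz)
            for b in parse_bssid_list(buf)]


if __name__ == "__main__":
    for line in scan_report():
        print(line)
```

Note what is and is not in the record: BSSID, SSID, privacy flag, RSSI and channel, i.e. exactly the fields a stumbler displays, and nothing that would require the card to be in monitor mode.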
The "IEEE 802.11 Network Adapter Design Guidelines for Windows XP":

    http://www.microsoft.com/hwdev/tech/network/802x/80211_netadapt.asp

doesn't seem to show anything about putting cards into monitor mode,
however, so just because NetStumbler can dig some information out of the
card using standard interfaces, that doesn't mean those interfaces can
be used to get raw 802.11 packets from the card into a program.

In fact, the README.html file that comes with NetStumbler says:

    Q3. What 802.11 frames does Network Stumbler send?

    A3. It sends out a broadcast probe about once a second, and
    reports the responses. When it is connected to a BSS
    network, it will attempt to get the name of the access point.
    When it is connected to an IBSS network, it will try to get
    the names of all locally visible peers.

    Q4. Does Network Stumbler listen for beacons?

    A4. Not this version.

    Q5. Does Network Stumbler put my card into promiscuous mode?

    A5. Not this version.

so it could well just ask the card to send out those frames and report
back what it sees, but not put the card into a mode where it can see the
raw frames.

Or, as they speak of supporting specific chipsets, maybe it pokes the
card directly (although I'm not sure how easy it'd be to do that on NT),
or maybe it uses some non-standard interface that the OrInOcO driver
supports and that's either documented or was reverse-engineered that
does that. (Later versions of the OrInOcO firmware appear not to let
you go into Monitor Mode - or, at least, nobody from Linuxland has
figured out how to do it, and neither have the folks at WildPackets, as
they say their special driver, for their AiroPeek sniffer, for OrInOcO
cards doesn't work with 7.x or 8.x firmware.)