rupesh gautam wrote:
I have captured data in promiscuous mode ( airnonet card with fedora )
but i am unable to recognize packets between wired ethernet and
wireless(because ethreal captures data from both wired and wireless in
promiscuous mode)....
The only way Ethereal - or any *other* libpcap-based application - will
capture data from a wired Ethernet is if
1) you told it to capture on a wired Ethernet adapter, e.g. eth0 on Linux;
2) this is on Linux (which, on this case, it is) and you're capturing
on the "any" device;
3) there's a bug in your OS and if you capture on one interface with
libpcap it also supplies packets from other OSes.
how can we recognize that??? in my data ethereal shows only Ethernet II
type........
If your capture shows "Ethernet II" rather than "Linux cooked" or
whatever I called it, you're not capturing on the "any" device, so that
leaves 1) or 3).
3) is, I suspect, unlikely, so if you're seeing packets that you know
are being captured from the wired Ethernet adapter, it's almost
certainly because you told Ethereal to capture on that adapter.
However, if you did that, you won't see packets from the Aironet adapter
unless you told it to capture on that (for the same 3 reasons that apply
to traffic from a wired adapter).
So why do you think it's capturing data from a wired Ethernet? Is that
because the wired Ethernet packets are being bridged to the wireless
network by an access point that's also plugged into a wired Ethernet?
If so, then there really isn't any difference between those packets and
packets that were sent on the wireless network by a host on that network
rather than an access point, other than the source MAC address - they're
both transmitted on the wireless network as 802.11 packets, without any
special "this is bridged" flag (as far as I know, at least).
If you want to distinguish between packets sent by hosts on the wireless
network and packets bridged onto the wireless network by an access
point, you might be able to do it by enabling address resolution for MAC
addresses (if it's not enabled already) and guessing based on the
manufacturer name.
what is this Ethernet II type...is it 802.3 or 802.11.............
Not 802.11. As I said in my earlier mail, the adapter, or the driver -
probably the adapter (as configured by the driver) - is replacing the
802.11 header with an Ethernet header. I suspect it's possible to
configure the adapter to supply 802.11 headers regardless of whether the
adapter is in monitor mode or not (it's been a while since I looked at
the FreeBSD Aironet driver, but I think that's possible), but the Linux
driver might not support that.
The term "Ethernet II" often refers to Ethernet frames in which the
16-bit type/length field contains a packet type, and the term "802.3"
often refers to Ethernet frames in which it contains a packet length,
even though the IEEE 802.3 standard supports both.
