Wireshark-users: [Wireshark-users] Can't capture PAP packets (even in monitor!)
From: Kenin Tuökko <fmt9@xxxxxxxxx>
Date: Tue, 5 Feb 2008 22:55:30 +0200

I'm testing a kind of insecure wireless ISP. It uses PAP as its authentication protocol (PPPoE is used) and doesn't use any MAC filter, allowing any intruder to gain access to their network. I'm trying to convince them to use a stronger form of authentication, such as some EAP. This provider was already hacked some months ago; after that they started using DHCP and PPPoE. So, I'm trying to capture the PAP packets to show these lazy administrators how easy it is to sniff passwords in environments like mine.

But, even in monitor mode, I cannot capture PAP Authenticate-Request packets other than those sent by my machine. I can capture some PAP Authenticate-Ack and even PPPoE Active Discovery Initiation packets, but no PAP requests or Naks. All other protocols are captured OK.

If I do not use monitor mode and set Wireshark to promiscuous mode, the same thing occurs, except that I can't capture HTTP packets either! Only those sent by my own machine. Again, all other protocols (except PAP requests and Naks) are captured with no trouble.

This is a city of 30,000 inhabitants, served by only 3 providers (including this one), all wireless. There are clients logging in and out all the time, so there is no reason for my inability to capture PAP requests coming from the clients. I'm SURE this provider uses PAP and does not accept CHAP or EAP, so I'm really puzzled by this problem.

I'm using:

Linux 2.6.23.13 (Slackware 10.0)
Wireshark 0.99.7
Libpcap 0.9.8
Wireless card Texas Instruments ACX100 (driver version 20080112)

I've already tested all SSIDs and all channels used by this ISP. I can do nothing more, since I have only one machine for my tests. Any suggestions?


--------------------
Kenin Tuökko
Pen-tester
Estonia