Wireshark-users: [Wireshark-users] Problems with sniffing wifi traffic
From: Jürgen Strass <jrg718@xxxxxxx>
Date: Tue, 08 Apr 2008 13:42:14 +0200
Hello, I'm entirely new to wifi traffic sniffing. I've carefully read
the FAQ, the corresponding wiki article, some mailings in the archives
and several wiki pages at http://www.aircrack-ng.org. Nevertheless,
there remain some open questions.
My wireless AP has a wired connection to a DSL router. I'm able to connect to the AP over wifi using two different client machines (laptops), one running Xubuntu Linux, the other running Windows. The network is WEP protected and the AP doesn't broadcast its SSID. I'd like to use the laptop running Linux (Zydas ZD1211b chip) to sniff the wireless traffic between the Windows laptop and the AP.
My first idea was to connect myself to the network in the usual way and then sniff on the wifi device using promiscuous mode. Wireshark successfully shows all the Ethernet packets entering and leaving my own machine, which includes broadcast packets sent to the whole network. So I'm also able to see the broadcast packets of the Windows client. I had expected that I could also see HTTP traffic from the Win client to the Internet, being forwarded by the (wired) DSL router. It doesn't work. Though I still don't fully understand why, I've read that this might have something to do with the AP and DSL router being switches. Is this true? But isn't the air like a big HUB in wifi networks? Anyhow, I've also tried to sniff without using promiscuous mode, because I read that this might cause problems with some cards. It doesn't work either.
The next idea I had was to deconnect from the network entirely and to put my card into monitor mode. As I've understood monitor mode, it should capture *all* packets "flying through the air". So I had expected this to be the solution. According to the wiki pages, I issued a "iwconfig iface mode monitor channel 11". Then I entered my WEP key into the Wireshark preferences dialog. I can see beacon packets from my own AP and from several APs in my surrounding. I'm also able to see my Windows client probing for the network and I can see TCP broadcast messages, ARP and such, successfully decrypted by Wireshark. But I still can't see any HTTP traffic from the Windows client. Again, I've tried to set and unset promiscuous mode on the card, using "ifconfig iface [-]promisc".
Somewhere in the FAQ and archives I read that some drivers filter all traffic that isn't directed to them, even when put into promiscuous mode. Does anybody know if this is the case for the ZD1211b? The only problems known to me with the ZyDAS chip are that it isn't capable of injecting packets. On the aircrack-ng page, none other problems are mentioned. But I have tried airodump-ng and Kismet, too. Both don't seem to capture any HTTP packets from my Windows client.
Could anybody tell me please if I'm obviously doing something wrong? Many greetings, Jürgen
- Prev by Date: Re: [Wireshark-users] [Off-topic] OpenPacket.org 1.0
- Next by Date: [Wireshark-users] wireshark statistic function (sum)
- Previous by thread: Re: [Wireshark-users] wireshark and tcpdump
- Next by thread: [Wireshark-users] wireshark statistic function (sum)
- Index(es):