
Wireless Card Promiscuous Mode


Set Promiscuous mode
I found out that in ad hoc mode, Cisco Aironet can overhear others' data transmissions but not IEEE 802.11 control traffic (using Ethereal). My question is: is promiscuous mode with respect to the data traffic on by default? So maybe for watchdog detection we don't need to configure the wireless card because we only care about the network layer (routing protocol) traffic?

Using wireless monitor mode in Linux with Cisco cards


Cisco PCM340/350
The difference between those two cards is the transmit power level. On the PCM340 power is limited to 30mW, whereas the PCM350 can output 100mW. For monitoring applications obviously that doesn't matter a great deal.

When used as a normal wireless client, the firmware will automatically find the best access point based on signal quality and associate with it. This feature extends to monitor mode as well, so it's best to select the SSID name first and then let the card figure out the correct channel. Manually setting the channel doesn't seem to be honored.

Firmware version 4.25.30 seems to work.

Monitor mode in Linux
The driver named airo may be used for Cisco cards. For some reason, this driver creates two devices when active: one is named ethX as normal and the second is named wifiX. The wifiX device must be used when monitor mode is enabled, whereas the ethX device is used when the card is a normal wireless client. As far as I can tell there is no benefit to having a separate interface, since the card firmware will not allow frames to be transmitted while in monitor mode.

To enable monitor mode with these cards and start capturing:

  shell# iwconfig eth0 mode monitor 
  shell# iwconfig eth0 essid <SSID>
  shell# ifconfig wifi0 up
  shell# ifconfig eth0 up
  shell# tcpdump -n -i wifi0 -s1500 -w <savefile>

If your version of wireless-tools doesn't understand the "mode monitor" command above, you can enable monitor mode with the following:

  shell# echo "Mode: y" > /proc/driver/aironet/eth0/Config

The link type should then change to IEEE802_11.
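
An added example, not part of the original notes: a Python check of a tcpdump savefile that confirms the link type is IEEE802_11 (pcap link type 105) and counts management, control and data frames, which shows whether the card delivers 802.11 control traffic at all. The function names and the sample capture are constructed for illustration, and only classic microsecond-resolution pcap files are handled.

```python
import struct
from collections import Counter

DLT_EN10MB = 1        # Ethernet framing: the card was not in monitor mode
DLT_IEEE802_11 = 105  # raw 802.11 headers, shown by tcpdump as IEEE802_11
FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "reserved"}

def summarize_pcap(blob):
    """Return (link type, Counter of 802.11 frame types) for a classic pcap."""
    if len(blob) < 24:
        raise ValueError("too short for a pcap global header")
    if blob[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif blob[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    # Link type is the low 16 bits of the last global-header field.
    linktype = struct.unpack(endian + "I", blob[20:24])[0] & 0xFFFF
    counts = Counter()
    offset = 24
    while offset + 16 <= len(blob):
        incl_len = struct.unpack(endian + "I", blob[offset + 8:offset + 12])[0]
        frame = blob[offset + 16:offset + 16 + incl_len]
        if len(frame) < incl_len:
            break  # savefile truncated mid-record
        offset += 16 + incl_len
        if linktype == DLT_IEEE802_11 and len(frame) >= 2:
            # Frame Control, first byte: bits 2-3 hold the frame type.
            counts[FRAME_TYPES[(frame[0] >> 2) & 0x3]] += 1
    return linktype, counts

def build_sample(linktype, frames):
    """Constructed input: a little-endian pcap holding the given frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1500, linktype)
    for frame in frames:
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

# Constructed frames: only the Frame Control bytes matter, the rest is padding.
BEACON = b"\x80\x00" + bytes(22)  # management
ACK = b"\xd4\x00" + bytes(8)      # control
DATA = b"\x08\x00" + bytes(22)    # data
SAMPLE = build_sample(DLT_IEEE802_11, [BEACON, ACK, DATA, DATA])

if __name__ == "__main__":
    link, counts = summarize_pcap(SAMPLE)
    print("link type:", link, dict(counts))
```

To check a real capture, pass the bytes of the tcpdump savefile to `summarize_pcap`; a link type of 1 instead of 105 means the capture was taken on the Ethernet-style interface rather than in monitor mode.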



How do I put my Cisco card into monitor mode?

  # Capture only the service set to which the card belongs:
  echo 'Mode: r' > /proc/driver/aironet/eth1/Config
  # Capture traffic for any service set:
  echo 'Mode: y' > /proc/driver/aironet/eth1/Config

If you want to capture traffic for any service set rather than just the service set to which the card belongs, use Mode: y rather than Mode: r. Substitute your device name as appropriate.


What is Kismet?
Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic. Kismet identifies networks by passively collecting packets and detecting standard named networks, detecting (and given time, decloaking) hidden networks, and inferring the presence of nonbeaconing networks via data traffic.

  apt-get install kismet


Ethereal WLAN (IEEE 802.11) capture setup
Ethereal
setup

AirSnort
AirSnort is a wireless LAN (WLAN) tool which recovers encryption keys. AirSnort operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered.

What is the difference between monitor and promiscuous mode?


Monitor mode enables a wireless NIC to capture packets without associating with an access point or ad-hoc network. This is desirable in that you can choose to "monitor" a specific channel, and you need never transmit any packets. In fact, transmitting is sometimes not possible while in monitor mode (driver dependent). Another aspect of monitor mode is that the NIC does not care whether the CRC values are correct for packets captured in monitor mode, so some packets that you see may in fact be corrupted.

Promiscuous mode allows you to view all wireless packets on a network to which you have associated. The need to associate means that you must have some means of authenticating yourself with an access point. In promiscuous mode, you will not see packets until you have associated. Not all wireless drivers support promiscuous mode.



Some Links
Linux and Cisco Aironet wireless cards
Linux and Lucent wireless cards
Wild Packets
Airopeek
Protocol Analysis Institute
