Re: [PEN-TEST] wireless LAN traffic sniffing

From: Dawes, Rogan (ZA - Johannesburg) (rdawesat_private)
Date: Wed May 02 2001 - 06:16:13 PDT


    Not so.
    
    Most (?) token-ring cards (at least, those based on the IBM Tropic chipset)
    are physically unable to enter promiscuous mode, regardless of the OS.
    
    It may be that Wireless cards have similar restrictions.
    
    Rogan
    
    -----Original Message-----
    From: Bram Shirani [mailto:kamat_private]
    Sent: 01 May 2001 07:42
    To: PEN-TESTat_private
    Subject: Re: [PEN-TEST] wireless LAN traffic sniffing
    
    
    On Fri, Apr 27, 2001 at 09:26:14PM -0500, Jacob Ansari said something like...
    >      Hi everyone,
    >
    >      Maybe I'm really missing something, but I can't seem to get my 3com
    > AirConnect wlan pcmcia card to operate in promiscuous mode.
    
    You can force (as far as I know, I've tested quite a few cards) any card
    into prom. mode; you just need the correct tools. Under Linux or OpenBSD,
    Sniffit or tcpdump will do this for you.
    
    If a card will not "enter prom. mode" it's nothing to worry about, you don't
    _HAVE_ to be in that mode to sniff traffic, it's more just a line that lets
    you know it's now sniffing and logging all traffic passing through.
    
    For example, in Unix, you can force a card into prom. mode using ifconfig (I
    forget the flag). This, however, means nothing if you don't have a method of
    capturing and logging the data. All it does is open the card to see
    everything, but you won't actually see anything unless you are configured to
    do so.
    
    By that same token, when you load sniffit while tail -f'ing your syslog, you
    won't see a line which says "eth0 entering promiscuous mode." However, when
    you load tcpdump, you will.
    
    Another example, in Windows. If you load EtherPeek or Ethereal, you will
    sniff all traffic on your network unless it's switched and specifically set up
    to not allow traffic sniffing. There's no "promiscuous mode" to be entered
    as far as an actual setting on your card, it's just sniffing, and the
    program handles the hardware interaction part of it.
    
    Bottom line, any card can sniff, if you've got the right tools. Don't get
    hung up on the output letting you know that the card is.
    
    --
    kam at aversion.net
    http://www.aversion.net
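
The thread turns on whether a syslog line is a reliable sign that an interface is in promiscuous mode. As an added example (not part of the original posts), the Python sketch below checks the interface flag directly on a Linux host and, separately, replays kernel log lines. The log wording matched, the sysfs path and the sample lines are assumptions; the sample lines are constructed.

```python
import re
from pathlib import Path

IFF_PROMISC = 0x100  # interface flag bit from <linux/if.h>

# Assumed log wording: "device <if> entered|left promiscuous mode".
# Other kernels or drivers may phrase this differently.
PROMISC_LOG = re.compile(r"device (\S+) (entered|left) promiscuous mode")


def flags_promisc(flags_text):
    """True if a hex flags string (e.g. the content of
    /sys/class/net/<if>/flags) has the IFF_PROMISC bit set."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promisc_from_log(lines):
    """Replay log lines in order and return the interfaces that
    entered promiscuous mode and have not left it again."""
    active = set()
    for line in lines:
        m = PROMISC_LOG.search(line)
        if not m:
            continue
        if m.group(2) == "entered":
            active.add(m.group(1))
        else:
            active.discard(m.group(1))
    return active


def live_promisc_interfaces(sys_net="/sys/class/net"):
    """Interfaces on this host whose flags currently include IFF_PROMISC."""
    found = []
    for flags_file in sorted(Path(sys_net).glob("*/flags")):
        try:
            if flags_promisc(flags_file.read_text()):
                found.append(flags_file.parent.name)
        except (OSError, ValueError):
            continue  # interface vanished or unreadable flags
    return found


# Constructed sample log lines (not taken from the thread).
SAMPLE_LOG = [
    "May  2 06:10:01 host kernel: device eth0 entered promiscuous mode",
    "May  2 06:10:09 host kernel: device wlan0 entered promiscuous mode",
    "May  2 06:12:30 host kernel: device eth0 left promiscuous mode",
    "May  2 06:13:00 host sshd[411]: Accepted password for user",
]
```

A log-based answer only covers tools that cause the kernel message to be written; comparing it with `live_promisc_interfaces()` shows whether the two views agree on a given host.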
    



    This archive was generated by hypermail 2b30 : Thu May 03 2001 - 00:44:58 PDT