Re: 802.11B and libpcap

From: Michael H. Warfield (mhwat_private)
Date: Fri Sep 14 2001 - 15:24:13 PDT


    On Thu, Sep 13, 2001 at 10:24:01PM +0200, Ronny Vaningh wrote:
    > Hi
    
    > I want to capture the 802.11B link layer data with Ethereal.
    > I've read that you need to patch your libpcap for use with 802.11B
    > networks.
    
    	More than just that, I'm afraid.
    
    > However on the tcpdump site I could not find any pointers to this
    > subject.
    
    	Not real surprising.  It's a little more complicated than
    simply patching libpcap.  You also have to have a patched driver.
    
    > Could anybody help me out here?
    
    	Seems like everything you need should be in the AirSnort sources.
    
    > Also, what is so special in the PRISMII cards that airsnort only works
    > with them, and can you recommend any card in particular.
    
    	The Prism cards can be put into a mode where they will report
    the RF framing including access point polling and encrypted frames.  You
    can't do this simply by putting the card into promisc mode.  Simple
    promisc mode just looks like an ethernet wire and you're missing the
    RF layer that it's encapsulated in.
    
    	You also require a modified driver to put the card into the RF
    Monitor mode and that's also the reason for needing the modified libpcap,
    because you get the additional RF information.
    
    	Cisco Aironet cards can also be put into this mode (although
    AFAIK, AirSnort doesn't support it) but you need a specially patched
    Aironet driver and you still need the patched libpcap.
    
    	Cards based on the Lucent chipset do not work, with the possible
    exception of some older firmware, because we don't know how to get them
    into RF Monitor mode.  It should be possible or the $@#$# access points
    (which use the same cards) wouldn't work.  So far, I don't know of anyone
    who has figured it out beyond some remarks about a method for some older
    Lucent WaveLAN cards that doesn't work on the newer cards.
    
    > Thanks 
    
    > Ronny Vaningh
    > Ronny@-do-no-spam-netrusion.com
    
    	Mike
    -- 
     Michael H. Warfield    |  (770) 985-6132   |  mhwat_private
      (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
      NIC whois:  MHW9      |  An optimist believes we live in the best of all
     PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
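
The difference between a promiscuous-mode capture and an RF Monitor mode capture shows up in the link-layer type stored in the capture file. The following is an added example, not part of the original message and not code from libpcap or AirSnort: it reads a classic pcap header, reports whether an 802.11 layer is present, and decodes the Frame Control field of each frame. It assumes the link-type numbers used by current libpcap (1, 105, 127), which are not necessarily what the 2001 patched libpcap wrote; the sample frames and the helper `make_pcap` are constructed for the demonstration.

```python
import struct

# Link-layer codes from the pcap file header (current libpcap values; assumption for this demo)
LINKTYPES = {1: "EN10MB (Ethernet-style, no 802.11 layer)",
             105: "IEEE802_11 (raw 802.11 frames)",
             127: "IEEE802_11_RADIO (radiotap header + 802.11)"}
FRAME_TYPES = {0: "management", 1: "control", 2: "data"}

def read_pcap(buf):
    """Parse a classic pcap image; return (linktype, [packet bytes])."""
    magic = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # byte order, usec magic only
    end = magic.get(buf[:4])
    if end is None or len(buf) < 24:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", buf[20:24])[0]
    off, pkts = 24, []
    while off + 16 <= len(buf):
        incl = struct.unpack(end + "I", buf[off + 8:off + 12])[0]
        if off + 16 + incl > len(buf):
            break  # truncated final record
        pkts.append(buf[off + 16:off + 16 + incl])
        off += 16 + incl
    return linktype, pkts

def dot11_summary(linktype, pkt):
    """Decode 802.11 Frame Control, or None when the capture has no 802.11 layer."""
    if linktype == 127 and len(pkt) >= 4:
        pkt = pkt[struct.unpack("<H", pkt[2:4])[0]:]  # skip radiotap (length is little-endian)
    elif linktype != 105:
        return None  # Ethernet or an unhandled header: no RF framing to inspect
    if len(pkt) < 2:
        return None
    return {"type": FRAME_TYPES.get((pkt[0] >> 2) & 3, "other"), "subtype": pkt[0] >> 4,
            "protected": bool(pkt[1] & 0x40)}  # Protected Frame bit (set on WEP frames)

def make_pcap(linktype, frames):
    """Hypothetical helper: build a little-endian pcap image from constructed frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed sample frames (not real traffic): a beacon and an encrypted data frame.
BEACON = b"\x80\x00" + bytes(22)
WEP_DATA = b"\x08\x41" + bytes(22)
RADIOTAP = b"\x00\x00\x08\x00\x00\x00\x00\x00"  # minimal 8-byte radiotap header
for lt, frames in ((105, [BEACON, WEP_DATA]), (127, [RADIOTAP + BEACON]), (1, [bytes(60)])):
    linktype, pkts = read_pcap(make_pcap(lt, frames))
    print(LINKTYPES[linktype], [dot11_summary(linktype, p) for p in pkts])
```

A capture whose header reports link type 1 was taken in ordinary or promiscuous mode, so beacons and other management frames are absent from it no matter how it is parsed.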
    
    