Frank,

Monitor mode allows raw capture of 802.11 frames. This includes beacons, probes, and additional wireless headers. Promiscuous mode captures ethernet frames within the 802.11 frame, but skips the 802.11 headers. Another difference is that standard pmode allows the card to still RX and TX while capturing -- but monitor mode should put the wireless card in RX only mode.

There are two ways to read these frames from monitor mode:

1 - With prism based cards and linux-wlan, prismdump can be used to capture the 802.11 frames. Ethereal can then be used to decode the frames into a readable format. [This is what the current public WEPCrack uses]

2 - Libpcap can be patched to retrieve the 802.11 info directly. [This is what Airsnort uses, as well as the next release of WEPCrack]. linux-wlan-ng can be patched to do this, and the Cisco linux drivers also have this capability. There is a difference between the Cisco and Wlan libpcap data because both cards add an additional vendor header to the 802.11 frame.

I currently have code that works with prismdump, linux-wlan libpcap, and Cisco aironet libpcap that I will be releasing to our site soon.

Supposedly it is possible to configure Symbol based cards [Symbol, Nortel, Intel, 3Com] for monitor mode as well, but I have not been able to find drivers that can do this yet.

Anton Rager
WEPCrack author
wepcrack.sourceforge.net

--- Frank Knobbe <FKnobbeat_private> wrote:
> > -----Original Message-----
> > From: Robert van der Meulen [mailto:rvdmat_private]
> > Sent: Sunday, September 16, 2001 8:33 AM
> >
> > Quoting Ronny Vaningh (ronny.vaninghat_private):
> > > Also, what is so special in the PRISMII cards that airsnort only works
> > > with them, and can you recommend any card in particular.
> >
> > The only thing I could make out from the driver sources of the prismII and
> > the hermes-based cards, is that the 'MONITOR' mode currently only works in
> > the prismII driver; you need 'MONITOR' mode for stuff like this.
>
> Robert,
>
> what exactly is the difference then between 'monitor' mode and
> promiscuous mode? I took a look at AirSnort, and it seems to be using
> raw sockets or something, but for sure not libpcap. Was that decision
> made just out of convenience? Couldn't AirSnort (or at least its
> packet acquisition piece) be re-written to use libpcap? Then it
> should work with other hacked drivers like the Cisco as well.
>
> Regards,
> Frank

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 10:49:09 PDT
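
The difference described in the message above shows up in a saved capture as the pcap link-layer type: Ethernet for a promiscuous-mode capture, an 802.11 type (optionally behind a driver-added header) for a monitor-mode one. The following is an added example, not code from the thread, WEPCrack or AirSnort; it goes beyond the message by also handling radiotap, a later header convention, and leaves out the Cisco Aironet header because its layout is not given here. The function names and the sample-building helper are assumptions made for illustration.

```python
import struct

ETHERNET, IEEE802_11, PRISM, RADIOTAP = 1, 105, 119, 127  # pcap LINKTYPE_ values
PRISM_LEN = 144  # fixed size of the wlan-ng Prism monitoring header
TYPES = {0: "management", 1: "control", 2: "data"}
MGMT = {4: "probe-request", 5: "probe-response", 8: "beacon"}

def dot11_offset(linktype, pkt):
    """Offset of the 802.11 header in pkt, or None if it cannot be located."""
    if linktype == RADIOTAP and len(pkt) >= 4:
        return struct.unpack_from("<H", pkt, 2)[0]  # it_len, little-endian
    return {IEEE802_11: 0, PRISM: PRISM_LEN}.get(linktype)

def classify(linktype, pkt):
    """Name the frame kind from the first byte of the 802.11 Frame Control field."""
    if linktype == ETHERNET:
        return "ethernet"  # promiscuous-style capture: no 802.11 header present
    off = dot11_offset(linktype, pkt)
    if off is None or len(pkt) < off + 2:
        return "unparsed"  # unknown link type or truncated packet
    ftype, subtype = (pkt[off] >> 2) & 0x3, (pkt[off] >> 4) & 0xF
    name = TYPES.get(ftype, "reserved")
    if ftype == 0:
        name += "/" + MGMT.get(subtype, "subtype-%d" % subtype)
    return name

def read_pcap(data):
    """Return (linktype, [frame kinds]) for a classic pcap byte string."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(order + "I", data, 20)[0]
    pos, kinds = 24, []
    while pos + 16 <= len(data):
        incl_len = struct.unpack_from(order + "I", data, pos + 8)[0]
        kinds.append(classify(linktype, data[pos + 16:pos + 16 + incl_len]))
        pos += 16 + incl_len
    return linktype, kinds

def make_pcap(linktype, packets):
    """Build a constructed little-endian pcap in memory (sample input only)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for p in packets:
        out += struct.pack("<IIII", 0, 0, len(p), len(p)) + p
    return out
```
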