[clug] monitor mode after association

chris u4123459 at anu.edu.au
Tue Nov 7 20:09:58 GMT 2006


Ian wrote:
> Hey Chris,
Hi Ian,
>
> Basically, monitor mode will capture every packet on the current
> channel (and the occasional packet from neighbouring channels in 11b/g
> but not 11a), while promiscuous mode captures every packet on the
> current associated network (ie, after the WiFi has become
> transparent).
Say there is only one wireless network, and it is currently
associated. Would the number of packets captured through both
ways (promiscuous mode and monitor mode) be the same? I have a Mac
(don't know if this makes a difference) associated to my wireless AP.
I was unable to see any packets coming in or out from it, while
putting my card (in a laptop) in promiscuous mode. But if I change my
card into monitor mode at the beginning (no association took place), I
was able to see some responses through Ethereal on my laptop (even
though they all appear as 802.11 packets, which doesn't necessarily
mean they came from my Mac, but I _think_ they did).

If I associate my laptop with the AP using managed mode (I have to do
this otherwise it won't associate) then put the card into monitor mode
(iwconfig eth1 mode monitor), the card will switch back to managed
mode by itself almost instantly.

The reason I wanted to put the card into monitor mode as much as
possible is that promiscuous mode doesn't give me as many packets as
monitor mode does (even though there is only one wireless network and
is associated). And the reason I wanted to associate my card with the
AP before I change it to monitor mode is that by not associating it
first and going straight into monitor mode, Ethereal shows those captured
packets as 802.11 packets, which is useless because I need http and
tcp info (I can only get http and tcp info if the card is associated),
unless I save the captured file then decrypt them afterwards as you
pointed out, using airdecap.

I was looking for a way to get a dynamically updated list of captured
packets in Ethereal which makes sense to me (meaning it has other info
like http and tcp rather than merely identified as 802.11 packets) in
a WPA network through monitor mode. Now I start to think this is
probably not possible. Because in order to get a meaningful list I
have to associate to the AP, but I can't remain associated if I put my
card into monitor mode.
> Also, monitor mode will also allow you to examine the
> extra wifi headers on every packet that is usually removed before the
> packet is even passed onto the kernel (Monitor mode essentially
> bypasses the usual processing that occurs in the card/firmware/driver
> related to the network ID filtering and disables stripping the wifi
> headers, similar to how promiscuous mode bypasses the card's MAC
> filtering).
>
> Monitor and Managed modes are mutually exclusive by definition (the
> kernel's network stack code doesn't know what to do with the extra
> headers you get in monitor mode).
>
> Some drivers provide a method that will allow you to put the card into
> both modes simultaneously by use of virtual interfaces - I don't know
> how this would be achieved on your specific card (or if it is even
> possible), check your driver's documentation.
>
> On mine (madwifi drivers for atheros chipset which does all of this
> processing in the driver, as opposed to the firmware/card) this is
> achieved with the wlanconfig utility to create a new virtual interface
> in monitor mode: wlanconfig ath1 create wlandev wifi0 wlanmode monitor
> (so ath0 is in managed while ath1 is in monitor and wifi0 represents
> the physical card). Older madwifi created the second interface by echo
> 1 > /proc/sys/dev/ath0/rawdev && ifconfig ath0raw up.
Can you also use your Atheros card as an AP? Does it mean as long as
the card supports monitor mode, it can be used as an AP? The iMacs can
share Internet connection through Airport, I am not sure if my Intel
3945 card can do the same.
> If it isn't possible on your card you could always use a second card
> so one can be in monitor while the other is in managed, or maybe look
> into some kernel network stack hack to allow it to process, or at
> least strip, the monitor headers at that level (be aware that
> different wifi chipsets produce different headers though).
>
> -Ian
>
> On 07/11/06, Christopher Zhang <u4123459 at anu.edu.au> wrote:
>> Hi list,
>>
>> I am trying to put my Intel 3945 wireless card into monitor mode to
>> work with ethereal in my own WPA2 encrypted network, it seems that
>> the card will automatically change back to managed mode after
>> associating to the AP. This makes it impossible to stay at
>> promiscuous mode for packets collection. However the card will stay
>> at monitor mode if I didn't try to associate it with the AP, but
>> that's pretty much useless as all packets I can see are encrypted and
>> appear in ethereal under protocol 802.11.
>>
>> Does anyone have a better idea to make a wireless card stay at monitor
>> mode after association in a WPA encrypted network?
>>
>> Thanks
>>
>> Chris
>> --
>> linux mailing list
>> linux at lists.samba.org
>> https://lists.samba.org/mailman/listinfo/linux
>>
>
>
Chris
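
Added example, not part of the original message: a small Python parser showing what a monitor-mode capture hands to an analyzer, and why frames on a WPA network stop at "802.11" until they are decrypted. It assumes the capture uses radiotap headers (the thread does not name the header format); both sample frames and all names are constructed for illustration.

```python
import struct

LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

def classify_monitor_frame(pkt: bytes) -> dict:
    """Walk the radiotap and 802.11 headers; report the deepest layer readable."""
    if len(pkt) < 8:
        raise ValueError("too short for a radiotap header")
    version, _pad, rt_len, _present = struct.unpack_from("<BBHI", pkt, 0)
    if version != 0 or rt_len < 8 or rt_len + 2 > len(pkt):
        raise ValueError("not a radiotap capture")
    dot11 = pkt[rt_len:]  # header length differs per driver, so never hard-code it
    (fc,) = struct.unpack_from("<H", dot11, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    info = {
        "radiotap_len": rt_len,
        "type": ("mgmt", "ctrl", "data", "ext")[ftype],
        "protected": bool(fc & 0x4000),  # set when the body is WEP/TKIP/CCMP encrypted
        "visible": "802.11",
    }
    if info["type"] != "data" or info["protected"]:
        return info  # nothing above the 802.11 header can be dissected
    hdr_len = 24
    if (fc & 0x0300) == 0x0300:  # ToDS and FromDS both set: fourth address present
        hdr_len += 6
    if subtype & 0x8:  # QoS data carries a 2-byte QoS control field
        hdr_len += 2
    body = dot11[hdr_len:]
    if len(body) >= 8 and body[:6] == LLC_SNAP:
        (ethertype,) = struct.unpack_from(">H", body, 6)
        info["visible"] = ETHERTYPES.get(ethertype, hex(ethertype))
    return info

def _data_frame(radiotap: bytes, flags: int, body: bytes) -> bytes:
    # Constructed frame: data type, placeholder addresses, zero duration/sequence.
    return radiotap + bytes([0x08, flags]) + b"\x00\x00" + b"\x02" * 18 + b"\x00\x00" + body

RT_MIN = b"\x00\x00\x08\x00\x00\x00\x00\x00"       # radiotap, no optional fields
RT_RATE = b"\x00\x00\x09\x00\x04\x00\x00\x00\x02"  # radiotap with a Rate field
# Constructed samples: ToDS + Protected (0x41) versus ToDS only (0x01).
SAMPLE_WPA = _data_frame(RT_MIN, 0x41, bytes(8) + b"\xde\xad\xbe\xef")
SAMPLE_OPEN = _data_frame(RT_RATE, 0x01, LLC_SNAP + b"\x08\x00" + b"\x45\x00")

if __name__ == "__main__":
    for name, pkt in (("wpa", SAMPLE_WPA), ("open", SAMPLE_OPEN)):
        print(name, classify_monitor_frame(pkt))
```
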


