[clug] monitor mode after association
David Collett
davec at internode.on.net
Tue Nov 7 12:30:11 GMT 2006
On Tue, Nov 07, 2006 at 09:55:48PM +1100, Michael Cohen wrote:
> Chris,
> I don't know if I'm correct but I have heard that with WPA each host gets a
> different session key - which means that with promisc mode you will only be
> able to hear your own packets (not everyone else). With monitor mode you will
> be able to hear the encrypted packets from everyone else, but will need to
> decrypt them offline as was previously mentioned. Also you will only be able
> to decrypt WPA if you actually hear the initial session establishment
> sequence. That is the time when a session key is negotiated using the PSK for
> that specific connection pair.
Yep, that's right, and in practice it is very difficult to achieve a
reliable enough capture (you are aiming for 100%) to be able to grab
all PSK handshakes and client/group re-keys which occur in WPA. Since
you are not a member of the network, you don't get to (not)ack frames and
hence get retransmissions etc.
In short, it's not very practical, especially for network diagnostic
purposes. (e.g. am I missing this packet because I lost the 802.11 frame or
because it was never sent??)
Dave
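To make concrete why a sniffer that misses the handshake is stuck, here is an added example (not from the original thread or its posters) of the WPA/WPA2-PSK key hierarchy in Python using only the standard library: the PMK is derived from the passphrase and SSID, but the per-station PTK additionally mixes in the two MAC addresses and the two nonces exchanged in the 4-way handshake, so the AP and each client end up with different pairwise keys even though they share one PSK. The MAC addresses, nonces and EAPOL frame bytes below are constructed stand-ins, not captured traffic; the PBKDF2 vector in the test is the published IEEE 802.11i Annex H value for passphrase "password" and SSID "IEEE".

```python
"""WPA/WPA2-PSK key hierarchy: PSK -> PMK -> per-station PTK (added example)."""
import hashlib
import hmac


def psk_to_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    This step needs no traffic at all; only the PSK and SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... and truncate to nbytes."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    ANonce and SNonce travel in cleartext in handshake messages 1 and 2; without
    them the PMK alone cannot be turned into a usable session key.  384 bits is the
    CCMP size; TKIP uses 512 (extra TKIP MIC keys) but the first 48 bytes are the same."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame)[:16], computed
    over the EAPOL-Key frame with its 16-byte MIC field (offset 81..97) zeroed.
    WPA/TKIP (version 1) uses HMAC-MD5 instead."""
    zeroed = eapol_frame[:81] + b"\x00" * 16 + eapol_frame[97:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def verify_eapol_mic(kck: bytes, eapol_frame: bytes) -> bool:
    """True if the MIC embedded in the frame matches the KCK; this is how an offline
    decryptor confirms it derived the right PTK for a captured handshake."""
    return hmac.compare_digest(eapol_mic(kck, eapol_frame), eapol_frame[81:97])


def demo() -> dict:
    """Two stations on the same PSK: same PMK, different PTKs.  All inputs constructed."""
    pmk = psk_to_pmk("clug-demo-passphrase", "clug-demo")        # constructed
    ap = bytes.fromhex("001122334455")                           # constructed AP MAC
    sta1 = bytes.fromhex("66778899aabb")                         # constructed client MACs
    sta2 = bytes.fromhex("ccddeeff0011")
    # Stand-ins for the 32-byte random nonces each side generates per association.
    anonce1, snonce1 = hashlib.sha256(b"anonce-1").digest(), hashlib.sha256(b"snonce-1").digest()
    anonce2, snonce2 = hashlib.sha256(b"anonce-2").digest(), hashlib.sha256(b"snonce-2").digest()
    ptk1 = derive_ptk(pmk, ap, sta1, anonce1, snonce1)
    ptk2 = derive_ptk(pmk, ap, sta2, anonce2, snonce2)

    # Constructed EAPOL-Key message 2 for station 1: 4-byte 802.1X header, 95-byte
    # key body (MIC field at 81..97), plus a short key-data payload.  The sender fills
    # the MIC with the value computed over the zeroed frame.
    frame = bytearray(b"\x01\x03\x00\x75" + b"\x02" + b"\x01\x0a" + b"\x00\x10"
                      + b"\x00" * 8 + snonce1 + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8
                      + b"\x00" * 16 + b"\x00\x00" + b"\x30\x14" + b"\x00" * 20)
    frame[81:97] = eapol_mic(ptk1["KCK"], bytes(frame))
    frame = bytes(frame)

    return {
        "pmk": pmk,
        "sta1": ptk1,
        "sta2": ptk2,
        "mic_ok_with_sta1_keys": verify_eapol_mic(ptk1["KCK"], frame),
        "mic_ok_with_sta2_keys": verify_eapol_mic(ptk2["KCK"], frame),
        "mic_ok_with_wrong_psk": verify_eapol_mic(
            derive_ptk(psk_to_pmk("wrong", "clug-demo"), ap, sta1, anonce1, snonce1)["KCK"], frame),
    }


if __name__ == "__main__":
    r = demo()
    print("TK sta1:", r["sta1"]["TK"].hex())
    print("TK sta2:", r["sta2"]["TK"].hex())
    print("MIC checks:", r["mic_ok_with_sta1_keys"], r["mic_ok_with_sta2_keys"], r["mic_ok_with_wrong_psk"])
```

The MIC check is the same test an offline tool performs on a captured handshake: it only succeeds for the one station whose nonces were seen, which is why every handshake and every pairwise re-key has to be in the capture. Group traffic is no better, since the GTK is delivered inside the handshake (and each group re-key) wrapped under that station's KEK, so a missed re-key loses the broadcast key as well.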