This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

“Capture packets in promiscuous mode” check-box

0

Wireshark Version 1.4.2; Win7Pro64; 802.11 sniffing. Does the presence of the "Capture packets in promiscuous mode" option box imply that it is, in fact, possible to put my adapter into promiscuous mode? The box is present, and is checked, yet I am only seeing traffic to or from the machine running Wireshark, suggesting that it is not really in promiscuous mode.

Thanks, Howard

asked 29 Mar '11, 17:50

hdelman
accept rate: 0%


3 Answers:

1

Wireshark running on Windows cannot put wifi adapters into monitor mode unless it is an AirPcap adapter. If you do not have such an adapter, the promiscuous mode check box doesn't help and you'll only see your own traffic, and without the 802.11 layer as well.

answered 30 Mar '11, 02:04

Jasper ♦♦
accept rate: 18%

1

There's no way to query a device driver to ask whether promiscuous mode is supported or works, so Wireshark always offers the checkbox, whether it works or not. On Windows, a lot of 802.11 devices and drivers don't support promiscuous mode - for 802.11, that would mean a mode in which the device captures all packets on the network with which the device is associated, but not other devices - and that's probably the case with your adapter.

Unfortunately, WinPcap doesn't support "monitor mode", in which an 802.11 adapter captures all packets the radio receives, whether they're for that network or not, so Wireshark doesn't support it on Windows, either. You'd need an AirPcap adapter to capture 802.11 traffic not sent from or to your machine.

answered 30 Mar '11, 10:24

Guy Harris ♦♦
accept rate: 19%

Thank you to all who answered. I now own an AirPcap adapter, and now I'm seeing everything! But that has introduced a whole new set of problems... TMI! For all that I've read on the 'net concerning capture filters and display filters, I'm still quite befuddled.

Is there a way to have the 802.11 data packets displayed as Ethernet packets, so that I can use conventional TCP/IP display filters?

Is there a way to filter out beacon and management frames, so as to only capture data frames?

Thanks again, Howard

(03 Apr '11, 14:41) hdelman
1

Separate questions should be asked as separate questions, not as "answers" to your own question. I've converted your questions to a comment under my reply.

No, there's no way to have the 802.11 data packets displayed as Ethernet packets - and there's no need to, as TCP/IP display filters only look at the TCP and IP headers, and Wireshark can dissect IP atop 802.11 just as well as it can dissect it atop Ethernet, or PPP, or any of the other layers atop which it can run, while TCP runs on top of IP, so the display filters will work.

(03 Apr '11, 15:00) Guy Harris ♦♦

If you want a capture filter that captures only data frames, "type data" should work, at least with recent versions of WinPcap.

(03 Apr '11, 15:01) Guy Harris ♦♦
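The two points in the comments above (a "type data" capture filter, and IP being dissected atop 802.11 without any conversion to Ethernet) can be seen in the frame layout itself. The following is an added example, not code from any of the posters or from Wireshark: it reads the 802.11 Frame Control field to sort frames into mgt/ctl/data and, for unencrypted data frames, finds the EtherType in the LLC/SNAP header. The function names and the sample frames are constructed for illustration, and it assumes a radiotap link-layer header and no mesh control field.

```python
import struct

WLAN_TYPES = {0: "mgt", 1: "ctl", 2: "data"}   # names used by the pcap "type" filter
SNAP = b"\xaa\xaa\x03\x00\x00\x00"             # LLC/SNAP prefix that precedes the EtherType

def classify(pkt):
    """Return (type, subtype, ethertype or None) for a radiotap-prefixed 802.11 frame."""
    if len(pkt) < 4:
        raise ValueError("truncated radiotap header")
    off = struct.unpack_from("<H", pkt, 2)[0]   # radiotap length, little-endian
    if len(pkt) < off + 2:
        raise ValueError("truncated 802.11 header")
    fc0, fc1 = pkt[off], pkt[off + 1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    kind = WLAN_TYPES.get(ftype, "reserved")
    # No EtherType to find in non-data frames, Null (no-body) subtypes, or encrypted bodies.
    if kind != "data" or (subtype & 0x4) or (fc1 & 0x40):
        return kind, subtype, None
    hdr = 24                                    # frame control .. sequence control
    if (fc1 & 0x03) == 0x03:
        hdr += 6                                # ToDS+FromDS: fourth address
    if subtype & 0x8:
        hdr += 2                                # QoS Control
        if fc1 & 0x80:
            hdr += 4                            # HT Control (Order bit on a QoS frame)
    llc = pkt[off + hdr:off + hdr + 8]
    if len(llc) == 8 and llc.startswith(SNAP):
        return kind, subtype, struct.unpack(">H", llc[6:])[0]
    return kind, subtype, None

def only_data(packets):
    """Keep what a "type data" capture filter would keep."""
    return [p for p in packets if classify(p)[0] == "data"]

# Constructed sample frames (not from a real capture); addresses are zeroed.
RTAP = b"\x00\x00\x08\x00\x00\x00\x00\x00"      # minimal 8-byte radiotap header
BEACON = RTAP + b"\x80\x00" + bytes(22) + bytes(12)
ACK = RTAP + b"\xd4\x00" + bytes(8)
QOS_IPV4 = RTAP + b"\x88\x01" + bytes(22) + bytes(2) + SNAP + b"\x08\x00" + b"\x45"
ENCRYPTED = RTAP + b"\x08\x41" + bytes(22) + bytes(16)
SAMPLES = [BEACON, ACK, QOS_IPV4, ENCRYPTED]

if __name__ == "__main__":
    for p in SAMPLES:
        print(classify(p))
```

The QoS data sample yields EtherType 0x0800 (IPv4) directly after the 802.11 and LLC/SNAP headers, which is the point at which IP and TCP dissection, and therefore the usual display filters, take over.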

0

The check box doesn't mean that the interface can go into promiscuous mode. If it is checked, it will attempt to put it into promiscuous mode. I have some wireless adapters that, when it is checked, don't capture at all.

Your issue might not be related to this, though. Is your NIC connected to a switch? If so, did you configure the switchport to be in "span" or "monitor" mode?

answered 29 Mar '11, 18:10

Paul Stewart
accept rate: 6%