I mean, I just want to put my wireless card interface into promiscuous mode to scan my wireless network I'm connected to. Do I necessarily need a monitor mode wifi card compatible? Should I necessarily set my interface promiscuous flag on before running Wireshark using its promiscuous mode? (Ubuntu 12.04LTS)
I've already tried that without having a monitor compatible card without success. I only receive broadcast and multicast packets.
asked 19 Jul '14, 11:58 redraw
One Answer:
Monitor mode is required to capture wireless traffic not destined for the capturing host. See the wiki page on wlan for more info.
answered 19 Jul '14, 12:49 grahamb ♦ edited 19 Jul '14, 12:50
It says: "In promiscuous mode the MAC address filter mentioned above is disabled and all packets of the currently joined 802.11 network (with a specific SSID and channel) are captured." That's what I want to do. Capture packets from my joined WLAN network. So, why should I need monitor mode? I'm only trying to put my interface into promiscuous mode, but I only receive broadcast and multicast packets.
It also says "Promiscuous mode is, in theory, possible on many 802.11 adapters, but often does not work in practice; if you specify promiscuous mode, the attempt to enable promiscuous mode may fail, the adapter might only capture traffic to and from your machine, or the adapter might not capture any packets."
Ok. So that's another compatibility list I should see: the promiscuous mode compatible cards maybe? Or it has to be with Wireshark+interface issues?
One last question @grahamb ♦. I could sniff packets using ettercap with ARP poisoning and MITM. So I receive the packets and forward them to the router. So, why wouldn't promiscuous mode see those packets just listening on the wifi area (without ARP spoofing/MITM)?
AFAIK it's down to the NIC drivers and how they filter traffic. There's nothing much that libpcap can do about it.
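An added example, not part of the original thread: a Python check for the two things discussed above on Linux, whether an interface has the promiscuous flag set and whether the adapter advertises monitor mode in `iw list`. The `iw list` text and the flag values are constructed samples, and the function names are hypothetical.

```python
IFF_PROMISC = 0x100  # promiscuous bit in interface flags (linux/if.h)

# Constructed, trimmed sample of `iw list` output (not from a real adapter).
SAMPLE_IW_LIST = (
    "Wiphy phy0\n"
    "\tBand 1:\n"
    "\t\tFrequencies:\n"
    "\t\t\t* 2412 MHz [1] (20.0 dBm)\n"
    "\tSupported interface modes:\n"
    "\t\t * IBSS\n"
    "\t\t * managed\n"
    "\t\t * AP\n"
    "Wiphy phy1\n"
    "\tSupported interface modes:\n"
    "\t\t * managed\n"
    "\t\t * monitor\n"
    "\tBand 1:\n"
)

def supported_modes(iw_list_text):
    """Map each phy to the modes listed under 'Supported interface modes:'."""
    modes, phy, in_section = {}, None, False
    for line in iw_list_text.splitlines():
        stripped = line.strip()
        if line.startswith("Wiphy "):
            phy = line.split()[1]
            modes[phy] = set()
            in_section = False
        elif stripped == "Supported interface modes:":
            in_section = True
        elif in_section and phy and stripped.startswith("* "):
            modes[phy].add(stripped[2:])
        else:
            in_section = False  # any other line ends the section
    return modes

def promisc_flag_set(flags_hex):
    """flags_hex: contents of /sys/class/net/<iface>/flags, e.g. '0x1103'."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)

def capture_outlook(modes, flags_hex):
    """Summarise what the answer above implies for this adapter."""
    if "monitor" in modes:
        return "monitor mode advertised: traffic for other hosts can be captured"
    if promisc_flag_set(flags_hex):
        return "promiscuous flag set, no monitor mode: see the answer above"
    return "no monitor mode and promiscuous flag not set"

if __name__ == "__main__":
    for phy, modes in supported_modes(SAMPLE_IW_LIST).items():
        print(phy, "->", capture_outlook(modes, "0x1103"))
```

On a real system, pass the output of `iw list` and the contents of `/sys/class/net/<iface>/flags` instead of the samples.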