This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I mean, I just want to put my wireless card interface into promiscuous mode to scan the wireless network I'm connected to. Do I necessarily need a monitor-mode-compatible wifi card?

Should I necessarily set my interface's promiscuous flag on before running Wireshark using its promiscuous mode? (Ubuntu 12.04 LTS)

sudo ip link set wlan0 promisc on

I've already tried that, without having a monitor-compatible card, without success. I only receive broadcast and multicast packets.

asked 19 Jul '14, 11:58

redraw


Monitor mode is required to capture wireless traffic not destined for the capturing host. See the wiki page on wlan for more info.

answered 19 Jul '14, 12:49

grahamb ♦

edited 19 Jul '14, 12:50

It says: "In promiscuous mode the MAC address filter mentioned above is disabled and all packets of the currently joined 802.11 network (with a specific SSID and channel) are captured." That's what I want to do. Capture packets from my joined WLAN network. So, why should I need monitor mode? I'm only trying to put my interface into promiscuous mode, but I only receive broadcast and multicast packets.

(19 Jul '14, 12:58) redraw

It also says "Promiscuous mode is, in theory, possible on many 802.11 adapters, but often does not work in practice; if you specify promiscuous mode, the attempt to enable promiscuous mode may fail, the adapter might only capture traffic to and from your machine, or the adapter might not capture any packets."

(19 Jul '14, 14:43) grahamb ♦

Ok. So that's another compatibility list I should see: the promiscuous mode compatible cards maybe? Or does it have to do with Wireshark+interface issues?

(19 Jul '14, 15:40) redraw

One last question @grahamb ♦. I could sniff packets using ettercap with ARP poisoning and MITM. So I receive the packets and forward them to the router. So, why wouldn't promiscuous mode see those packets just listening on the wifi area (without arp spoofing/mitm)?

(19 Jul '14, 19:40) redraw

AFAIK it's down to the NIC drivers and how they filter traffic. There's nothing much that libpcap can do about it.

(20 Jul '14, 03:42) grahamb ♦
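
A way to check a capture for the symptom discussed in this thread, as an added example that is not part of the original posts: it classifies each frame by its MAC addresses and reports whether any unicast traffic between other stations was seen. The function names are hypothetical, and the MAC addresses and sample frames are constructed.

```python
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"

def normalize(mac):
    """Lower-case a MAC address and accept '-' as the separator."""
    return mac.strip().lower().replace("-", ":")

def classify(src, dst, own_mac):
    """Classify one frame relative to the capturing host."""
    src, dst, own = normalize(src), normalize(dst), normalize(own_mac)
    if src == own:
        return "from_me"
    if dst == BROADCAST:
        return "broadcast"
    # I/G bit: the least significant bit of the first octet marks a group address.
    if int(dst.split(":")[0], 16) & 0x01:
        return "multicast"
    if dst == own:
        return "unicast_to_me"
    return "unicast_to_other"

def summarize(frames, own_mac):
    """frames: iterable of (src, dst) MAC pairs exported from a capture."""
    return Counter(classify(s, d, own_mac) for s, d in frames)

def filter_still_active(counts):
    """True when no unicast frame between other stations was captured,
    i.e. the adapter/driver is still dropping traffic not addressed to us."""
    return counts["unicast_to_other"] == 0

# Constructed sample data (locally administered MACs, not from a real capture).
OWN, GW, OTHER = "02:00:00:00:00:01", "02:00:00:00:00:fe", "02:00:00:00:00:02"
SAMPLE_FILTERED = [
    (GW, BROADCAST),               # broadcast from the gateway
    (OTHER, "01:00:5e:00:00:fb"),  # IPv4 multicast
    (OTHER, "33:33:00:00:00:01"),  # IPv6 multicast
    (GW, OWN),                     # reply addressed to us
    (OWN, GW),                     # our own request
]
# Same capture plus one frame between two other stations.
SAMPLE_UNFILTERED = SAMPLE_FILTERED + [(OTHER, GW)]

if __name__ == "__main__":
    for name, frames in (("filtered", SAMPLE_FILTERED), ("unfiltered", SAMPLE_UNFILTERED)):
        counts = summarize(frames, OWN)
        print(name, dict(counts), "filter still active:", filter_still_active(counts))
```
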
question asked: 19 Jul '14, 11:58

question was seen: 2,194 times

last updated: 20 Jul '14, 03:42
