This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Laptop detects packages sent to wifi radio

0

I detect a lot of packages on 'wlan0' on my laptop. They all look like this:

[...] Source        Destination        Protocol  Length Info
[...] Avm_XX:XX:XX  Frontier_XX:XX:XX  Ethernet  1530   Ethernet Unknown: Invalid length/type: 0x05ec (1516)

The source address belongs to the router, the destination address belongs to a wifi radio which is connected to the wlan. I guess there is nothing wrong with these packages, since the radio is playing a web radio station. But why do I detect them on the wlan0 device of my laptop? I have no intention of any communication between my laptop and the wifi radio.

asked 14 Mar '16, 16:36


le0m
6113
accept rate: 0%

Is your laptop connected to the same WiFi network as the WiFi radio (i.e., the device playing a web radio station over the WiFi network)?

If yes, then the wlan0 device is configured in promiscuous mode and is capturing all the traffic that is on the same WiFi network.

Also, what operating system are you using?

(14 Mar '16, 19:39) Amato_C

Yes, both are in the same wifi. I'm using Linux Mint 17.3.

(15 Mar '16, 02:57) le0m

2 Answers:

1

You are capturing the WiFi traffic in promiscuous mode. The WiFi interface will only capture packets of the currently joined 802.11 network (with a specific SSID and channel).

For a more detailed explanation, refer to the Wireshark wiki on capturing WiFi:

https://wiki.wireshark.org/CaptureSetup/WLAN#Promiscuous_mode

answered 15 Mar '16, 04:33


Amato_C
1.1k142032
accept rate: 14%

1

Promiscuous mode behaviour on wireless interfaces largely depends on the hardware and drivers. So let's start from the start and see how the radio frame passes through the layers of processing.

  • the router always sends the wireless frames towards the WiFi radio so they always reach your laptop's wlan0 receiver input.

  • if the wlan0 hardware is tuned to the same radio channel, it cannot avoid "hearing" those frames.

  • unless it is also joined to the same AP as your WiFi radio receiver, it will drop them due to the difference in ESSID, and promiscuous mode can do nothing about it. (If you eventually want to capture frames with another ESSID, the wlan0 would have to be in monitoring mode instead)

  • only if the frame passes the ESSID check does the "normal" or "promiscuous" mode become important.

  • if promiscuous mode is active and really works on that wireless hardware & driver (which is not always true), it would let all received frames which have passed the ESSID check get further, even though their destination MAC address is neither wlan0's own one nor a multicast one nor a broadcast one.

So in other words: it is unlikely that the wlan0 is in promiscuous mode when you do not capture. Try to capture with promiscuous mode off and see whether the packets are still there or not. How to capture without promiscuous mode depends on what software you use (GUI Wireshark or any of the three: dumpcap, tshark, or tcpdump). In GUI Wireshark 2.0.x, you have to untick the "promiscuous mode on all interfaces" checkbox and set promiscuous mode on wlan0 to disabled; for the command-line tools, -P is the parameter disabling the promiscuous mode for an individual interface (so you would use -i wlan0 -P in this exact order).

So the summary is that your laptop's hardware always receives the frames if you use the same wireless channel as the WiFi radio receiver. The difference is how far they get in the hardware and network stack. If you only see them in a capture taken in promiscuous mode, the only thing you could do to save your laptop from receiving them would be to use a different radio channel for the WiFi network for the laptop and the WiFi network for the radio receiver. But without promiscuous mode, they do not bother the network stack and waste the CPU and memory.

answered 15 Mar '16, 07:33


sindy
6.0k4851
accept rate: 24%
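
Both answers turn on whether wlan0 is actually in promiscuous mode and on the difference between promiscuous and monitor mode. The following read-only check is an added example, not part of either poster's answer: it decodes the Linux sysfs files `/sys/class/net/<iface>/flags` and `/sys/class/net/<iface>/type`. The function names and the sample flag values are constructed for illustration.

```shell
#!/bin/sh
# Added example: report promiscuous state and link type of a Linux interface.
IFF_PROMISC=256   # 0x100, IFF_PROMISC from <linux/if.h>

# is_promisc FLAGS: succeeds if the IFF_PROMISC bit is set in the flags word
# (FLAGS is the hex string found in /sys/class/net/<iface>/flags).
is_promisc() {
    [ $(( $1 & IFF_PROMISC )) -ne 0 ]
}

# link_kind TYPE: map the ARPHRD_* number from /sys/class/net/<iface>/type.
link_kind() {
    case "$1" in
        1)           echo "ethernet" ;;  # ARPHRD_ETHER: a joined (managed) WLAN interface presents as this
        801|802|803) echo "monitor"  ;;  # ARPHRD_IEEE80211, _PRISM, _RADIOTAP: raw 802.11 frames
        *)           echo "other"    ;;
    esac
}

# describe FLAGS TYPE: one-line summary of both values.
describe() {
    if is_promisc "$1"; then p=on; else p=off; fi
    echo "promiscuous=$p link=$(link_kind "$2")"
}

# describe_iface IFACE [SYSROOT]: read the two sysfs files for IFACE.
# SYSROOT defaults to /sys/class/net and exists so the function can be
# pointed at a test directory.
describe_iface() {
    d="${2:-/sys/class/net}/$1"
    [ -r "$d/flags" ] || { echo "no such interface: $1" >&2; return 1; }
    describe "$(cat "$d/flags")" "$(cat "$d/type")"
}

# Constructed sample values (not captured from a real machine):
describe 0x1003 1     # UP|BROADCAST|MULTICAST, joined to an AP
describe 0x1103 1     # same interface with IFF_PROMISC set
describe 0x1103 803   # interface in monitor mode delivering radiotap frames
```

Run `describe_iface wlan0` once while idle and once while a capture is running to see whether the capture tool is what switches the interface into promiscuous mode.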