Wireshark mailing list archives

Re: Promiscuous mode on MacBook Pro


From: Guy Harris <guy () alum mit edu>
Date: Wed, 6 Jan 2010 15:54:05 -0800


On Jan 6, 2010, at 12:58 PM, Daniel Briley wrote:

I'm attempting to use Wireshark to monitor WiFi traffic between my mobile phone and my local WiFi network. I'm using 
a MacBook Pro with OS 10.6.2 installed. I have Wireshark 1.2.5 (SVN Rev 31296). It's the MacOS package from the 
Wireshark site. I've installed the Chmod script which gives me access to /dev/bpf*. I'm assuming this is working 
correctly as I'm able to capture from the WiFi no problem. The issue I'm encountering is when I try and use 
promiscuous mode to monitor WiFi traffic from my mobile phone. Entering promiscuous mode in Wireshark seems to make 
no difference. I still only see broadcast, multicast and unicast traffic to and from my laptop. No other traffic is 
visible. Using the ifconfig terminal command I can confirm that the interface has the PROMISC flag added to it while 
Wireshark is capturing, so I was expecting it to work. Monitor mode also seems to work, but I only get low level 
802.11 traffic from various SSIDs around me.

        http://airsnort.shmoo.com/faq.html#Q3

"3. What is the difference between monitor and promiscuous mode?

Monitor mode enables a wireless nic to capture packets without associating with an access point or ad-hoc network. This 
is desirable in that you can choose to "monitor" a specific channel, and you need never transmit any packets. In fact 
transmitting is sometimes not possible while in monitor mode (driver dependent). Another aspect of monitor mode is that 
the NIC does not care whether the CRC values are correct for packets captured in monitor mode, so some packets that you 
see may in fact be corrupted.

Promiscuous mode allows you to view all wireless packets on a network to which you have associated. The need to 
associate means that you must have some means of authenticating yourself with an access point. In promiscuous mode, you 
will not see packets until you have associated. Not all wireless drivers support promiscuous mode."

In addition, if your network has any form of encryption (WEP, WPA/WPA2), while the adapter might be able to, in 
promiscuous mode, *capture* all traffic on your local network, it probably won't be able to *decrypt* it (that being 
the whole point of encrypting wireless traffic), and might well just drop those packets on the floor for that reason.

In monitor mode, it should see *all* the traffic - and decrypt none of it, if it's encrypted.  What happens if you 
capture with the capture filter "wlan data", to filter out all management and control frames?
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
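
The split the message above describes for a monitor-mode capture (management and control frames versus data frames, and data frames that are encrypted) can be read from the 802.11 Frame Control field. This is an added example, not part of the original post; it assumes each captured packet starts with a radiotap header, and the sample packets are constructed.

```python
import struct
from collections import Counter

FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}
PROTECTED = 0x40  # "Protected Frame" flag in the second Frame Control byte


def strip_radiotap(pkt: bytes) -> bytes:
    """Return the 802.11 frame that follows the radiotap header (assumed link type)."""
    if len(pkt) < 4:
        raise ValueError("too short for a radiotap header")
    version, _pad, length = struct.unpack_from("<BBH", pkt)
    if version != 0 or length < 8 or length > len(pkt):
        raise ValueError("bad radiotap header")
    return pkt[length:]


def classify(frame: bytes):
    """Return (type name, subtype, protected?) from the Frame Control field."""
    if len(frame) < 2:
        raise ValueError("no Frame Control field")
    fc0, fc1 = frame[0], frame[1]
    return FRAME_TYPES[(fc0 >> 2) & 0x3], fc0 >> 4, bool(fc1 & PROTECTED)


def summarize(packets):
    """Count frame types; split data frames into encrypted and cleartext."""
    counts = Counter()
    for pkt in packets:
        try:
            kind, _subtype, protected = classify(strip_radiotap(pkt))
        except ValueError:
            counts["malformed"] += 1
            continue
        counts[kind] += 1
        if kind == "data":
            counts["data_protected" if protected else "data_cleartext"] += 1
    return counts


# Constructed sample packets: minimal 8-byte radiotap header + Frame Control + padding.
RT = bytes.fromhex("0000080000000000")
SAMPLE = [
    RT + bytes.fromhex("8000") + bytes(22),  # beacon (management)
    RT + bytes.fromhex("d400") + bytes(8),   # ACK (control)
    RT + bytes.fromhex("0841") + bytes(30),  # data, ToDS, Protected
    RT + bytes.fromhex("8842") + bytes(32),  # QoS data, FromDS, Protected
    RT + bytes.fromhex("0802") + bytes(30),  # data, FromDS, not protected
    b"\x00\x00",                             # truncated capture
]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
```

A capture in which every data frame lands in `data_protected` matches the behaviour described in the reply: the frames are visible in monitor mode but their payloads are not decrypted.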

