Penetration Testing mailing list archives

Re: 802.11B and libpcap


From: "Michael H. Warfield" <mhw () wittsend com>
Date: Fri, 14 Sep 2001 18:24:13 -0400

On Thu, Sep 13, 2001 at 10:24:01PM +0200, Ronny Vaningh wrote:
> Hi
>
> I want to capture the 802.11B link layer data with Ethereal.
> I've read that you need to patch your libpcap for use with 802.11B
> networks.

        More than just that, I'm afraid.

> However on the tcpdump site I could not find any pointers to this
> subject.

        Not real surprising.  It's a little more complicated than
simply patching libpcap.  You also have to have a patched driver.

> Could anybody help me out here?

        Seems like everything you need should be in the AirSnort sources.

> Also, what is so special in the PRISMII cards that AirSnort only works
> with them, and can you recommend any card in particular?

        The Prism cards can be put into a mode where they will report
the RF framing including access point polling and encrypted frames.  You
can't do this simply by putting the card into promisc mode.  Simple
promisc mode just looks like an ethernet wire and you're missing the
RF layer that it's encapsulated in.

        You also require a modified driver to put the card into the RF
Monitor mode and that's also the reason for needing the modified libpcap,
because you get the additional RF information.

        Cisco Aironet cards can also be put into this mode (although
AFAIK, AirSnort doesn't support it) but you need a specially patched
Aironet driver and you still need the patched libpcap.

        Cards based on the Lucent chipset do not work, with the possible
exception of some older firmware, because we don't know how to get them
into RF Monitor mode.  It should be possible or the $@#$# access points
(which use the same cards) wouldn't work.  So far, I don't know of anyone
who has figured it out beyond some remarks about a method for some older
Lucent WaveLAN cards that doesn't work on the newer cards.

> Thanks
>
> Ronny Vaningh
> Ronny () -do-no-spam-netrusion com

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
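
The difference the reply describes between promiscuous mode and RF Monitor mode is visible in a capture file as the link-layer type stored in the pcap header. The following is an added example, not part of the original post and not AirSnort or libpcap code: it reads that type and, when the 802.11 header is present, decodes the frame control field. The function names, the fixed 144-byte Prism header length and the sample builder are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Link-layer type values from the pcap link-type registry. */
enum { DLT_EN10MB = 1, DLT_IEEE802_11 = 105, DLT_PRISM_HEADER = 119 };
#define PRISM_HDR_LEN 144 /* assumption: fixed-size wlan-ng Prism monitor header */

struct wlan_view {
    uint32_t linktype;    /* from the pcap global header */
    int has_80211;        /* 1 if the 802.11 MAC header is visible */
    int type, subtype;    /* type: 0 management, 1 control, 2 data; -1 if n/a */
    int protected_frame;  /* "protected" (WEP) bit of the frame control field */
};

static uint32_t rd32(const uint8_t *p, int swap) {
    uint32_t v;
    memcpy(&v, p, 4);
    return swap ? (v >> 24) | ((v >> 8) & 0xff00) | ((v << 8) & 0xff0000) | (v << 24) : v;
}

/* Inspect the first record of an in-memory pcap file; 0 on success, -1 if malformed. */
int inspect_first_frame(const uint8_t *buf, size_t len, struct wlan_view *out) {
    if (len < 40) return -1;                  /* 24-byte file + 16-byte record header */
    uint32_t magic = rd32(buf, 0);
    if (magic != 0xa1b2c3d4u && magic != 0xd4c3b2a1u) return -1;
    int swap = (magic == 0xd4c3b2a1u);        /* written on an opposite-endian host */
    out->linktype = rd32(buf + 20, swap);
    out->has_80211 = 0; out->type = out->subtype = -1; out->protected_frame = 0;
    uint32_t incl = rd32(buf + 32, swap);     /* captured length of record 1 */
    if (incl > len - 40) return -1;
    if (out->linktype != DLT_IEEE802_11 && out->linktype != DLT_PRISM_HEADER)
        return 0;                             /* e.g. Ethernet: no 802.11 layer to read */
    size_t skip = out->linktype == DLT_PRISM_HEADER ? PRISM_HDR_LEN : 0;
    if (incl < skip + 2) return -1;
    const uint8_t *fc = buf + 40 + skip;      /* 2-byte frame control field */
    out->has_80211 = 1;
    out->type = (fc[0] >> 2) & 0x3;
    out->subtype = (fc[0] >> 4) & 0xf;
    out->protected_frame = (fc[1] & 0x40) != 0;
    return 0;
}

/* Constructed sample (not a real capture): one-record pcap in host byte order. */
size_t make_sample(uint8_t *buf, uint32_t linktype, const uint8_t *frame, uint32_t n) {
    uint32_t g[6] = { 0xa1b2c3d4u, 0, 0, 0, 65535, linktype }, r[4] = { 0, 0, n, n };
    uint16_t ver[2] = { 2, 4 };
    memcpy(buf, g, 24); memcpy(buf + 4, ver, 4);
    memcpy(buf + 24, r, 16); memcpy(buf + 40, frame, n);
    return 40 + (size_t)n;
}
```

A capture taken in ordinary promiscuous mode reports the Ethernet link type and `has_80211` stays 0, which is why management frames and the protected bit never appear in it.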

