
Wireshark-users: [Wireshark-users] Problems with sniffing wifi traffic

From: Jürgen Strass <jrg718@xxxxxxx>
Date: Tue, 08 Apr 2008 13:42:14 +0200
Hello, I'm entirely new to wifi traffic sniffing. I've carefully read the FAQ, the corresponding wiki article, some mailings in the archives and several wiki pages at http://www.aircrack-ng.org. Nevertheless, there remain some open questions.

My wireless AP has a wired connection to a DSL router. I'm able to connect to the AP over wifi using two different client machines (laptops), one running Xubuntu Linux, the other running Windows. The network is WEP protected and the AP doesn't broadcast its SSID. I'd like to use the laptop running Linux (Zydas ZD1211b chip) to sniff the wireless traffic between the Windows laptop and the AP.

My first idea was to connect myself to the network in the usual way and then sniff on the wifi device using promiscuous mode. Wireshark successfully shows all the Ethernet packets entering and leaving my own machine, which includes broadcast packets sent to the whole network. So I'm also able to see the broadcast packets of the Windows client. I had expected that I could also see HTTP traffic from the Win client to the Internet, being forwarded by the (wired) DSL router. It doesn't work. Though I still don't fully understand why, I've read that this might have something to do with the AP and DSL router being switches. Is this true? But isn't the air like a big HUB in wifi networks? Anyhow, I've also tried to sniff without using promiscuous mode, because I read that this might cause problems with some cards. It doesn't work either.

The next idea I had was to disconnect from the network entirely and to put my card into monitor mode. As I've understood monitor mode, it should capture *all* packets "flying through the air". So I had expected this to be the solution. According to the wiki pages, I issued an "iwconfig iface mode monitor channel 11". Then I entered my WEP key into the Wireshark preferences dialog. I can see beacon packets from my own AP and from several APs in my surroundings. I'm also able to see my Windows client probing for the network and I can see TCP broadcast messages, ARP and such, successfully decrypted by Wireshark. But I still can't see any HTTP traffic from the Windows client. Again, I've tried to set and unset promiscuous mode on the card, using "ifconfig iface [-]promisc".

Somewhere in the FAQ and archives I read that some drivers filter all traffic that isn't directed to them, even when put into promiscuous mode. Does anybody know if this is the case for the ZD1211b? The only problem known to me with the ZyDAS chip is that it isn't capable of injecting packets. On the aircrack-ng page, no other problems are mentioned. But I have tried airodump-ng and Kismet, too. Neither seems to capture any HTTP packets from my Windows client.

Could anybody tell me please if I'm obviously doing something wrong?

Many greetings,
Jürgen
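Added example (not part of the original post, and not Wireshark or ZD1211 driver code) illustrating the receive-side filtering behind the question above: it parses constructed 802.11 MAC headers, applies the receiver-address (Address 1) filter that most managed-mode cards enforce whether or not the promiscuous flag is set, and flags which frames carry the Protected bit and therefore need the WEP key before Wireshark can show the payload. All MAC addresses are constructed placeholders.

```python
import struct

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _hex(mac): return bytes.fromhex(mac.replace(":", ""))

def build_frame(ftype, subtype, a1, a2, a3, to_ds=False, from_ds=False, protected=False):
    """Build a minimal 802.11 frame (MAC header + dummy body) for the constructed samples below."""
    flags = (0x01 if to_ds else 0) | (0x02 if from_ds else 0) | (0x40 if protected else 0)
    fc = (ftype << 2) | (subtype << 4) | (flags << 8)
    # frame control, duration, addr1..3, sequence control, then an 8-byte dummy body
    return struct.pack("<HH", fc, 0) + _hex(a1) + _hex(a2) + _hex(a3) + struct.pack("<H", 0) + b"\x00" * 8

def parse_header(frame):
    """Decode the header fields that decide who receives a frame and whether it is encrypted."""
    fc, = struct.unpack_from("<H", frame, 0)
    flags = fc >> 8
    to_ds, from_ds, protected = bool(flags & 0x01), bool(flags & 0x02), bool(flags & 0x40)
    a1, a2, a3 = _mac(frame[4:10]), _mac(frame[10:16]), _mac(frame[16:22])
    # Address 1 is always the receiver address (RA), the field the card filters on.
    if to_ds and from_ds:   # WDS: RA, TA, DA, SA
        da, sa = a3, _mac(frame[24:30])
    elif to_ds:             # station -> AP: RA is the BSSID, A2 the station, A3 the final target
        da, sa = a3, a2
    elif from_ds:           # AP -> station: RA is the station itself, A3 the original sender
        da, sa = a1, a3
    else:                   # management frames / ad hoc: RA is the destination, A2 the sender
        da, sa = a1, a2
    return {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF, "ra": a1, "da": da, "sa": sa,
            "to_ds": to_ds, "from_ds": from_ds, "protected": protected}

def delivered_in_managed_mode(hdr, own_mac):
    """Most managed-mode drivers hand up only frames whose RA is the card's own MAC or a group
    address, regardless of the promiscuous flag; monitor mode lifts that filter on the tuned channel."""
    is_group = int(hdr["ra"][:2], 16) & 0x01
    return hdr["ra"] == own_mac.lower() or bool(is_group)

# Constructed addresses standing in for the devices in the post (not real hardware).
AP, WIN, LINUX, ROUTER = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "cc:dd:ee:ff:00:11", "02:00:00:00:00:01"
SAMPLES = {
    "win_http_to_ap":   build_frame(2, 0, AP, WIN, ROUTER, to_ds=True, protected=True),
    "ap_http_to_win":   build_frame(2, 0, WIN, AP, ROUTER, from_ds=True, protected=True),
    "ap_arp_broadcast": build_frame(2, 0, "ff:ff:ff:ff:ff:ff", AP, WIN, from_ds=True, protected=True),
    "ap_beacon":        build_frame(0, 8, "ff:ff:ff:ff:ff:ff", AP, AP),
}

def visibility(frames=SAMPLES, own_mac=LINUX):
    """Per frame: does the Linux laptop's card see it in managed mode, and does decoding need the WEP key?"""
    return {name: {"managed_mode": delivered_in_managed_mode(parse_header(f), own_mac),
                   "needs_wep_key": parse_header(f)["protected"]} for name, f in frames.items()}
```

Running `visibility()` reproduces the observation in the post: only the broadcast ARP and the beacon pass the managed-mode filter, while both unicast HTTP frames are dropped before Wireshark ever sees them.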