Wireshark-users: Re: [Wireshark-users] Promiscuous mode on MacBook Pro
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 6 Jan 2010 15:54:05 -0800
On Jan 6, 2010, at 12:58 PM, Daniel Briley wrote:

> I'm attempting to use Wireshark to monitor WiFi traffic between my mobile phone and my local WiFi network. I'm using a MacBook Pro with OS 10.6.2 installed. I have Wireshark 1.2.5 (SVN Rev 31296). It's the MacOS package from the Wireshark site. I've installed the Chmod script which gives me access to /dev/bpf*. I'm assuming this is working correctly as I'm able to capture from the WiFi no problem. The issue I'm encountering is when I try and use promiscuous mode to monitor WiFi traffic from my mobile phone. Entering promiscuous mode in Wireshark seems to make no difference. I still only see broadcast, mulitcast and unicast traffic to and from my laptop. No other traffic is visible. Using the ifconfig terminal command I can confirm that the interface has the PROMISC flag added to it while Wireshark is capturing, so I was expecting it to work. Monitor mode also seems to work, but I only get low level 802.11 traffic from various SSIDs around me.


"3. What is the difference betwen monitor and promiscuous mode?

Monitor mode enables a wireless nic to capture packets without associating with an access point or ad-hoc network. This is desireable in that you can choose to "monitor" a specific channel, and you need never transmit any packets. In fact transmiting is sometimes not possible while in monitor mode (driver dependent). Another aspect of monitor mode is that the NIC does not care whether the CRC values are correct for packets captured in monitor mode, so some packets that you see may in fact be corrupted.

Promiscuous mode allows you to view all wireless packets on a network to which you have associated. The need to associate means that you must have some measn of authenticating yourself with an access point. In promiscuous mode, you will not see packets until you have associated. Not all wireless drivers support promiscuous mode."

In addition, if your network has any form of encryption (WEP, WPA/WPA2), while the adapter might be able to, in promiscuous mode, *capture* all traffic on your local network, it probably won't be able to *decrypt* it (that being the whole point of encrypting wireless traffic), and might well just drop those packets on the floor for that reason.

In monitor mode, it should see *all* the traffic - and decrypt none of it, if it's encrypted.  What happens if you capture with the capture filter "wlan data", to filter out all management and control frames?