Ethereal-users: Re: [Ethereal-users] Wireless sniffing - FreeBSD 4.5 + Cisco LMC352?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Chris Waters <chris@xxxxxxxxxxxx>
Date: Sat, 08 Jun 2002 21:55:25 -0700
Hi,

It's probable that most of the packets you are seeing contain errors. In
promiscuous mode some cards (PRISM cards for example) capture all packets,
even those with FCS errors. Corrupted headers can easily cause the packets
to be confused for LLC packets and so Ethereal mistakenly decodes them as
such. This is something I have observed quite frequently. If the packets are
corrupt it probably means that you are beyond the range of the
communication. It is possible to pick up frames far beyond the distance that
it is possible to associate with an AP.

From the sound of it, you are closer to the AP you are sniffing than you
are to the station, which is why the beacons do not appear corrupt.

Regards,

Chris.


----- Original Message -----
From: "Rick Farina" <sidhayn@xxxxxxxxxxxxxxxxxxx>
To: "an ethereal user" <ethereal@xxxxxxxxxxx>; <ethereal-users@xxxxxxxxxxxx>
Sent: Saturday, June 08, 2002 9:18 PM
Subject: Re: [Ethereal-users] Wireless sniffing - FreeBSD 4.5 + Cisco LMC352?


> as a fellow stumbler who wonders the same:
>
> The solution I have convinced myself of is that any packet with the 802.11
> header and obvious tcp/ip data is called LLC unless it can be further
> decoded.  Assume that since it's a wireless connection, you aren't getting
> the strongest signal and are losing parts of the packet.  So it only shows
> as LLC.  Mind you, I have NO idea if this even resembles something
> possible, let alone probable.  Like I said, I merely convinced myself that
> was the
> cause.
>
> In response to Joe:
>
> Is that what you see?  What kind of APs are you sniffing that you see
> encrypted data as LLC?  I know that Cisco shows as "IEEE 802.11 Data" for
> me.
>
> -Rick Farina
>
> ----- Original Message -----
> From: "an ethereal user" <ethereal@xxxxxxxxxxx>
> To: <ethereal-users@xxxxxxxxxxxx>
> Sent: Friday, June 07, 2002 10:08
> Subject: [Ethereal-users] Wireless sniffing - FreeBSD 4.5 + Cisco LMC352?
>
>
> Howdy all...
>
> I have installed FreeBSD 4.5 on an old Compaq Armada for use as a
> wireless sniffer.  I've been able to get my Cisco Aironet LMC352 into
> monitor mode, ethereal 0.9.4 seems to talk to it, and I've also been
> able to "stumble" with Kismet.
>
> The problem:  Ethereal doesn't decode the data packets properly.  All
> packets that are not beacons or probes show up as "LLC" protocol
> packets.  I've sniffed a web session from my other laptop and I saw the
> URL and HTML in these "LLC" packets, so I know that my sniffer is
> seeing 3rd party traffic, but I'd like to be able to see the high-level
> protocol (IP, TCP) info, not just raw strings.
>
> (for the record)
> # ethereal -v
> ethereal 0.9.4, with GTK+ 1.2.10, with GLib 1.2.10, with libpcap 0.7,
> with libz 1.1.3, with UCD SNMP 4.2.5
>
> Card type: Cisco LMC352
> Hardware revision: 00:22
> Firmware: 04:23
>
> If anyone else out there in TV land has had similar experiences, I'd
> like to trade info.
>
>
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
>
>
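
The reply above attributes the bogus "LLC" decodes to frames captured with FCS errors. The following is an added example, not code from any of the posters or from Ethereal: it recomputes the 802.11 FCS (CRC-32) and shows how a single flipped bit in the frame control field turns a beacon into something that reads as a data frame. It assumes the capture keeps the trailing 4-byte FCS; both frames are constructed samples.

```python
import struct
import zlib

TYPES = {0: "management", 1: "control", 2: "data", 3: "reserved"}

def append_fcs(mpdu: bytes) -> bytes:
    """Append the 802.11 FCS: CRC-32 of the frame, least significant byte first."""
    return mpdu + struct.pack("<I", zlib.crc32(mpdu) & 0xFFFFFFFF)

def fcs_ok(frame: bytes) -> bool:
    """Recompute the CRC-32 over everything but the last 4 bytes and compare."""
    return len(frame) > 4 and append_fcs(frame[:-4]) == frame

def frame_type(frame: bytes) -> str:
    """Type from bits 2-3 of the first frame control byte, as a dissector reads it."""
    return TYPES[(frame[0] >> 2) & 0x3]

def triage(frames):
    """Return (type, verdict) per frame; only 'good' frames are worth dissecting."""
    return [(frame_type(f), "good" if fcs_ok(f) else "bad FCS") for f in frames]

# Constructed sample: a beacon header (frame control 0x80 0x00, duration,
# broadcast destination, made-up source and BSSID, sequence control) plus a
# dummy 12-byte body, with a valid FCS appended.
BEACON = append_fcs(
    bytes.fromhex("8000" "0000" "ffffffffffff" "020000000001" "020000000001" "0000")
    + b"\x00" * 12
)
# The same frame with one bit flipped in frame control (0x80 -> 0x88), as a
# marginal signal might deliver it: the type bits now read "data".
CORRUPT = bytes([BEACON[0] ^ 0x08]) + BEACON[1:]

if __name__ == "__main__":
    for verdict in triage([BEACON, CORRUPT]):
        print(verdict)
```

Dropping or flagging the "bad FCS" frames before dissection keeps corrupted headers from being decoded as if they were valid data frames.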