ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
April 17th, 2024 | 14:30-16:00 SGT (UTC+8) | Online
Wireshark logo

Wireshark-users: Re: [Wireshark-users] I see no captured packets at all

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "Small, James" <JSmall@xxxxxxxxxxxxxx>
Date: Tue, 2 Jan 2007 15:14:14 -0500
Hans,

That's an interesting idea.  I just tried it under XP SP2 (two laptops
on same AP, same SSID/channel).  However, even after disabling
gratuitous ARPs, I could not get both laptops to associate to the same
SSID on the same AP when I set the second monitoring laptop to have the
same MAC (tried with same IP, different IPs and didn't work).  As soon
as a second laptop/client associates with the same MAC, the first
laptop/client would get knocked off.

Perhaps this has something to do with the underlying 802.11 "management"
frames and my Cisco AP which I can't see because I have not yet got
AirPcap.  But it's on my list now!

I probably just have to spend some time reading through the 802.11 specs
- I'm sure it's my not understanding enough about how the underlying
"media-type" works.

--Jim

> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-
> bounces@xxxxxxxxxxxxx] On Behalf Of Hans Nilsson
>
> Maybe you could change the MAC-address of the Wireless card (or
bridge?)
> to the MAC-address of the gateway in the network? That way your NIC
will
> accept all traffic going to and from the gateway (and you because you
> have the same MAC-address). Because the MAC-adress in those packets is
> the same as your MAC-address it'll accept the packets. Although there
> migh be some conflicts, maybe you could also turn off ARP on your
> computer so it doesn't confuse the rest of the network.
> 
> 
> On Tue, 2 Jan 2007 09:17:29 -0500, "Small, James"
> <JSmall@xxxxxxxxxxxxxx> said:
> > Yep--that's it.  Thanks Guy.
> >
> > Also, just for the record, I tried capturing under WinPcap under XP,
SP2
> > both using the Microsoft Bridge and just using my wireless adapter
in
> > non-promiscuous mode (Intel Pro Wireless 2200BG built-in to a Dell
> > Latitude D610).
> >
> > My particular wireless card will only capture if I don't enable
> > promiscuous mode.  Interestingly enough, if I don't have the
Microsoft
> > Bridge installed with the wireless card as a bridge adapter, then I
> > won't see multicast traffic groups that my host didn't join (in
other
> > words I don't see most multicast traffic).  Once I setup the
Microsoft
> > Bridge, then I can capture normally (using promiscuous mode) using
the
> > bridge and all multicast traffic shows up using either the bridge or
the
> > wireless card (although still must capture on wireless card with
> > promiscuous mode off).
> >
> > Note that in any case, I can not see non-broadcast/non-multicast
traffic
> > which is not destined to my wireless card.  For this you would need
the
> > AirPcap adapter.
> >
> > --Jim
> >
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube