networking - Wireless Card that supports promiscuous mode in Windows 7

  • JPC

    I'm trying to use wireshark to learn a bit about networking and capturing packets. However, from what I understand, the combination of windows 7 + various wifi chips don't allow the network card to operate in "promiscuous mode". Has anyone had any experience getting this to work?

  • Answers
  • Spiff

    Beware of terminology difficulties here.

    Promiscuous mode is a concept that originated on wired Ethernet, where you have your card show you all the traffic your hub is repeating onto your port, even if it's not addressed to you. Many (but not all) Wi-Fi cards support promiscuous mode, in a way that looks a lot like Ethernet promiscuous mode; it shows only the "data" frames, only on your current network (same BSSID), and it shows them after they've been translated into wired-Ethernet-style packets (Ethernet-II or 802.3 framing). The idea is to make it look just like the same traffic you'd see on a wired Ethernet interface in promiscuous mode, for the sake of network engineers that want to look at things at that level.

    802.11 monitor mode is a kind super-promiscuous mode for 802.11 cards. In full monitor mode, the card is tuned to a channel and shows all the packets it can receive on that channel, no matter what. If there are other Wi-Fi networks in range on that channel, it shows you the frames from those other networks as well. It shows not only the data frames you'd see on wired Ethernet, but also the 802.11-specific "Management" (Beacon, Probe, Auth, Assoc, Action, etc.) and "Control" (Ack, RTS, CTS, PS-poll, etc.) frames as well. And it shows them untranslated, with their full 802.11-style headers.

    Full 802.11 monitor mode support is harder to find in consumer Wi-Fi cards, and where it exists, it is often buggy.

    Many 802.11 professionals end up opting to buy a CACE Technologies (Wireshark's corporate sponsor) "AirPcap" USB wireless card for this, since they are designed from the ground up to be great 802.11 monitor mode cards for use with Wireshark.

    It's also important to note that there are really only a few Wi-Fi chipset vendors out there, and all the card makers use chips from those few vendors. The biggest vendors are Broadcom, Atheros, Marvell, and Intel, and there are several smaller lesser-known vendors such as Ralink. Of those, Atheros has long been the best chipset vendor for monitor-mode support, and open source support. You might check the Linux Wi-Fi driver community to find out which cards use Atheros chips and support the "Madwifi" driver well, and then pick one of those; they're more likely to have a Windows driver that supports monitor mode well.

  • Related Question

    networking - How to sniff for wireless MAC addresses in area - My laptop got stolen
  • infinity

    A few days ago my apartment got broken in, and they took all the electronics, including my $1500 laptop.

    We are pretty sure it's an inside job (as in someone from the same building), so I believe that the stuff is in someones apartment.

    Is there any tool that tells you what wireless adapters are active within range? I have my laptops MAC address, so I could use that to find out who stole it. I think it's worth a shot.

    Any help is appreciated thanks!

  • Related Answers
  • 8088

    Fire up Backtrack if you haven't already. Since you're not after traffic - just the level 2 address - this should be easy.

    First, start airodump-ng and with the command

    airodump-ng  --berlin 60 <wireless interface here>

    You'll get a screen that looks like:


    In the area marked client there is a column describing power in decibels (i.e. the more positive the number the better.

    Second, walk around until you see your target MAC pop up on the screen in the client area.

    Third, continue walking around using the strength readout to home in on the laptop.

    Note: this is by no means incredibly accurate or guaranteed to work at all.

  • ldigas

    MAC address is changeable, quite easily actually.

    But, I guess you could always try with netstumbler, ethereal, or something alike.

  • jrg

    I know that KisMac (a Mac OS X app, that can passively sniff Wireless networks) will show all wireless MACs that have associated with any base station that it can see traffic from [though it also sometimes shows the MAC of the host you're sniffing with], so I suspect that most of the other common wireless LAN tools can do it too.

    (Be sure that you're looking for your laptop's wireless MAC!)

  • ChrisF

    The tools mentioned in ldigas' answer are the way to go (netstumbler, ethereal)

    The trick is finding out exactly where near you he (or she) may be. That takes strong signal strength analysis and triangulation.

    What you should do is tell the police if you find the address. They can then do the legal legwork to find out where they are connecting to and back track them. Let them do their job (hopefully). At a minimum make sure the MAC address is in the police report.