7

I'm connected to my WiFi network and I want to capture and analyze packets that other clients are exchanging with the gateway. I don't want to modify the content of these packets and I don't need to read the content of every packet.

Actually, the wlan configuration is the following:

  • a router 192.168.1.1
  • the laptop that I'm using to sniff traffic 192.168.1.9
  • my smartphone 192.168.1.2

so I want to be able to see (part of) the traffic between my smartphone and the router.


To achieve the goal I set the wireless interface in promiscuous mode with sudo ip link set wlo1 promisc on and I check if it is enabled with netstat -i:

Kernel Interface table
Iface      MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
enp8s0    1500   0   28962      0      1      0    22923      0      0      0 BMU
lo       65536   0    7294      0      0      0     7294      0      0      0 LRU
wlo1      1500   0   29469      0      0      0    12236      0      0      0 BMPRU

The P in the flag column indicates promiscuous mode, so I'm assuming it is enabled. Since promiscuous mode is on, I should see all the traffic that my NIC can capture. Then I open Wireshark and start capturing traffic on the wlo1 interface, but I don't see any packets from source 192.168.1.2, even though I'm surfing the net with my smartphone (so I'm generating traffic).

What am I doing wrong?

EDIT: I found the issue.

The interface is still in managed mode. I tried to manually add a new interface. iw phy phy0 info tells me that my NIC supports monitor mode, but if I try to add a new interface with sudo iw phy phy0 interface add mon0 type monitor I get the following:

blackbrain@blackbrain-host:~$ iw dev
phy#0
    Interface mon0
        ifindex 5
        wdev 0x3
        addr 34:68:95:03:48:17
        type managed
    Interface wlo1
        ifindex 3
        wdev 0x1
        addr 34:68:95:03:48:17
        type managed
        channel 7 (2442 MHz), width: 20 MHz, center1: 2442 MHz

Both interfaces are in managed mode.

Any idea?

  • Have you looked through [related questions on this site](https://security.stackexchange.com/search?q=wireshark+promiscuous)? There is lots about this topic – Neil Smithline Jun 05 '16 at 20:09
  • I edited my question. –  Jun 05 '16 at 20:37
  • Why are you trying monitor mode at the bottom of the question when you were previously talking about promiscuous mode? Also, Wireshark has an option to automatically enable promiscuous mode on the capture interfaces. – multithr3at3d Jun 05 '16 at 23:22

2 Answers

1

To answer the subject line question, "Is promiscuous mode sufficient to sniff packets in a wifi network?", the answer is yes, catching the packets just requires a network adapter that can be put into "monitor" or "promiscuous" mode, i.e. both modes work... that part isn't that hard. (You mentioned both modes in your edit.) This is assuming you are using a NAT router in conjunction with a DHCP server... and you are, right?

I admit all I've learned about networking has not been through school but, this being the scenario, I have a feeling the network switch might be an issue?

I've been drinking wine too, lol, but at my old place in Victoria, if you plugged into a port on my router, you would see NO traffic that I sent to the Internet. That is because the network switch knew where to send the traffic, and it only sent the traffic between the ports that needed to see it.

Alternatively, but more towards your question, if you looked at my wireless you would have no idea what I'm doing. The switch only passes on Broadcast Traffic or Traffic to where it doesn't know the destination to all ports. Then the Wireless, which is a Bridge, will only pass on to Wireless what NEEDS to be sent to the Wireless part of the bridge.

That being said there are several methods of SNIFFING a switch, using either a Man-in-the-middle attack or port flooding.

Anyway, it's not sniffing the packets but more about deciphering, understanding, and making use of the traffic that is intercepted, which is an art form in and of itself. You mentioned you wanted to analyze the packets, too... It's rather difficult, and in a few cases, it just isn't practical to be done. I mean, to really analyze, it's beyond the skill level of the majority of users, although I'm sure there are some geniuses on Stack Exchange you should be having a beer with.

Best of luck in your learning experiences!

0

No, promiscuous mode is not sufficient to sniff packets on a wireless network, and will have very little effect. See this answer for the low-level details.

What you need instead is monitor mode. Monitor mode allows your network card to receive all wireless frames on the current channel.

The command you ran should work:

iw phy phy0 interface add mon0 type monitor

Was there any error output or messages in dmesg? You can also try this to achieve the same effect:

iw dev wlo1 interface add mon0 type monitor

Alternatively, if you can't seem to create a monitor-mode vif and you're sure the card supports the mode, try setting the existing vif to monitor mode:

ip link set down wlo1
iw dev wlo1 set monitor none
ip link set up wlo1

Of course, with this mode, you will lose your current wireless connection since you no longer have a vif in managed mode. However, this should give you the most flexibility since you will be able to change the channel freely.

multithr3at3d
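A check that separates the two states discussed in this thread (the promiscuous flag set on a managed interface versus an interface that is actually in monitor mode), as an added example that is not part of the original posts. It reads the Linux sysfs `type` and `flags` files rather than parsing `iw` output; the sample tree and the interface name `mon1` are constructed, with `wlo1` and `mon0` set up to mirror the states shown in the question.

```shell
#!/bin/sh
# Added example (not from the original posts). ARPHRD_* and IFF_PROMISC values
# come from the Linux UAPI headers; the sample tree below is constructed.

# link_mode IFACE [SYSROOT] prints: monitor | promisc-managed | managed | missing
link_mode() {
    dir="${2:-/sys/class/net}/$1"
    if [ ! -r "$dir/type" ] || [ ! -r "$dir/flags" ]; then
        echo missing
        return 1
    fi
    ltype=$(cat "$dir/type")    # ARPHRD_* link-layer type (1 = Ethernet-style)
    flags=$(cat "$dir/flags")   # hex IFF_* bitmask

    case "$ltype" in
        801|802|803)            # raw 802.11, Prism header, radiotap header
            echo monitor
            return 0 ;;
    esac
    if [ $(( $flags & 0x100 )) -ne 0 ]; then   # IFF_PROMISC, netstat's "P" flag
        echo promisc-managed
    else
        echo managed
    fi
}

# make_sample_tree DIR: constructed stand-in for /sys/class/net.
#   wlo1  promiscuous flag set, still an Ethernet-type (managed) link
#   mon0  created as "monitor" but still reporting a managed link type
#   mon1  hypothetical interface that really is in monitor mode (radiotap)
make_sample_tree() {
    for spec in wlo1:1:0x1103 mon0:1:0x1002 mon1:803:0x1003; do
        name=${spec%%:*}
        rest=${spec#*:}
        mkdir -p "$1/$name"
        echo "${rest%%:*}" > "$1/$name/type"
        echo "${rest#*:}" > "$1/$name/flags"
    done
}

# report SYSROOT: one line per interface, e.g. `report /sys/class/net`
report() {
    for d in "$1"/*/; do
        i=$(basename "$d")
        printf '%-8s %s\n' "$i" "$(link_mode "$i" "$1")"
    done
}
```

Only an interface reported as `monitor` hands 802.11 frames from other stations to a capture tool; `promisc-managed` is the state the question's `netstat -i` output describes.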