How to set NIC in promiscuous mode on MacBook Air?

1

1

I am trying to run my NIC on Mac OS X in promiscuous mode and then use tshark / tcpdump.

Option1:

 ifconfig en0 promisc

but I get this message:

ifconfig: promisc: bad value

Option 2:

I tried sudo tcpdump -In -i en0 host 10.0.0.2 and it didn't work either. I followed: tcpdump promiscuous mode on OSX 10.8. 10.0.0.2 is my local host, and it prints nothing to bash:

tcpdump: listening on en0, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 65535 bytes
^C
0 packets captured
99 packets received by filter
0 packets dropped by kernel

0x90

Posted 2013-04-29T20:51:10.817

Reputation: 170

Answers

2

TShark and tcpdump will put the interface into promiscuous mode unless you tell them NOT to do so with the -p flag - -p doesn't mean "promiscuous mode", it means "not promiscuous mode".

-I turns on monitor mode.

Note that if you're on a "protected" network using encryption, i.e. a network using WEP or WPA/WPA2, capture filters other than at the link layer won't work, because the packets being handed to the packet capture mechanism (BPF, in the case of OS X) do not have the payload decrypted. This means a filter such as "host 10.0.0.2" won't work.

user164970

Posted 2013-04-29T20:51:10.817

Reputation:

What do you mean by BPF do not have the payload decrypted? The key is identical for all the hosts in the network. – 0x90 – 2013-04-30T04:10:05.430

1

I mean that the OS will not decrypt the packets before handing them to the code that implements filters, even though it will decrypt packets sent to the host (but not packets sent to some other host) before handing them to the networking stack. Therefore, any filter expression that looks at the IP layer, such as "host 10.0.0.2", will fail. – None – 2013-04-30T07:11:41.673

So how can I sniff the packets? – 0x90 – 2013-04-30T07:35:26.107

2

If you're on a WEP or WPA/WPA2 network: don't use a capture filter, make sure you capture the initial EAPOL handshakes for all hosts you care about if it's a WPA/WPA2 network, and follow these directions in Wireshark (or manually add the keys to your Wireshark preferences file if you can only use TShark).

– None – 2013-04-30T08:31:02.997
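
The point made in the answer above, as an added example that is not part of the original posts: a simplified model (not libpcap's generated filter code) of why "host 10.0.0.2" matches nothing on protected monitor-mode frames while a link-layer address match still works. All function names are hypothetical and the frames are constructed samples.

```python
import socket
import struct

LLC_SNAP_IPV4 = bytes.fromhex("aaaa03000000") + b"\x08\x00"  # SNAP header, EtherType IPv4

def parse_monitor_frame(pkt):
    """Parse one radiotap + 802.11 record (link-type IEEE802_11_RADIO)."""
    if len(pkt) < 8 or pkt[0] != 0:
        raise ValueError("not a radiotap record")
    rt_len = struct.unpack_from("<H", pkt, 2)[0]    # radiotap length, little-endian
    dot11 = pkt[rt_len:]
    if len(dot11) < 24:
        raise ValueError("too short for a data frame header")
    fc0, fc1 = dot11[0], dot11[1]
    is_data = ((fc0 >> 2) & 0x3) == 2
    # ToDS and FromDS both set means a fourth address follows the header.
    hdr_len = 24 + (6 if (fc1 & 0x03) == 0x03 else 0)
    if is_data and fc0 & 0x80:      # QoS data subtypes add a 2-byte QoS Control
        hdr_len += 2                # (HT Control field not handled: assumption)
    return {"is_data": is_data,
            "protected": bool(fc1 & 0x40),                  # Protected Frame bit
            "macs": {dot11[o:o + 6] for o in (4, 10, 16)},  # never encrypted
            "body": dot11[hdr_len:]}

def host_filter_matches(pkt, ip):
    """Simplified model of an IP-layer filter such as "host 10.0.0.2"."""
    f = parse_monitor_frame(pkt)
    if not f["is_data"] or f["protected"]:
        return False                # body is ciphertext: no readable IP header
    body = f["body"]
    if len(body) < 28 or body[:8] != LLC_SNAP_IPV4:
        return False
    return socket.inet_aton(ip) in (body[20:24], body[24:28])  # IPv4 src, dst

def mac_filter_matches(pkt, mac):
    """Link-layer filter: works on protected frames too."""
    return bytes.fromhex(mac.replace(":", "")) in parse_monitor_frame(pkt)["macs"]

# Constructed sample frames (not from a real capture).
RADIOTAP = bytes.fromhex("0000080000000000")        # minimal 8-byte radiotap header
ADDRS = bytes.fromhex("020000000001" "0200000000aa" "0200000000bb")
IPV4 = (bytes.fromhex("450000140000000040000000")   # header fields, checksum left 0
        + socket.inet_aton("10.0.0.2") + socket.inet_aton("10.0.0.1"))

def sample(protected):
    fc = bytes([0x08, 0x41 if protected else 0x01])  # data frame, ToDS (+ Protected)
    body = LLC_SNAP_IPV4 + IPV4
    if protected:                   # stand-in for CCMP header + encrypted payload
        body = bytes(8) + bytes(b ^ 0x5A for b in body)
    return RADIOTAP + fc + b"\x00\x00" + ADDRS + b"\x00\x00" + body
```

Calling `host_filter_matches(sample(True), "10.0.0.2")` returns False even though the same packet unprotected matches, which is why the capture has to be taken unfiltered and the IP-level selection applied after decryption.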