Ethereal-users: Re: [Ethereal-users] Wireless sniffing - FreeBSD 4.5 + Cisco LMC352?
Can you attach a small saved trace that has this behaviour? Perhaps a trace
from your own AP would be best :-). It does sound like something is not
working properly for you because when I am in range, I always see correct
decodes. Note that some packets may correctly contain LLC headers, but if
Ethereal can decode the contents and the last decoded protocol will show in
the information field on the display.
Regards,
Chris.
----- Original Message -----
From: "an ethereal user" <ethereal@xxxxxxxxxxx>
To: <ethereal-users@xxxxxxxxxxxx>
Sent: Sunday, June 09, 2002 10:51 AM
Subject: Re: [Ethereal-users] Wireless sniffing - FreeBSD 4.5 + Cisco
LMC352?
> I could see this as THE reason if it were only a few packets here and
there,
> but EVERY packet, regardless of the source, comes back as a "LLC" type.
> I've been sniffing several different sources at varying distances, and
each
> one has produced the same result.
>
> 1 - A linksys WAP-11 that's about 2 feet from my sniffer
> 2- A Netgear (?) that's about 20 feet away in a neighbor's house (yes, he
> knows)
> 3- ~20-30 Cisco APs spread over a college campus
>
> I'm starting to analyze the packets manually [thank you Richard Stevens
> :-) ] and I might write a custom filter/decoder.
>
> ----- Original Message -----
> From: "Chris Waters" <chris@xxxxxxxxxxxx>
> To: "Rick Farina" <farinard@xxxxxxxxxx>; "an ethereal user"
> <ethereal@xxxxxxxxxxx>; <ethereal-users@xxxxxxxxxxxx>
> Sent: Sunday, June 09, 2002 12:55 AM
> Subject: Re: [Ethereal-users] Wireless sniffing - FreeBSD 4.5 + Cisco
> LMC352?
>
>
> > Hi,
> >
> > It's probable that most of the packets you are seeing contain errors. In
> > promiscuous mode some cards (PRISM cards for example) capture all
packets,
> > even those with FCS errors. Corrupted headers can easily cause the
packets
> > to be confused for LLC packets and so Ethereal mistaken decodes them as
> > such. This is something I have observed quite frequently. If the packets
> are
> > corrupt it probably means that you are beyond the range of the
> > communication. It is possible to pick up frames far beyond the distance
> that
> > it is possible to associate with an AP.
> >
> > >From the sound of you, you are closer to the AP you are sniffing than
you
> > are to the station, which is why the beacons do not appear corrupt.
> >
> > Regards,
> >
> > Chris.
> >
> >
> > ----- Original Message -----
> > From: "Rick Farina" <sidhayn@xxxxxxxxxxxxxxxxxxx>
> > To: "an ethereal user" <ethereal@xxxxxxxxxxx>;
> <ethereal-users@xxxxxxxxxxxx>
> > Sent: Saturday, June 08, 2002 9:18 PM
> > Subject: Re: [Ethereal-users] Wireless sniffing - FreeBSD 4.5 + Cisco
> > LMC352?
> >
> >
> > > as a fellow stumbler who wonders the same:
> > >
> > > The solution I have convinced myself of is that any packet with the
> 802.11
> > > header and obvious tcp/ip data is called LLC unless it can be further
> > > decoded. Assume that since it's a wireless connection, you aren't
> getting
> > > the strongest signal and are losing parts of the packet. So it only
> shows
> > > as LLC. Mind you, I have NO idea if this even resembles something
> > possible,
> > > let alone probable. Like I said, I merely convinced myself that was
the
> > > cause.
> > >
> > > In response to Joe:
> > >
> > > is that what you see? What kind of AP's are you sniffing that you see
> > > encrypted data as LLC? I know that cisco shows as "IEEE 802.11 Data"
> for
> > > me.
> > >
> > > -Rick Farina
> > >
> > > ----- Original Message -----
> > > From: "an ethereal user" <ethereal@xxxxxxxxxxx>
> > > To: <ethereal-users@xxxxxxxxxxxx>
> > > Sent: Friday, June 07, 2002 10:08
> > > Subject: [Ethereal-users] Wireless sniffing - FreeBSD 4.5 + Cisco
> LMC352?
> > >
> > >
> > > Howdy all...
> > >
> > > I have installed FreeBSD 4.5 on an old Compaq Armada for use as a
> > > wireless sniffer. I've been able to get my Cisco Aironet LMC352 into
> > > monitor mode, ethereal 0.9.4 seems to talk to it, and I've also been
> > > able to "stumble" with Kismet.
> > >
> > > The problem: Ethereal doesn't decode the data packets properly. All
> > > packets that are not beacons or probes show up as "LLC" protocol
> > > packets. I've sniffed a web session from my other laptop and I saw
the
> > > URL and HTML in these "LLC" packets, so I know that my sniffer is
> > > seeing 3rd party traffic, but I'd like to be able to see the
high-level
> > > protocol (IP, TCP) info, not just raw strings.
> > >
> > > (for the record)
> > > # ethereal -v
> > > ethereal 0.9.4, with GTK+ 1.2.10, with GLib 1.2.10, with libpcap 0.7,
> > > with libz 1.1.3, with UCD SNMP 4.2.5
> > >
> > > Card type: Cisco LMC352
> > > Hardware revision: 00:22
> > > Firmware: 04:23
> > >
> > > If anyone else out there in TV land has had similar experiences, I'd
> > > like to trade info.
> > >
> > >
> > > _______________________________________________
> > > Ethereal-users mailing list
> > > Ethereal-users@xxxxxxxxxxxx
> > > http://www.ethereal.com/mailman/listinfo/ethereal-users
> > >
> > >
> > >
> > > _______________________________________________
> > > Ethereal-users mailing list
> > > Ethereal-users@xxxxxxxxxxxx
> > > http://www.ethereal.com/mailman/listinfo/ethereal-users
> > >
> >
> >
> > _______________________________________________
> > Ethereal-users mailing list
> > Ethereal-users@xxxxxxxxxxxx
> > http://www.ethereal.com/mailman/listinfo/ethereal-users
> >
> >
>
>
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
>