Ethereal-users: Re: [Ethereal-users] Wireless?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Wed, 26 May 2004 20:04:27 -0700
On Wed, May 26, 2004 at 09:59:22AM +0200, Jaume Ramis Bibiloni wrote:
> I would like to know if there is any possibility of using Ethereal to
> capture and analyze ieee802.11 packets.

It can analyze 802.11 packets.

Whether it can capture them depends on the OS on which you're running,
and on what you mean by "ieee802.11 packets".

On most OSes that support 802.11 interfaces, the drivers and networking
code used by the mechanism that libpcap/WinPcap uses to capture packets
(libpcap is the library Ethereal uses to capture packets on UN*X;
WinPcap is libpcap ported to Windows, and Ethereal uses that on Windows)
support capturing 802.11 packets to some degree.  However, it's not
always the case that

	1) you capture any 802.11 packets other than data packets (i.e.,
	   you might not be able to capture control or management
	   packets);

	2) the packets will look like 802.11 packets rather than fake
	   Ethernet packets;

	3) you'll be able to capture in "monitor mode"/"rfmon mode" - the
	   Kismet FAQ at

		http://www.kismetwireless.net/documentation.shtml

	   says:

		Q: Why is rfmon different from promiscuous mode, and why can't
		you just use promisc?

		A: In the wired world, promiscuous mode turns off the filtering
		mechanism in your network card, causing it to pass all packets
		to the operating system.  With most drivers, it means the same
		thing in the wireless world, -BUT- it only applies to the
		network you are currently associated with, and it only passes
		the packets as 802.3/Ethernet-II.  This means no 802.11 headers,
		no 802.11 management frames, and nothing from networks other
		than the one you're associated with.

		Rfmon is a special mode that reports all packets the wireless
		card sees, including management packets and packets from any
		network the radio can see.

	   (Actually, on some UN*Xes, it might be possible to see the
	   packets as 802.11 in promiscuous mode, with 802.11 headers,
	   but you won't necessarily be able to see management frames
	   and probably won't be able to see frames from networks other
	   than the one with which you're associated.)

	4) in promiscuous mode, you'll be able to see traffic sent by
	   your machine.

On Windows, *none* of the first three are the case, and 4) might not be
the case either with some (perhaps all) drivers.

On recent versions of FreeBSD (5.2 and later) and Linux, with some
drivers, all of them might be the case.  See the somewhat out-of-date
FAQ for Ethereal on this topic:

	http://www.ethereal.com/faq.html#q5.36

(if somebody has updates to contribute, e.g. for Linux drivers not
mentioned, for later versions of Linux drivers, for FreeBSD 5.2 and
later with the drivers supporting all the shiny new 802.11 stuff
including DLT_IEEE802_11 and monitor mode - that also might apply to
NetBSD-current - and also updates giving more details on how to turn
monitor mode on for Linuxes where the wireless extensions let you do
it), as well as the "Capture Sources" section of

	http://www.kismetwireless.net/documentation.shtml

although note that Kismet turns monitor mode on itself - libpcap doesn't
offer any API to do that, so Ethereal doesn't do it for you, and you'd
have to do it yourself from the command line).

As Chris Waters notes, on those OSes that *don't* support it, you can
use Network Chemistry's devices to capture them.
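The quickest way to find out which of cases 1) and 2) above applies to a capture you already have is to look at the pcap file's link-layer type and, if it is DLT_IEEE802_11, at the frame control field of each frame. The following Python script is an added example, not code from the original post or from Ethereal/libpcap: it parses a classic pcap file, reports whether the frames are 802.11 (DLT_IEEE802_11, value 105) or "fake Ethernet" (DLT_EN10MB, value 1), and counts management/control/data frames so you can tell a monitor-mode capture from a data-only one. The two sample captures at the bottom are constructed in-line (made-up BSSID and station addresses) so the script runs offline.

```python
"""Check what a wireless pcap really contains: 802.11 frames or fake
Ethernet, and whether management/control frames are present at all.

Added example, not part of the original mailing-list post or of Ethereal.
Link-type numbers are the standard libpcap values; the sample captures
at the bottom are constructed here and are not real traffic.
"""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
DLT_EN10MB = 1          # Ethernet: what "promiscuous mode" drivers hand you
DLT_IEEE802_11 = 105    # raw 802.11 frames with 802.11 headers

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}


def parse_pcap(data: bytes):
    """Return (linktype, [frame bytes, ...]) from a classic pcap file."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # same magic, written big-endian
        endian = ">"
    else:
        raise ValueError("not a pcap file (bad magic)")
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    frames, off = [], 24
    while off + 16 <= len(data):
        # record header: ts_sec, ts_usec, incl_len, orig_len
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet record")
        frames.append(frame)
        off += incl_len
    return linktype, frames


def classify_80211(frame: bytes):
    """Return (type name, subtype) from the 802.11 frame control field.

    First byte, LSB first: bits 0-1 version, bits 2-3 type, bits 4-7 subtype.
    """
    if len(frame) < 2:
        raise ValueError("frame too short for a frame control field")
    fc = frame[0]
    return FRAME_TYPES.get((fc >> 2) & 0x3, "reserved"), (fc >> 4) & 0xF


def summarize(data: bytes) -> dict:
    """Summarize a pcap: link type, frame count and 802.11 type counts."""
    linktype, frames = parse_pcap(data)
    s = {"linktype": linktype, "packets": len(frames),
         "management": 0, "control": 0, "data": 0}
    if linktype == DLT_EN10MB:
        s["looks_like"] = "fake Ethernet: no 802.11 headers, no management/control frames"
        return s
    if linktype != DLT_IEEE802_11:
        s["looks_like"] = "unhandled link type %d" % linktype
        return s
    for frame in frames:
        name, _ = classify_80211(frame)
        if name in s:
            s[name] += 1
    if s["management"] or s["control"]:
        s["looks_like"] = "802.11 with management/control frames (monitor mode)"
    else:
        s["looks_like"] = "802.11 headers, but data frames only"
    return s


def _pcap(linktype: int, frames) -> bytes:
    """Build a little-endian pcap file around the given frames (constructed)."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, linktype)
    recs = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return hdr + recs


# Constructed sample frames; addresses are made up.
BSSID = bytes.fromhex("00112233aabb")
STA = bytes.fromhex("0022334455cc")
BEACON = b"\x80\x00\x00\x00" + b"\xff" * 6 + BSSID + BSSID + b"\x10\x00" + b"\x00" * 12
RTS = b"\xb4\x00\x20\x00" + BSSID + STA
DATA = b"\x08\x01\x2c\x00" + BSSID + STA + BSSID + b"\x20\x00" + b"\xaa\xaa\x03\x00\x00\x00\x08\x00"
ETH = STA + BSSID + b"\x08\x00" + b"\x45\x00" + b"\x00" * 18

MONITOR_CAPTURE = _pcap(DLT_IEEE802_11, [BEACON, RTS, DATA])   # what rfmon gives you
PROMISC_CAPTURE = _pcap(DLT_EN10MB, [ETH, ETH])                # what promisc gives you

if __name__ == "__main__":
    for label, cap in (("monitor", MONITOR_CAPTURE), ("promisc", PROMISC_CAPTURE)):
        print(label, summarize(cap))
```

To use it on a real file, call summarize(open("capture.pcap", "rb").read()). A link type of 1 means the driver handed libpcap Ethernet-framed data and nothing in the file can tell you about management or control traffic; a link type of 105 with zero management and zero control frames is the "802.11 headers in promiscuous mode" case described in the parenthetical under 3) above.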