On Nov 13, 2013, at 9:24 AM, Daniel <neagarudan@xxxxxxxxx> wrote:
> According to the Wireshark study guide by Laura Chappell, the wireless adapter can have 4 combinations of monitor/promiscuous mode configurations. I don't get one single configuration: when the monitor mode is enabled, but the promiscuous is disabled. As far as I understood, the host won't be associated with any AP, because it's in the monitor mode. In addition, the adapter won't capture any frames with a destination different than its own MAC address, because it's in the promiscuous mode. This means no traffic will be captured. What's the use of this configuration? Or did I understand something wrong?
You *did* understand something wrong:
> As far as I understood, the host won't be associated with any AP, because it's in the monitor mode.
That isn't necessarily true - some driver/OS/network adapter combinations can remain associated while in monitor mode. I just tried capturing on the (Broadcom BCM43xx) adapter on my MacBook Pro, running OS X 10.8.5, in monitor+non-promiscuous mode, and it remained associated with our Wi-Fi network, and captured traffic going to my machine from another machine, but didn't capture traffic being sent by my machine, and didn't capture any traffic from that other machine *other* than traffic sent to my machine.
Whether the adapter in question even has a notion of promiscuous mode, and whether turning monitor mode on for the adapter also turns on promiscuous mode, or whether the driver does that, is another matter. A quick look at the brcm80211 driver in the Linux 3.11 source tree seems to indicate that it might.
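An added example, not part of the original message: one way to check from a capture which of the behaviours described above an adapter shows, by bucketing each 802.11 frame by its receiver and transmitter address. The addresses, the helper names and the two sample captures are constructed for illustration, and the frames are assumed to have the radiotap header already stripped.

```python
from collections import Counter

# Constructed addresses (locally administered), not taken from the thread.
ME, AP, OTHER = "02:00:00:00:00:01", "02:00:00:00:00:aa", "02:00:00:00:00:03"
BCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))

def data_frame(ra, ta, bssid):
    """Constructed 802.11 data header: FC, duration, addr1-3, sequence control."""
    return (b"\x08\x00" + b"\x00\x00" + mac_bytes(ra) + mac_bytes(ta)
            + mac_bytes(bssid) + b"\x00\x00")

def classify(frame, own):
    """Bucket one 802.11 MAC header (radiotap header already stripped)."""
    if len(frame) < 10:
        return "truncated"
    ra = frame[4:10]                                  # Address 1: receiver
    ta = frame[10:16] if len(frame) >= 16 else None   # Address 2: absent in ACK/CTS
    if ta == mac_bytes(own):
        return "from_me"
    if ra[0] & 0x01:                                  # group bit: broadcast/multicast
        return "group"
    if ra == mac_bytes(own):
        return "to_me"
    return "other_unicast"

def summarize(frames, own):
    """Return per-bucket counts and whether unicast for other stations was seen."""
    counts = Counter(classify(f, own) for f in frames)
    # Zero other_unicast is consistent with MAC filtering, but also with a quiet channel.
    return counts, counts["other_unicast"] > 0

# Constructed captures: one like the monitor+non-promiscuous result described above,
# one that also contains a frame addressed to another station.
FILTERED = [data_frame(ME, AP, AP), data_frame(BCAST, AP, AP)]
UNFILTERED = FILTERED + [data_frame(OTHER, AP, AP)]

if __name__ == "__main__":
    for name, cap in (("filtered", FILTERED), ("unfiltered", UNFILTERED)):
        print(name, summarize(cap, ME))
```

A capture with no `from_me` and no `other_unicast` frames matches the monitor+non-promiscuous result reported above; it does not by itself prove the adapter is filtering, since the channel may simply have carried no other traffic.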