I found out that in ad hoc mode, Cisco Aironet can overhear others’ data transmissions but not IEEE 802.11 control traffic (using Ethereal).
My question is: is promiscuous mode with respect to the data traffic on by default? So maybe for watchdog detection we don’t need to configure the wireless card because we only care about the network layer (routing protocol) traffic?
From this link
Cisco PCM340/350
The difference between those two cards is the transmit power level. On the PCM340 power is limited to 30mW, whereas the PCM350 can output 100mW. For monitoring applications obviously that doesn’t matter a great deal.
When used as a normal wireless client, the firmware will automatically find the best access point based on signal quality and associate with it. This feature extends to monitor mode as well, so it’s best to select the SSID name first and then let the card figure out the correct channel. Manually setting the channel doesn’t seem to be honored.
Firmware version 4.25.30 seems to work.
Monitor mode in Linux
The driver named airo may be used for Cisco cards. For some reason, this driver creates two devices when active, one of them is named ethX as normal and the second one named wifiX. The wifiX device must be used when monitor mode is enabled whereas the ethX device is used when the card is used as a normal wireless client. As far as I can tell there is no benefit to having a separate interface, since the card firmware will not allow frames to be transmitted while in monitor mode.
To enable monitor mode with these cards and start capturing:
shell# iwconfig eth0 mode monitor
shell# iwconfig eth0 essid <SSID>
shell# ifconfig wifi0 up
shell# ifconfig eth0 up
shell# tcpdump -n -i wifi0 -s1500 -w <savefile>
In the case that your wireless-tools support isn’t capable of understanding the above “mode monitor” command, you can enable monitor mode by using the following:
shell# echo "Mode: y" > /proc/driver/aironet/eth0/Config
The link type should then change to IEEE802_11.
echo 'Mode: r' > /proc/driver/aironet/eth1/Config
echo 'Mode: y' > /proc/driver/aironet/eth1/Config
If you want to capture traffic for any service set rather than just the service set to which the card belongs, use Mode: y rather than Mode: r.
Substitute your device name as appropriate.
Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic. Kismet identifies networks by passively collecting packets and detecting standard named networks, detecting (and given time, decloaking) hidden networks, and inferring the presence of nonbeaconing networks via data traffic.
apt-get install kismet
AirSnort is a wireless LAN (WLAN) tool which recovers encryption keys. AirSnort operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered.
(from this link)
Monitor mode enables a wireless NIC to capture packets without associating with an access point or ad-hoc network. This is desirable in that you can choose to “monitor” a specific channel, and you need never transmit any packets. In fact transmitting is sometimes not possible while in monitor mode (driver dependent). Another aspect of monitor mode is that the NIC does not care whether the CRC values are correct for packets captured in monitor mode, so some packets that you see may in fact be corrupted.
Promiscuous mode allows you to view all wireless packets on a network to which you have associated. The need to associate means that you must have some means of authenticating yourself with an access point. In promiscuous mode, you will not see packets until you have associated. Not all wireless drivers support promiscuous mode.
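Because monitor mode hands over frames without checking the CRC, a capture should be filtered before it feeds something like watchdog detection. The sketch below is an added example, not code from the quoted pages: it recomputes the 802.11 frame check sequence and counts intact frames by type (management, control, data). It assumes each frame is raw 802.11 (link type IEEE802_11, no radiotap or Prism header) with its 4-byte FCS still attached, which depends on the driver; the sample frames are constructed.

```python
import struct
import zlib

FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}


def fcs_ok(frame: bytes) -> bool:
    """True when the trailing 4-byte FCS matches the CRC-32 of the rest."""
    if len(frame) < 6:  # 2-byte frame control + 4-byte FCS at minimum
        return False
    body, fcs = frame[:-4], frame[-4:]
    # The 802.11 FCS is the IEEE CRC-32, stored least-significant byte first.
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) == fcs


def frame_type(frame: bytes) -> str:
    """Decode the type bits (bits 2-3) of the first frame-control byte."""
    return FRAME_TYPES[(frame[0] >> 2) & 0x3]


def summarize(frames):
    """Count intact frames per 802.11 type and tally the corrupted ones."""
    counts = {"corrupt": 0}
    for frame in frames:
        if not fcs_ok(frame):
            counts["corrupt"] += 1
            continue
        kind = frame_type(frame)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def with_fcs(body: bytes) -> bytes:
    """Helper for the constructed samples: append a valid FCS."""
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


# Constructed sample frames (not from a real capture).
ADDR = bytes(6)
DATA = with_fcs(b"\x08\x00\x00\x00" + ADDR * 3 + b"\x00\x00" + b"payload")
ACK = with_fcs(b"\xd4\x00\x00\x00" + ADDR)
BEACON = with_fcs(b"\x80\x00\x00\x00" + ADDR * 3 + b"\x00\x00" + bytes(12))
DAMAGED = DATA[:10] + bytes([DATA[10] ^ 0x01]) + DATA[11:]  # one flipped bit

if __name__ == "__main__":
    print(summarize([DATA, ACK, BEACON, DAMAGED]))
```

If the driver strips the FCS before delivering frames, every frame will count as corrupt, so check a known-good capture first.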