On Thu, 6 Sep 2001, Guy Harris wrote:

> > According to him they have to write their own drivers for WLAN-cards since
> > none of them have promiscuous mode capabilities. They have written drivers for
> > Cisco Aironet and Symbol, and drivers to Lucent are coming. Maybe it is
> > possible to get it separately, I didn't ask (though I fear they will prefer
> > not to enable others to compete with their product).
>
> ...and it may not be the case that those drivers support promiscuous
> mode using the standard NDIS interface, that interface being what
> WinPcap uses. The Sniffer software might use its own interface to
> capture packets.
>
> If so, even those drivers won't help.
>
> > From: maynard [mailto:maynard@xxxxxxxxxxxxxx]
> > Sent: 6. september 2001 10:10
> > To: trane@xxxxxxxxx
> > Subject: re: WLAN cards and Ethereal
> >
> >
> > I noticed your post on ethereal-users when I was scanning the archives, I
> > have the exact same problem (can only see outgoing traffic using an
> > orinoco card and linksys access point). However - I did notice some MAC
> > addresses in the capture, and discovered that all the incoming traffic to
> > the card was on the LLC protocol. i.e. my access point is not using tcp to
> > talk to the card (kinda freaky)
>
> *ALL* traffic, other than management traffic, on 802.11 networks is on
> the LLC protocol - even TCP traffic!
>
> 802.2 LLC is a protocol that runs on top of various LAN link layers,
> such as 802.3 (i.e., "Ethernet with a length field rather than a type
> field", although most protocols run on top of Ethernet rather than
> 802.3+802.2), 802.5 Token Ring, FDDI, and 802.11.
>
> IP can run on top of 802.2, or on top of 802.2 plus SNAP (Sub-Network
> Access Protocol); usually, it runs on 802.2+SNAP, rather than raw 802.2.
>
> TCP runs on top of IP - or IPv6, which also runs on top of 802.2+SNAP -
> so TCP can run on top of LLC.
>
> I.e., just because there's 802.2 LLC traffic, that doesn't mean there's
> not TCP traffic. Ethereal's perfectly capable of recognizing
> IP-over-LLC, and IP-over-LLC+SNAP, and IPv4-over-LLC+SNAP, and perfectly
> capable of recognizing TCP over IP, so if there's TCP-over-IP-over-LLC
> traffic in a capture (*and* if the packets weren't captured with a
> snapshot length so short as to cut off the TCP headers; Ethereal
> defaults to 65535 as a snapshot length, which is more than enough, but
> tcpdump defaults to 68, which isn't enough for the full TCP header),
> it'll show you TCP traffic.
>
> What were the protocols running on top of LLC in your capture?
>

That's the thing - there were not any protocols on top of LLC (for
incoming) that I could see in the capture (using the ethereal default
length) - that's why I thought it was odd. And for the outgoing packets
the capture does not show an LLC layer under the TCP etc...

Here is an example outgoing capture

source            dest
168.192.1.100     213.189.207.68
Frame 10
Ethernet II
IP
TCP

and an example incoming capture

source               dest
00:04:5a:ce:3a:99    00:02:2d:2c:f7:24
Frame 11
IEEE 802.3 Ethernet
Logical-Link Control
Data

that's why I was confused...

Also - I hear that the 4.x firmware/drivers for orinoco (wavelan) support
promiscuous mode, but I hesitate to install them, mostly because Net
Stumbler claims it does not work with exactly those drivers - so I have
to choose - do I want to use net stumbler or ethereal....

JDM
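
Added example, not part of either message in this thread and not Ethereal's code: a small dissector for the layering discussed above (Ethernet II versus 802.3 with 802.2 LLC, optional SNAP, then IP and TCP), including the case where a 68-byte snapshot length cuts off a TCP header that carries options. The `dissect` function and all sample frames are constructed for illustration; only the two MAC addresses are taken from the capture quoted above, and the "LLC only" frame is built to yield the same layer list as the incoming example, with no claim about what that traffic actually was.

```python
import struct

LLC_SNAP_UI = bytes.fromhex("aaaa03")  # DSAP 0xAA, SSAP 0xAA, control 0x03 (UI)

def dissect(frame: bytes) -> list:
    """Name the layers of an Ethernet-style frame, outermost first."""
    if len(frame) < 14:
        return ["[link header cut off]"]
    (type_len,) = struct.unpack("!H", frame[12:14])
    payload = frame[14:]
    if type_len >= 0x0600:            # Ethernet II: the field is an EtherType
        layers, ethertype = ["Ethernet II"], type_len
    else:                             # 802.3: the field is a length, 802.2 LLC follows
        layers = ["IEEE 802.3 Ethernet", "Logical-Link Control"]
        if payload[:3] != LLC_SNAP_UI or len(payload) < 8:
            return layers + ["Data"]  # LLC without SNAP: payload left undecoded here
        layers.append("SNAP")
        if payload[3:6] != b"\x00\x00\x00":   # OUI 0 means the PID is an EtherType
            return layers + ["Data"]
        (ethertype,) = struct.unpack("!H", payload[6:8])
        payload = payload[8:]
    if ethertype != 0x0800:           # only IPv4 is followed further in this sketch
        return layers + ["Data"]
    layers.append("IP")
    if len(payload) < 20:
        return layers + ["[IP header cut off]"]
    ihl = (payload[0] & 0x0F) * 4     # IP header length in bytes
    if payload[9] != 6:               # IP protocol 6 = TCP
        return layers + ["Data"]
    tcp = payload[ihl:]
    if len(tcp) < 20 or len(tcp) < (tcp[12] >> 4) * 4:
        return layers + ["TCP [header cut off]"]
    return layers + ["TCP"]

# Constructed sample: a TCP SYN with 20 bytes of options (40-byte TCP header).
DST, SRC = bytes.fromhex("00022d2cf724"), bytes.fromhex("00045ace3a99")
TCP_HDR = struct.pack("!HHIIBBHHH", 1025, 80, 1, 0, 10 << 4, 0x02, 8192, 0, 0) + bytes(20)
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(TCP_HDR), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
IP_PKT = IP_HDR + TCP_HDR
ETH2_FRAME = DST + SRC + struct.pack("!H", 0x0800) + IP_PKT
SNAP_HDR = LLC_SNAP_UI + b"\x00\x00\x00" + struct.pack("!H", 0x0800)
SNAP_FRAME = DST + SRC + struct.pack("!H", len(SNAP_HDR + IP_PKT)) + SNAP_HDR + IP_PKT
RAW_LLC_FRAME = DST + SRC + struct.pack("!H", 7) + bytes.fromhex("42420300000000")

if __name__ == "__main__":
    for name, f in [("Ethernet II", ETH2_FRAME), ("LLC+SNAP", SNAP_FRAME),
                    ("LLC+SNAP, snaplen 68", SNAP_FRAME[:68]), ("LLC only", RAW_LLC_FRAME)]:
        print(f"{name:22} {' / '.join(dissect(f))}")
```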