I could see this as THE reason if it were only a few packets here and there, but EVERY packet, regardless of the source, comes back as a "LLC" type. I've been sniffing several different sources at varying distances, and each one has produced the same result.

1 - A Linksys WAP-11 that's about 2 feet from my sniffer
2 - A Netgear (?) that's about 20 feet away in a neighbor's house (yes, he knows)
3 - ~20-30 Cisco APs spread over a college campus

I'm starting to analyze the packets manually [thank you Richard Stevens :-) ] and I might write a custom filter/decoder.

----- Original Message -----
From: "Chris Waters" <chris@xxxxxxxxxxxx>
To: "Rick Farina" <farinard@xxxxxxxxxx>; "an ethereal user" <ethereal@xxxxxxxxxxx>; <ethereal-users@xxxxxxxxxxxx>
Sent: Sunday, June 09, 2002 12:55 AM
Subject: Re: [Ethereal-users] Wireless sniffing - FreeBSD 4.5 + Cisco LMC352?

> Hi,
>
> It's probable that most of the packets you are seeing contain errors. In
> promiscuous mode some cards (PRISM cards for example) capture all packets,
> even those with FCS errors. Corrupted headers can easily cause the packets
> to be confused for LLC packets and so Ethereal mistakenly decodes them as
> such. This is something I have observed quite frequently. If the packets are
> corrupt it probably means that you are beyond the range of the
> communication. It is possible to pick up frames far beyond the distance that
> it is possible to associate with an AP.
>
> From the sound of it, you are closer to the AP you are sniffing than you
> are to the station, which is why the beacons do not appear corrupt.
>
> Regards,
>
> Chris.
>
>
> ----- Original Message -----
> From: "Rick Farina" <sidhayn@xxxxxxxxxxxxxxxxxxx>
> To: "an ethereal user" <ethereal@xxxxxxxxxxx>; <ethereal-users@xxxxxxxxxxxx>
> Sent: Saturday, June 08, 2002 9:18 PM
> Subject: Re: [Ethereal-users] Wireless sniffing - FreeBSD 4.5 + Cisco LMC352?
>
> > as a fellow stumbler who wonders the same:
> >
> > The solution I have convinced myself of is that any packet with the 802.11
> > header and obvious TCP/IP data is called LLC unless it can be further
> > decoded. Assume that since it's a wireless connection, you aren't getting
> > the strongest signal and are losing parts of the packet. So it only shows
> > as LLC. Mind you, I have NO idea if this even resembles something possible,
> > let alone probable. Like I said, I merely convinced myself that was the
> > cause.
> >
> > In response to Joe:
> >
> > Is that what you see? What kind of APs are you sniffing that you see
> > encrypted data as LLC? I know that Cisco shows as "IEEE 802.11 Data" for
> > me.
> >
> > -Rick Farina
> >
> > ----- Original Message -----
> > From: "an ethereal user" <ethereal@xxxxxxxxxxx>
> > To: <ethereal-users@xxxxxxxxxxxx>
> > Sent: Friday, June 07, 2002 10:08
> > Subject: [Ethereal-users] Wireless sniffing - FreeBSD 4.5 + Cisco LMC352?
> >
> >
> > Howdy all...
> >
> > I have installed FreeBSD 4.5 on an old Compaq Armada for use as a
> > wireless sniffer. I've been able to get my Cisco Aironet LMC352 into
> > monitor mode, ethereal 0.9.4 seems to talk to it, and I've also been
> > able to "stumble" with Kismet.
> >
> > The problem: Ethereal doesn't decode the data packets properly. All
> > packets that are not beacons or probes show up as "LLC" protocol
> > packets. I've sniffed a web session from my other laptop and I saw the
> > URL and HTML in these "LLC" packets, so I know that my sniffer is
> > seeing 3rd party traffic, but I'd like to be able to see the high-level
> > protocol (IP, TCP) info, not just raw strings.
> >
> > (for the record)
> > # ethereal -v
> > ethereal 0.9.4, with GTK+ 1.2.10, with GLib 1.2.10, with libpcap 0.7,
> > with libz 1.1.3, with UCD SNMP 4.2.5
> >
> > Card type: Cisco LMC352
> > Hardware revision: 00:22
> > Firmware: 04:23
> >
> > If anyone else out there in TV land has had similar experiences, I'd
> > like to trade info.
> >
> >
> > _______________________________________________
> > Ethereal-users mailing list
> > Ethereal-users@xxxxxxxxxxxx
> > http://www.ethereal.com/mailman/listinfo/ethereal-users
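
One way to test the FCS explanation quoted above against a capture, as an added example that is not part of the original thread: recompute each frame's CRC-32, and only for frames that pass, look for the LLC/SNAP header that carries the EtherType. It assumes the capture still includes the 4-byte FCS (driver dependent) and non-QoS data frames; `with_fcs`, `classify` and the sample frames are constructed for this example.

```python
import struct
import zlib

LLC_SNAP = b"\xaa\xaa\x03"  # DSAP, SSAP, control: LLC header announcing SNAP
TYPES = ("management", "control", "data", "reserved")


def with_fcs(body: bytes) -> bytes:
    """Append the 802.11 FCS: IEEE CRC-32, least significant byte first."""
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def classify(frame: bytes) -> str:
    """Classify one raw 802.11 frame that still carries its 4-byte FCS."""
    if len(frame) < 14:  # smallest frame: 10-byte ACK/CTS header + FCS
        return "too short"
    body = frame[:-4]
    if with_fcs(body) != frame:
        return "bad FCS"  # header bits cannot be trusted, so do not decode
    ftype = (body[0] >> 2) & 0x3  # frame control, type field
    if ftype != 2:
        return TYPES[ftype]
    flags = body[1]
    if flags & 0x40:  # Protected (WEP) bit: payload is ciphertext
        return "data, encrypted"
    hdr = 30 if (flags & 0x03) == 0x03 else 24  # 4th address if ToDS+FromDS
    llc = body[hdr:hdr + 8]
    if len(llc) < 8 or llc[:3] != LLC_SNAP:
        return "data, no LLC/SNAP"
    return "data, LLC/SNAP ethertype 0x%04x" % struct.unpack(">H", llc[6:8])


# Constructed sample frames (addresses and payload are made up).
_MACS = bytes.fromhex("020000000001" "020000000002" "020000000003")
DATA = with_fcs(b"\x08\x01\x00\x00" + _MACS + b"\x10\x00"
                + LLC_SNAP + b"\x00\x00\x00\x08\x00" + b"\x45" + bytes(19))
WEP = with_fcs(b"\x08\x41\x00\x00" + _MACS + b"\x10\x00" + bytes(32))
BEACON = with_fcs(b"\x80\x00\x00\x00" + _MACS + b"\x20\x00" + bytes(12))
DAMAGED = DATA[:1] + b"\xff" + DATA[2:]  # one header byte hit by noise

if __name__ == "__main__":
    for name, frame in (("data", DATA), ("wep", WEP),
                        ("beacon", BEACON), ("damaged", DAMAGED)):
        print(name, "->", classify(frame))
```

If nearly every non-beacon frame comes back as "bad FCS", the corruption explanation fits; if they pass the check and carry an LLC/SNAP header, the frames are intact and the EtherType names the protocol that should be decoded next.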