#1
capturing encrypted packets
gr33tz,
So I've got the Orinoco Gold card stumbling along fine now, and wanted to do some testing with my friends. Using Sniffer Pro 4.5 I can see unencrypted traffic fine (I assume I am seeing everything)... but... my friend has an AP that has encryption enabled, and when I go to capture packets it sees nothing; however, NetStumbler sees it fine and tells me it is WEP enabled etc. How do I see this traffic? Am I not in "raw" capture mode or something? I saw a thread about beaconing, but I don't know if this is the same case because NetStumbler sees the AP, but I can't sniff the traffic. We are proving for ourselves what Adam Stubblefield at Rice did last week since they didn't release their code. Anyone interested in helping out, please email get_root2000@yahoo.com. Thanks for the help on this question.
get_root

#2
802.11 overhead not encrypted
got_root,
Not sure if I understood your question fully, but based on my interpretation of the 802.11 spec, WEP is only occurring on payload data. Therefore, even when WEP is disabled, there are some types of information that you should see - such as AP beacon packets, MAC addresses, etc. I can sniff wireless networks without WEP without any problems. Networks with WEP, I see packets, but they're all encrypted, so they just show up as 802.11 WEP Data.
-Toomer

#3
What platforms?
I'm betting that one of you - the thread starter - is using Windows and that the response was from someone using Linux. Under Windows I'm unable to see any traffic but my own, and unless I'm on the LAN generating traffic nothing is seen. IF I were on the LAN with the right encryption key etc. I'm sure I'd see something.... I'm thinking that the drivers for Windows are crippled, whereas on Linux, where source is available, this wasn't done. REALLY irritating as there are times when full promiscuous IS needed (grumble).

#5
Hrm!
I may be doing a survey for some folks and one of their techs has that software I think.... Unfortunately I've also NOT got a Cisco card (sigh). I've got two other cards but not a Cisco. Perhaps someone will write a new set of drivers or whack the existing ones. Otherwise I may be forced to run VMware and Linux to get both :-)

#6
w2k
Thanks for the follow ups... I am using W2k with Sniffer Pro. That does make sense BLKMGK. I have been able to sniff packets while at Starbucks etc, but I had been assigned an IP address at the same time. I know in this case I was not "on" the network. Looks like I need to get the Linux side set up. Thanks for the help.
get_root

#7
No Linux here...
>> I'm betting that one of you - the thread starter - is using Windows and that the response was from someone using Linux. <<
Incorrect. I'm Win2k all the way. If you research 802.11 promiscuous on the net, you'll find that it seems to be very different from standard promiscuous. None of the standard rules apply, which means that most of the existing tools will NOT work. In order to get 802.11 sniffing working, I had to purchase another wireless card (Cisco Aironet 340) in order to do promiscuous. I wasn't interested in twiddling with the Orinoco under the premise that "maybe" it would work with some odd firmware rev or whatever -- I wanted to go with something that I knew would work.
-Toomer

#8
sniffer
I'm having the same problem...
I'm going to have to get a different card. I found the site off the link on the NetStumbler site that describes the hardware and software needed to crack WEP. Anyone want it.. lol http://www.lava.net/~newsham/wlan check this one out, even has a link to the right card to buy

#9
I just spent the evening working with WildPackets AiroPeek, and going back and forth between WEP enabled and clear transmissions. With WEP enabled I get a lot of 802.11b data packets, and beacon packets and such. With WEP turned off I can see URLs and other clear text traffic just fine.
Still I wasn't able to do what I wanted to do. I was trying to find a way to discover the SSID of an AP that does not have beaconing enabled. AiroPeek doesn't care if it is using the same SSID or not, it just grabs whatever is flying by, but if I ever wanted to actually get on the WLAN via an AP that is not advertising the SSID I would need to have a way to discover the SSID. I was hoping AiroPeek would be it, but I guess not. Anyone else know how to accomplish this?

#10
Just a quick comment/question.
My current understanding for both Sniffer Pro with wireless option and AiroPeek is that they use Cisco 340 cards and our friendly Orinoco/Lucent cards won't work. So unless we drop to Unix and play with that OS, what options are currently available for Win users with Orinoco/Lucent cards to sniff traffic? I thought someone had mentioned WinDump. Has that been tested? Any other known software that would work?
John K.

#11
What works...
>> My current understanding for both Sniffer Pro with wireless option and Airopeek is that they use Cisco 340 cards and our friendly Orinoco/Lucent cards won't work. <<
As of today, that appears to be correct. It seems as though both sniffer manufacturers have included their own "tweaked" drivers which allow for 802.11 sniffing. I had to replace the default Cisco Aironet 340 driver with WildPackets' version of the same driver. In addition to the Cisco, there is one other card that supposedly works. I can't remember the name, but it's not the Lucent.
>> So unless we drop to Unix and play with that OS what options are currently available for Win users with Orinoco/Lucent cards to sniff traffic? <<
I've tried everything available, and found nothing else that worked. Rather than waste time setting up a completely different OS on the hopes that *maybe* it might be able to sniff, I decided to drop the C-Note for a Cisco card instead.
My config: Sony Vaio Picturebook (micro notebook), Cisco Aironet 340 card (for sniffing), Lucent Orinoco Gold (for stumbling), Windows ME & Win2k
-Toomer

#13
But..
That's a commercial product, yes? Will those drivers work with other products that aren't commercial? Somehow I doubt it, and doubt that they would distribute the drivers freely in that case either. As it happens I've got a D-Link card AND a Lucent, so I may try VMware in a window for sniffing and the Lucent for stumbling. One of these days anyway, I've not exactly had tons of time for this lately. Maybe try sniffing my own WAP and see what's what...