Monday, October 13, 2008

Difference - Promiscuous vs. Monitor Mode (Wireless Context)

Monitor mode (RFMON) enables a wireless nic to capture packets without associating with an access point or ad-hoc network. This is desireable in that you can choose to "monitor" a specific channel, and you need never transmit any packets. In fact transmiting is sometimes not possible while in monitor mode (driver dependent). Another aspect of monitor mode is that the NIC does not care whether the CRC values are correct for packets captured in monitor mode, so some packets that you see may in fact be corrupted. Monitor mode only applies to wireless networks, while promiscuous mode can be used on both wired and wireless networks. Monitor mode is one of the six modes that 802.11 wireless cards can operate in: Master (acting as an access point), Managed (client, also known as station), Ad-hoc, Mesh, Repeater, and Monitor mode.

Promiscuous mode allows you to view all wireless packets on a network to which you have associated. The need to associate means that you must have some measn of authenticating yourself with an access point. In promiscuous mode, you will not see packets until you have associated. Not all wireless drivers support promiscuous mode.

One important difference is Promiscuous mode does, indeed, tell the card to process all frames, (i.e. remove 802.11 frame headers ) including those not destined for it.
But, monitor mode tells the card to pass along the frames intact (with 802.11 headers) and not present plain 'ol Ethernet frames to the host.

Reason
In monitor mode the SSID filter mentioned above is disabed and all packets of all SSID's from the currently selected channel are captured.

Even in promiscuous mode, an 802.11 adapter will only supply packets to the host of the SSID the adapter has joined. Although it can receive, at the radio level, packets on other SSID's, it will not forward them to the host.

So in order to capture all traffic that the adapter can receive, the adapter must be put into "monitor mode", sometimes called "rfmon mode". In this mode, the driver will not make the adapter a member of any service set, so it won't support sending any traffic and will only supply received packets to a packet capture mechanism, not to the networking stack. This means that the machine will not be able to use that adapter for network traffic; if it doesn't have any other network adapters, it will not be able to:

* resolve addresses to host names using a network protocol such as DNS;
* save packets to a file on a network file server;

etc..

Monitor mode is not supported by WinPcap, and thus not by Wireshark or TShark, on Windows.
It is supported, for at least some interfaces, on some versions of Linux, FreeBSD, and NetBSD.

Command to put Wireless card in monitor mode on linux (Use sudo in front, if not in root login)
ifconfig wlan0 down
iwconfig wlan0 mode monitor
ifconfig wlan0 up

2 comments:

Generating Solutions, LLC said...

This is a blog to watch for sure. I think you have a really awesome writing style by the way. Very easy to read. Your blog design is so clean too! Thank you all the hard work!

Sewage Pump Station Monitoring

ZonaDeMarrones.com said...

Fantastic explanation, thank you