Wifi IDS - monitor mode vs promiscuous mode - Seeing East and West traffic


Given my home wifi setup (WPA2) below I can see all traffic from the internal network to the 'Net and back (North-South traffic).

I use wlan0 for ssh on the local net. I run suricata as the IDS on the Raspberry Pi and send logs to the Cloud. Life is good.

I want to see and log the East-West connections from an internal wifi client1 to an internal wifi client2. My wifi router doesn't provide that.

I got another wlan card thinking that in monitor mode that would do the trick, but I believe I won't be able to decrypt traffic unless joined to the SSID (tried - didn't see anything but management frames in tcpdump).

I also tried promiscuous mode w/ wlan1 (confirmed PROMISC in ifconfig), thinking that since it's joined to the SSID it would do the trick (I'd then just let my IDS/suricata know about the PSK), but I couldn't see traffic apart from unicast/broadcast (none of the other wifi clients).

This is in a small apartment and my wifi clients (recent Androids/Chromebooks) are <5 feet away for testing.

The wlan1 card in the RPi is a Panda Wireless PAU05.

More out of curiosity: am I doomed to fail on the path I said I desire?

I would prefer to do it this way for the academic enrichment, or at least learn why I am going to fail. I.e. I am aware of BriarIDS and SweetSecurity. I'd also prefer not to spend too much money on a high end router and want to continue tinkering.

    +-------------------+
    |    Cable Modem    |
    +---------+---------+
              |
              |  Anonymous Ethernet bridge: eth0 (no IP)
              |
         +----+----+
         |   Pi    |XXXXXXXXXX..wlan0..Wifi signal..XXXXXX
         +----+----+                                    XX
              |                                         XX
              |  AEB: eth1 (no IP)                      XX
              |                                         XX
    +---------+---------------------+                   XX
    | (DMZ port has the ISP IP)     |XXXXXXXXXXXXXXXXXXXXX
    |                               |
    | Wireless Router - TP-Link     |
    |                               |
    | (internal ports)              |
    +---------+---------------------+
              |
              |
    +---------+--------------+
    | Internal wired PC, etc.|
    +------------------------+










      wireless-networking security






      asked yesterday









jouell

1309






















1 Answer






Monitor mode is what you need, but the ability to decrypt other devices' WPA2-PSK traffic has nothing to do with joining the network. All you need is the PSK (or the passphrase and the SSID, from which you can derive the PSK) and the WPA2 4-way handshake from when the target device joins the network.

You also need your sniffer's wireless card to support all the speed-related capabilities of the wireless hardware in the AP and the target device. If, say, the AP and the target device both do 802.11ac and your sniffer card only does 802.11n and below, then the sniffer won't be able to observe any packets the AP and target device exchange using 802.11ac-specific modulation and coding schemes (MCSes). Besides the supported 802.11 speed-related standards (a/b/g/n/ac) and MCSes, you must also consider supported spatial streams (1x1, 2x2, 3x3, etc.) and supported channel widths (20/40/80/160 MHz).






answered yesterday

Spiff
78.6k
          • FWIW aircrack-ng.org/doku.php?id=cracking_wpa and wiki.wireshark.org/HowToDecrypt802.11 were helpful here once I knew the above.

            – jouell
            yesterday













• Also I do not precisely know if any projects actually do this type of capturing, decryption and then parsing the packets like an IDS would do natively.

            – jouell
            23 hours ago
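To make the first paragraph of the answer concrete, here is an added example (not code from the question, the answer or the linked aircrack-ng/Wireshark pages) of what a passive sniffer does with the PSK and the captured 4-way handshake: derive the PMK from passphrase and SSID with PBKDF2, derive the PTK from the two MAC addresses and the two nonces (all of which are transmitted in the clear), and check the EAPOL-Key MIC on handshake message 2. The MAC addresses, nonces and the EAPOL-Key frame are constructed for the demo; the "password"/"IEEE" pair is the PBKDF2 test vector from IEEE 802.11i Annex H, so the PMK value can be checked against the standard. Nothing here associates with the AP, which is the point: monitor mode plus the PSK is sufficient, and conversely a client whose handshake you did not capture (it joined before the sniffer started) cannot be decrypted until it reauthenticates.

```python
"""WPA2-PSK key derivation and EAPOL-Key MIC check, as a passive sniffer does it.

Added example for this page; not code from the question or answer. Standard
library only. MACs, nonces and the EAPOL-Key frame are constructed, not captured.
"""
import hashlib
import hmac

PRF_LABEL = b"Pairwise key expansion"
NONCE_OFFSET = 17  # Key Nonce: 4-byte 802.1X header + 13 bytes of key descriptor
MIC_OFFSET = 81    # Key MIC field offset in the frame built by build_msg2()
MIC_LEN = 16


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK == PSK == PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32).
    Passphrase plus SSID is enough; no association with the AP is involved."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def ptk_from_handshake(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """CCMP PTK (48 bytes) = KCK(16) | KEK(16) | TK(16). aa = AP MAC, spa = client MAC.
    ANonce is sent in message 1 and SNonce in message 2, both unencrypted."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, PRF_LABEL, data, 48)


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/AES): HMAC-SHA1 over the whole EAPOL frame
    with the MIC field zeroed, truncated to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * MIC_LEN + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def build_msg2(kck: bytes, snonce: bytes) -> bytes:
    """Supplicant side: constructed 4-way handshake message 2 with a valid MIC.
    Follows the EAPOL-Key descriptor layout; Key Data (RSN IE) left empty."""
    body = (
        b"\x02"                    # descriptor type: RSN Key Descriptor
        + b"\x01\x0a"              # key info: version 2 (HMAC-SHA1 MIC), pairwise, MIC set
        + b"\x00\x00"              # key length (0 in message 2)
        + (1).to_bytes(8, "big")   # replay counter
        + snonce                   # key nonce = SNonce (32 bytes)
        + b"\x00" * 16             # key IV
        + b"\x00" * 8              # key RSC
        + b"\x00" * 8              # key ID (reserved)
        + b"\x00" * MIC_LEN        # key MIC, zero while it is being computed
        + b"\x00\x00"              # key data length
    )
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body  # 802.1X v1, type 3 = EAPOL-Key
    mic = eapol_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + MIC_LEN:]


def check_psk(passphrase: str, ssid: str, aa: bytes, spa: bytes, anonce: bytes, msg2: bytes) -> bool:
    """Sniffer side, fully passive: reproduce the MIC from a candidate passphrase.
    A match proves the PSK and yields TK = PTK[32:48] for CCMP decryption."""
    snonce = msg2[NONCE_OFFSET:NONCE_OFFSET + 32]
    pmk = pmk_from_passphrase(passphrase, ssid)
    kck = ptk_from_handshake(pmk, aa, spa, anonce, snonce)[:16]
    observed = msg2[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    return hmac.compare_digest(eapol_mic(kck, msg2), observed)


# Constructed demo data (not from a real capture). "password"/"IEEE" is the
# PBKDF2 test vector from IEEE 802.11i Annex H, so the PMK is checkable.
SSID = "IEEE"
PASSPHRASE = "password"
AP_MAC = bytes.fromhex("021122334455")
STA_MAC = bytes.fromhex("02aabbccddee")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def demo() -> dict:
    pmk = pmk_from_passphrase(PASSPHRASE, SSID)
    kck = ptk_from_handshake(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    msg2 = build_msg2(kck, SNONCE)  # what the client transmits; visible in monitor mode
    return {
        "pmk": pmk.hex(),
        "right_psk": check_psk(PASSPHRASE, SSID, AP_MAC, STA_MAC, ANONCE, msg2),
        "wrong_psk": check_psk("Password", SSID, AP_MAC, STA_MAC, ANONCE, msg2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Once `check_psk` succeeds, the last 16 bytes of the PTK are the CCMP temporal key, and decrypting the data frames themselves is AES-CCM over each frame's nonce (A2 address, priority, packet number) and its AAD; that step is what airdecap-ng and Wireshark's 802.11 decryption perform and is left out here because the standard library has no AES. Note also that promiscuous mode on a managed (associated) interface only lifts the destination-MAC filter on frames the AP already forwards to that interface; other clients' unicast frames are never handed up by the driver, which is why the PROMISC experiment in the question saw nothing beyond its own and broadcast traffic.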











