Wifi IDS - monitor mode vs promiscuous mode - Seeing East and West traffic
Given my home wifi setup (WPA2) below, I can see all traffic from the internal network to the 'Net and back (North and South traffic).
I use wlan0 for ssh on the local net. I run suricata as the IDS on the Raspberry Pi and send logs to the Cloud. Life is good.
I want to see and log the East to West connections from internal wifi client1 to internal wifi client2. My wifi router doesn't provide that.
I got another wlan card, thinking that monitor mode would do the trick, but I believe I won't be able to decrypt traffic unless joined to the SSID (tried it; didn't see anything but management frames in tcpdump).
I also tried promiscuous mode with wlan1 (confirmed PROMISC in ifconfig), thinking that since it's joined to the SSID it would do the trick (I'd then just let my IDS/suricata know about the PSK), but I couldn't see traffic apart from unicast/broadcast (none of the other wifi clients).
This is in a small apartment, but my wifi clients (recent Androids/Chromebooks) are <5 feet away for testing.
The wlan1 card in the RPi is a Panda Wireless PAU05.
Out of curiosity, am I doomed to fail on the path I described?
I would prefer to do it this way for the academic enrichment, or at least learn why I am going to fail; i.e. I am aware of BriarIDS and SweetSecurity. I'd also prefer not to spend too much money on a high-end router, and want to continue tinkering.
> +-------------------+ |
> | | Cable Modem | |
> +----+--------------+ |
> |
> |
> |
> +<------Anonymous Ethernet bridge:Eth0 (No IP)--+
> |
> +-----+
> | |
> | Pi |
> | |XXXXXXXXXXX..Wlan0..Wifi Signal..XXXXXX
> +----++ XX
> | XX
> +<-----------AEB:--Eth1 (No IP)--+ XX
> | XX
> +---+---------------------------+ XXX
> | (DMZ port has the ISP IP) | XXX
> | | XX
> | Wireless Router -TP Link |XX
> | |
> | (internal ports) |
> +-------------------------------+
> |
> |
> +------------------------+
> | Internal wired pc, etc.|
> +------------------------+
wireless-networking security
asked yesterday
jouell 1309
1 Answer
Monitor mode is what you need, but the ability to decrypt other devices' WPA2-PSK traffic has nothing to do with joining the network. All you need is the PSK (or the passphrase and the SSID, from which you can derive the PSK), and the WPA2 4-way handshake from when the target device joins the network.
You also need your sniffer's wireless card to support all the speed-related capabilities of the wireless hardware in the AP and the target device, because if, say, the AP and the target device both do 802.11ac and your sniffer card only does 802.11n and below, then the sniffer won't be able to observe any packets the AP and target device exchange using 802.11ac-specific modulation and coding schemes (MCSes). Besides supported 802.11 speed-related standards (a/b/g/n/ac) and supported MCSes, you must also consider supported spatial streams (1x1, 2x2, 3x3, etc.) and supported channel widths (20/40/80/160 MHz).
answered yesterday
Spiff 78.6k
FWIW aircrack-ng.org/doku.php?id=cracking_wpa and wiki.wireshark.org/HowToDecrypt802.11 were helpful here once I knew the above.
– jouell
yesterday
Also, I do not precisely know if any projects actually do this type of capturing, decryption and then parsing the packets like an IDS would do natively.
– jouell
23 hours ago
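A worked illustration of the answer's point, added here and not part of the question, the answer, or any tool named on the page. The PSK is derived from the passphrase and SSID alone, but the key that actually encrypts a given client's data frames (the TK inside its PTK) is derived from that client's own 4-way handshake: same PSK, different MACs and nonces, different TK. That is why a monitor-mode sniffer needs the handshake of every client it wants to read, and why the managed-mode promiscuous attempt in the question only showed the Pi's own unicast plus broadcast: the card holds only its own pairwise key. MAC addresses, nonces and the EAPOL-Key frame in the code are constructed test data; only the "password"/"IEEE" passphrase-to-PSK vector is the published 802.11i test vector.

```python
"""WPA2-PSK key material from a captured 4-way handshake (added example).

Not code from the question, the answer or any project named on the page. It
shows why a monitor-mode sniffer needs both the PSK (derivable from passphrase
and SSID) and each client's own 4-way handshake: every station derives a
different pairwise key (PTK) from the same PSK, so one captured handshake only
unlocks that one client. MAC addresses, nonces and the EAPOL-Key frame below
are constructed test data; only the passphrase/SSID -> PSK vector ("password",
"IEEE") is the published 802.11i test vector.
"""
import hashlib
import hmac
import struct

MIC_OFFSET = 81  # byte offset of the 16-byte Key MIC inside an EAPOL-Key frame


def psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK (== PMK for WPA2-Personal): PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11 PRF-n: HMAC-SHA1(key, label | 0x00 | data | counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(MACs)|max(MACs)|min(nonces)|max(nonces)).

    For CCMP the 48 bytes split into KCK (signs EAPOL frames), KEK (wraps the GTK)
    and TK (encrypts this client's data frames). The min/max ordering is what lets
    both sides, and a passive sniffer, reach the same PTK.
    """
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def build_eapol_key_msg2(snonce: bytes, replay_counter: int, key_data: bytes = b"") -> bytes:
    """Constructed EAPOL-Key frame shaped like handshake message 2 (STA -> AP), MIC zeroed."""
    key_info = 0x010A  # descriptor version 2 (HMAC-SHA1-128 MIC), Pairwise, MIC bits set
    body = struct.pack(">BHHQ", 2, key_info, 16, replay_counter)  # descriptor type 2 = RSN
    body += snonce + bytes(16) + bytes(8) + bytes(8)              # Key Nonce, IV, RSC, reserved
    body += bytes(16)                                             # Key MIC placeholder
    body += struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 2, 3, len(body)) + body            # 802.1X hdr: ver 2, type 3 (Key)


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC = HMAC-SHA1(KCK, frame with MIC field zeroed), truncated to 128 bits."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def sign_eapol(kck: bytes, frame: bytes) -> bytes:
    """Fill in the Key MIC the way the supplicant does before sending message 2."""
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def eapol_mic_ok(kck: bytes, frame: bytes) -> bool:
    """What a sniffer checks to confirm it derived the right PTK for a client."""
    return hmac.compare_digest(eapol_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + 16])


def demo() -> dict:
    pmk = psk_from_passphrase("password", "IEEE")    # 802.11i test vector
    ap = bytes.fromhex("0013371a2b3c")                # constructed BSSID
    client1 = bytes.fromhex("02a1b2c3d4e5")           # constructed STA MACs
    client2 = bytes.fromhex("02f1e2d3c4b5")
    # Constructed nonces (a real AP and STA draw fresh random ones per association).
    anonce1 = hashlib.sha256(b"anonce for client1").digest()
    snonce1 = hashlib.sha256(b"snonce from client1").digest()
    anonce2 = hashlib.sha256(b"anonce for client2").digest()
    snonce2 = hashlib.sha256(b"snonce from client2").digest()
    k1 = derive_ptk(pmk, ap, client1, anonce1, snonce1)
    k2 = derive_ptk(pmk, ap, client2, anonce2, snonce2)
    msg2 = sign_eapol(k1["kck"], build_eapol_key_msg2(snonce1, replay_counter=1))
    return {
        "pmk": pmk.hex(),
        "tk_differs_per_client": k1["tk"] != k2["tk"],
        "client1_msg2_mic_ok_with_client1_ptk": eapol_mic_ok(k1["kck"], msg2),
        "client1_msg2_mic_ok_with_client2_ptk": eapol_mic_ok(k2["kck"], msg2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In practice you would not hand-roll this: once the passphrase and a client's handshake are in the capture, airdecap-ng -e <SSID> -p <passphrase> capture.cap (from the aircrack-ng suite linked in the comments) or Wireshark's 802.11 decryption keys perform the same derivation and then decrypt the CCMP data frames. The code is here to show what those tools must have captured: a client that associated before the sniffer started has no handshake in the capture, so its traffic stays opaque until it reassociates, and the MIC check is how you tell a correct derivation from a wrong one without guessing.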