1
votes

I want to analyze network traffic but not by connecting to it. Just switch on Wi-Fi and sniff the packets (IEEE 802.11 frames) in promiscuous mode.

I have tried libpcap, but it may be internally changing the datalink type, as I am giving the Wi-Fi interface in

descr=pcap_open_live("en1", MAXBYTES2CAPTURE, 1, 512, errbuf);

(as we know, Mac OS X has en1 as the Wi-Fi interface)

Now when I do this:

printf("%s", pcap_datalink_val_to_name( pcap_datalink(descr)));

It gives me the result "ethernet".
I have tried to capture packets using Wireshark without connecting to my Wi-Fi network and it worked!! I was able to capture Beacon, Acknowledgement and Authentication frames without connecting to my Wi-Fi network.

Now:

  1. Do I have to make a network card driver for that, or can libpcap do that? If yes, how?
  2. Is Wireshark making some kind of driver for that? If yes, please help me to locate that in its source code.
    • I have tried Apple's CFNetwork, but it too can't capture without connecting to the network.
    • It will be very helpful if I get some suggestions on some user-space code, as kernel-level coding is a little tough :(

I am coding on Mac OS X 10.7 in Xcode 4.5.1.

Update:
I am already doing this:

descr=pcap_create("e1", errbuf);
pcap_set_rfmon(descr, 0);
pcap_set_promisc(descr, 0);
pcap_activate(descr);
descr=pcap_open_live("en1", 2048, 1, 512, errbuf);

And yes, there is a little monitor icon at the Wi-Fi and I can sniff the packets, but only when I connect to the network. I want to do the same when I am not connected to Wi-Fi, like capturing Beacon and Acknowledgment frames, meaning the packets through which our network card detects available Wi-Fi networks.


1 Answer

2
votes

If you're running on Snow Leopard or later (which you are, as you're running Lion), you should use the new pcap_create()/pcap_activate() APIs, and turn on monitor mode by calling pcap_set_rfmon() between the pcap_create() and pcap_activate() calls.

That's what Wireshark 1.6.0 and later do if you check the monitor mode checkbox, and what tcpdump 1.0.0 and later, and TShark and dumpcap in Wireshark 1.6.0 and later, do if you specify the -I command-line flag.

By default, Wi-Fi interfaces on many OSes, including but not limited to OS X, supply Ethernet headers, not 802.11 headers, which is why pcap_datalink_val_to_name(pcap_datalink(descr)) is reporting Ethernet headers. On Linux and OS X, you have to go into monitor mode to get 802.11 headers; on *BSD, you can get 802.11 headers without going into monitor mode.

You do not need your own driver to go into monitor mode on OS X; Wireshark does not supply its own drivers.
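As an added example (not code from the answer or from libpcap), this is the open sequence the answer describes, with pcap_set_rfmon() turned on between pcap_create() and pcap_activate(), followed by a small decoder that names Beacon, Acknowledgement and Authentication frames from the 802.11 Frame Control byte so you can confirm the capture is really delivering 802.11 headers. It assumes en1 is the Wi-Fi interface (as in the question) and that the activated handle reports DLT_IEEE802_11_RADIO, i.e. a radiotap header in front of each frame; the libpcap part is guarded so the decoder alone still builds where the headers are absent.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if __has_include(<pcap/pcap.h>)   /* the decoder below builds without libpcap */
#include <pcap/pcap.h>
#define HAVE_PCAP 1
#endif

/* Name an 802.11 frame from its Frame Control byte. With DLT_IEEE802_11_RADIO a
 * radiotap header (little-endian length at bytes 2-3) comes first: pass radiotap=1. */
const char *wifi_frame_type(const uint8_t *pkt, size_t len, int radiotap) {
    size_t off = 0;
    if (radiotap) {
        if (len < 4) return "truncated";
        off = pkt[2] | (pkt[3] << 8);
    }
    if (len < off + 2) return "truncated";
    unsigned type = (pkt[off] >> 2) & 0x3, subtype = (pkt[off] >> 4) & 0xf;
    if (type == 0 && subtype == 8)  return "beacon";
    if (type == 0 && subtype == 11) return "authentication";
    if (type == 1 && subtype == 13) return "ack";
    if (type == 2)                  return "data";
    return "other";
}

#ifdef HAVE_PCAP
/* Open dev with monitor mode ON; rfmon must be set between create and activate. */
pcap_t *open_monitor(const char *dev, char *errbuf) {
    pcap_t *p = pcap_create(dev, errbuf);
    if (!p) return NULL;
    pcap_set_snaplen(p, 2048);
    pcap_set_rfmon(p, 1);        /* 1 = monitor mode on (the question's code passed 0) */
    pcap_set_promisc(p, 1);
    pcap_set_timeout(p, 512);
    if (pcap_activate(p) < 0) {  /* <0 is an error; >0 is only a warning */
        snprintf(errbuf, PCAP_ERRBUF_SIZE, "%s", pcap_geterr(p)); pcap_close(p); return NULL;
    }
    return p;
}

static void on_frame(u_char *radiotap, const struct pcap_pkthdr *h, const u_char *bytes) {
    printf("%u bytes: %s\n", h->caplen, wifi_frame_type(bytes, h->caplen, *(int *)radiotap));
}

int main(void) {
    char errbuf[PCAP_ERRBUF_SIZE];
    pcap_t *p = open_monitor("en1", errbuf);   /* en1: OS X Wi-Fi, per the question */
    if (!p) { fprintf(stderr, "%s\n", errbuf); return 1; }
    printf("link type: %s\n", pcap_datalink_val_to_name(pcap_datalink(p)));
    int radiotap = pcap_datalink(p) == DLT_IEEE802_11_RADIO;
    pcap_loop(p, 20, on_frame, (u_char *)&radiotap);  /* 20 frames, then stop */
    pcap_close(p); return 0;
}
#endif
```

Monitor mode needs the capture privileges Wireshark's checkbox already has (root or a /dev/bpf* group on OS X), and while the interface is in monitor mode it will not pass normal traffic, which is expected.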