Thursday 6 August 2015

Promiscuous vs monitor mode of a wireless network interface


Wireless adapter in promiscuous mode:
  • connected to the Access Point (AP)
  • SSID filtering is switched on => it can receive packets only from AP it is associated with (it receives radio packets from all APs but forwards to the upper layers only those from that particular AP)
  • MAC filtering is switched off => it can receive packets destined for any MAC address
  • it can't decrypt packets to/from other nodes in secured (WEP, WPA...) networks 
  • it translates Wi-Fi data frames into wired Ethernet-style frames (IEEE 802.3) so they look like Ethernet frames captured on the LAN interface working in promiscuous mode

Wireless adapter in monitor mode:
  • usually NOT connected to the Access Point (depends on the adapter and its driver) => it does not transmit any packets
  • SSID filtering is switched off => it can receive packets from any AP within its range
  • MAC filtering is switched off => it can receive packets destined for any MAC address
  • it can decrypt packets to/from other nodes in secured networks

It is worth adding the following:
  • monitor mode does not make sense (and so does not exist) for LAN cards 
  • all LAN cards support promiscuous mode
  • not all Wi-Fi cards support promiscuous and monitor mode

Further reading:Promiscuous mode (Wikipedia)
Monitor mode (Wikipedia)
Wireshark - WLAN (IEEE 802.11) capture setup

No comments: