Topic: "Sniffing in promiscuous mode" (page 1 of 1)

X7HX
Hi guys,
I'm having this problem with my wireless adapter, I can't sniff packets in promiscuous mode.
I presume the problem is from the wireless adapter because when I sniff via ethernet I don't have any problems.
I'm currently using Windows XP professional edition + INTEL PRO Wireless 2200BG with the drivers 9.0.4.36 ( 04-04-2007 ).
Any help regarding this subject would be very much appreciated.

Thanks
aceldama
normally it's just a driver issue. my suggestion is to download a copy of the backtrack cd. linux though, but linux is good. :)
Edited by aceldama on 16.01.2008 02:46:29
unknown user
First of all, what you are looking for is "monitor mode" not "promiscuous". People tend to forget that wireless ethernet isn't ethernet. There are a lot of differences between the two. Promiscuous means, just don't drop anything that isn't sent to my or broadcast mac addr. monitor means anything that is in the air.

The problem is that for promiscuous, the packet has to arrive at your workstation, and not all the packets you expect are intercepted and/or passed to the cpu. wireless is made to conserve energy, otherwise battery time of laptops and other handheld devices would suffer. (Though 80211 is pretty power hungry when compared to other protocols, but that's because they also want to achieve high data rate and larger range). However to save some power, it shuts down and stops listening when it's not his packet, or not the basestation sending. And lots of other factors. Not all packets in your network will be sent over the wireless either. Unless god forbid you have a wireless bridge, which is just the dumbest device ever put to market.

Also the structure of the hardware/software:
ethernet: cable --> network card --> driver --> operating system
wireless: air --> antenna --> microcode running on the wireless card's processor (they usually have one, the ipw2200 is no exception) --> driver --> operating system

Often the microcode can drop packets before they ever reach the CPU; microcode is usually closed source.

monitor mode will typically intercept everything around, *iff* the ucode allows it.

How the entire 802.11.a/b/g/n/s ... wds ... WEP/WPA works is more complex, and there's a lot more to it. I don't care about windows, you will be able to sniff the traffic. But injecting will most likely be impossible unless some company puts out some patched driver of sorts. On linux the card is supported, and there are injection patches. http://aircrack-ng.org/doku.php?id=compatibility_drivers#drivers

The IPW cards aren't the best cards to be using if you want to do wireless "exploration". You are probably better off buying some $20 atheros based usb thingy...


But anyway check the aircrack-ng project, they have all the answers. aircrack-ng will run on windows, (though you can not inject packets into networks, because the windows drivers don't allow that); Depending on what you are trying to do, getting familiar with linux isn't a bad idea. There are some shady (imho) crappy windows programs out there that for your (old card) might work too.

ps: this post is a bit messy, but you get the idea.
bb
Quote from rhican:
First of all, what you are looking for is "monitor mode" not "promiscuous". People tend to forget that wireless ethernet isn't ethernet. There are a lot of differences between the two. Promiscuous means, just don't drop anything that isn't sent to my or broadcast mac addr. monitor means anything that is in the air.


I'm not sure if it is a language issue (I'm unsure how you send to a broadcast MAC address) but for clarity :

Monitor mode enables a wireless NIC to capture packets without associating with an access point or ad-hoc network. This is desirable in that you can choose to "monitor" a specific channel, and you need never transmit any packets. In fact transmitting is sometimes not possible while in monitor mode (driver dependent). Another aspect of monitor mode is that the NIC does not care whether the CRC values are correct for packets captured in monitor mode, so some packets that you see may in fact be corrupted.

Promiscuous mode allows you to view all wireless packets on a network to which you have associated. The need to associate means that you must have some means of authenticating yourself with an access point. In promiscuous mode, you will not see packets until you have associated. Not all wireless drivers support promiscuous mode.

From linkhere
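The remark above that monitor mode hands up frames whether or not their CRC is correct can be checked per packet on a capture. The following is an added example, not part of the original thread: it assumes each captured packet starts with a radiotap header (an assumption about the capture format), and the function names and the sample frame are constructed for illustration.

```python
import struct
import zlib

RT_PRESENT_TSFT = 1 << 0   # radiotap "present" bit 0: 8-byte timestamp
RT_PRESENT_FLAGS = 1 << 1  # radiotap "present" bit 1: 1-byte Flags field
RT_F_FCS = 0x10            # Flags: frame data ends with its 4-byte FCS
RT_F_BADFCS = 0x40         # Flags: driver saw the FCS check fail

def fcs(data: bytes) -> bytes:
    """802.11 FCS: CRC-32 of the frame, stored little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def check_capture(packet: bytes) -> str:
    """Classify a radiotap-prefixed packet as 'ok', 'corrupt' or 'no-fcs'."""
    version, _pad, rt_len, present = struct.unpack_from("<BBHI", packet, 0)
    if version != 0 or not 8 <= rt_len <= len(packet):
        raise ValueError("not a radiotap header")
    offset, word = 8, present
    while word & (1 << 31):            # skip extended "present" words
        (word,) = struct.unpack_from("<I", packet, offset)
        offset += 4
    flags = 0
    if present & RT_PRESENT_FLAGS:
        if present & RT_PRESENT_TSFT:  # TSFT precedes Flags, 8-byte aligned
            offset = ((offset + 7) & ~7) + 8
        flags = packet[offset]
    frame = packet[rt_len:]
    if not flags & RT_F_FCS or len(frame) < 4:
        return "no-fcs"                # nothing to verify against
    if flags & RT_F_BADFCS or fcs(frame[:-4]) != frame[-4:]:
        return "corrupt"
    return "ok"

# Constructed sample: 24-byte management-frame header with made-up addresses.
SAMPLE_FRAME = bytes.fromhex(
    "80000000" "ffffffffffff" "020000000001" "020000000001" "0000")

def build_sample(frame: bytes, damage: bool = False) -> bytes:
    """Constructed packet: minimal radiotap header (Flags only) + frame + FCS."""
    trailer = fcs(frame)
    if damage:                         # flip one bit after the FCS was computed
        frame = bytes([frame[0] ^ 0x01]) + frame[1:]
    header = struct.pack("<BBHIB", 0, 0, 9, RT_PRESENT_FLAGS, RT_F_FCS)
    return header + frame + trailer

if __name__ == "__main__":
    for pkt in (build_sample(SAMPLE_FRAME), build_sample(SAMPLE_FRAME, True)):
        print(check_capture(pkt))
```

Frames classified as `corrupt` are best dropped before any later filtering or decoding, since their header fields cannot be trusted.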
unknown user
That's sort of what I meant to say, but with a few arguments trying to make it a bit more believable, than some quote. But failing miserably, recognising that in the ps :) but hey I had just typed all that, I just hit send.

And with the knowledge that on ipw cards you typically don't have "promiscuous" in the sense of being able to see packets of other people on the network. Afaik it's a bit of a hassle, to implement and there is no real use for it. And with monitor mode you can have all that and more. filtering and decrypting can be done afterwards too, reasonably easy. So look for monitor mode ;-)

However you will never see all the packets you see when you plug in your ethernet cable, because they are simply never sent through an antenna.

X7HX
First of all, thank you for the replies.
@aceldama
I have a copy of backtrack I just hadn't the chance to run it yet, but I'll give it a try someday =)
@bb and rhican
Thanks for all the useful information ;) I was mixing up promiscuous mode and monitor mode a little.

Thanks again