none
WiFi promiscuous mode

    Question

  • In NetMon 3.4, when I capture from WiFi while in Monitor Mode, NetMon will display the captured frames with a conversation ID of the form: {TCP:12, IPv4:11, WiFi:442}.  What does WiFi:442 mean?  I didn't see the 442 value in the frame.  How can I filter on that value, and how do I associate that with a specific channel and layer, so I don't have to scan all layers (and miss packets)?
    Azius Developer Training, Windows driver, internals, and security training See www.azius.com for information
    Monday, December 06, 2010 12:03 AM

All replies

  • Those are conversation IDs.  They are numeric values we assign for each conversation.  In the case of WiFi, each address pair is associate to a conversation.  You can filter on these or use the Right Click Find Conversation feature to show traffic based on the WiFi Conversation.  In this context, that means showing all the traffic between to WiFi addresses.

    The WiFi hardware only lets you listen to one channel/Layer at a time.  You can configure your WiFi adapter with Netmon if it supports WiFi managment.  If it does, you should see an option to configure this under the interface in the Select Network Adapters dialog.  You can see this on the start page, or when you hit the Configure Capture button.  There you will see a Scanning Options dialog.  Launching this will open a new executable that will configure the wireless interface to attache to another radio signal.

    You can filter on the Wifi Channel and Layer as well.  For the WifiChannel, it's easiest to use the property as below:

    property.WifiChannel==14

    For Layer, there is a table which describes the association of to the layer string.  The table is part of the parser code (NPL) which ships with the product.  I've pasted the table below.  To use it, your filter would look like "WiFi.MetaData.PhyType == 0x6".

    *** from wireless.npl ***

    Table WiFiPhyType (value)
    {
     switch (value)
     {
      case 4: "802.11a";
      case 5: "802.11b";
      case 6: "802.11g";
      case 7: "802.11n";
      default: FormatString("Undefined Value (%d)", value);
     }
    }

    In general, you can right click and select Add as Display Filter for normal filters.  For properties it's a little bit more difficult.  However, we do have a listing of some of the more popular properties and fields on our Wiki (http://social.technet.microsoft.com/wiki/contents/articles/network-monitor-fields-and-properties-for-filtering.aspx).  I've just added some of the wireless ones there.

    Also the video I did on that you can see by selecting the Video tab on the blog at http://Blogs.Technet.com/netmon.  In the 2nd advanced filtering video I discuss some other hints on how to find properties.

    Paul

    Wednesday, December 08, 2010 5:00 PM