document updated 15 years ago, on Jan 2, 2009
modes/capabilities
It's important to understand the difference between monitor mode and promiscuous mode.
Monitor mode lets you listen to all transmissions on a given RF channel, regardless of which AP they come from, and without associating to an access point. Even if you only want to listen to one AP, but can't/don't want to associate yet, you have to use monitor mode, not promiscuous mode.
Promiscuous mode comes into play after you've associated to one AP. It means you can listen to all frames on that network, even if they weren't addressed to you.
monitor mode — not associated with any AP
Most wifi drivers don't support monitor mode. It's not an everyday feature, and apparently it requires a lot of extra work to implement.
On Linux, a number of drivers have been enhanced to do monitor mode.
On Windows, there's generally much less support.
- Usually the only option is to use third-party commercially-developed drivers:
promiscuous mode — associated to an AP
- non-promiscuous mode
  - some wireless drivers will return ZERO packets if you capture in "promiscuous mode", BUT WILL capture at least some packets if you turn promiscuous mode off at the start of capture
- promiscuous mode
Note that for cards that support monitor mode but not promiscuous mode, it's still possible to decrypt the resulting .cap file afterwards in software.
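Added example (not from the original page): a small checker that reads a classic pcap (.cap) file, tells from its link-layer type whether it was taken in monitor mode (raw 802.11, with or without a radiotap header) or on an associated interface (Ethernet), and counts how many 802.11 frames still carry the Protected Frame bit, i.e. still need decrypting. The sample capture is constructed inline; the link type numbers are the standard pcap values.

```python
import struct

# Standard pcap link-layer types relevant to wifi captures.
LINKTYPES = {1: "Ethernet (capture on an associated interface)",
             105: "IEEE 802.11 (monitor mode, no radiotap)",
             127: "IEEE 802.11 + radiotap (monitor mode)"}

def parse_pcap(data):
    """Return (linktype, [packet bytes, ...]) from a classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xa1b2c3d4:
        endian = "<"
    elif magic == 0xd4c3b2a1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng not handled here)")
    # version major/minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    records, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        records.append(data[off:off + incl_len])
        off += incl_len
    return linktype, records

def dot11_frame(pkt, linktype):
    """Strip the radiotap header if present; None if this is not an 802.11 capture."""
    if linktype == 127:
        rt_len, = struct.unpack_from("<H", pkt, 2)  # radiotap length is always little-endian
        return pkt[rt_len:]
    return pkt if linktype == 105 else None

def summarize(data):
    linktype, records = parse_pcap(data)
    summary = {"linktype": linktype, "frames": len(records), "data_frames": 0, "protected": 0}
    for pkt in records:
        f = dot11_frame(pkt, linktype)
        if f is None or len(f) < 2:
            continue
        if (f[0] >> 2) & 0x3 == 2:       # frame control type field: 2 = data frame
            summary["data_frames"] += 1
        if f[1] & 0x40:                  # Protected Frame bit: body is WEP/TKIP/CCMP encrypted
            summary["protected"] += 1
    return summary

def build_sample():
    """Constructed radiotap capture: one beacon, two protected data frames, one open data frame."""
    hdr = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 127)
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)  # minimal 8-byte radiotap header
    frame = lambda fc0, fc1: radiotap + bytes([fc0, fc1]) + b"\x00" * 22
    frames = [frame(0x80, 0x00), frame(0x08, 0x41), frame(0x08, 0x42), frame(0x08, 0x01)]
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
```

Run `summarize(open("capture.cap", "rb").read())` on a real file; a linktype of 1 means the card was associated and the frames are already plain Ethernet, so no 802.11 decryption step applies.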
packet injection
Usually done with the aireplay-ng tool.
Injection is usually only needed when cracking WEP/WPA (specifically to do fake authentication and to do the chopchop or fragmentation attacks). Even fewer cards support this than the other features.
how-to
decrypting WEP/WPA
Sometimes it's preferable to capture in monitor mode, even when you know the password. In this case, you want to decrypt the packets in software so you can see the contents. Ways to do this: