Sniffing on a Mac
I got a question from a reader (Steve) about sniffing on a Macbook. It's a pretty simple subject, so I figured I'd address it here as well.
Steve's email was in response to my previous post on sniffing possibilities for the upcoming Apple iPad. He asked if I'd used VMware Fusion or any other virtualization software on a Mac OS X notebook so that I could run professional-grade WiFi sniffing software like WildPackets OmniPeek or AirMagnet WiFi Analyzer.
My answer was that, unfortunately, virtualization software is not a good option when it comes to sniffing. The basic problem is that for WiFi sniffing to work, your wireless adapter has to be put into monitor mode. That means having access to the drivers for your adapter (and, in most cases, changing them). When you use virtualization software to run Windows you lose your ability to access external network interfaces (such as the USB, PC Card or ExpressCard WiFi adapters that are typically used for sniffing). I've never tried to update drivers for internal (read: Mini-PCI or Mini-PCIe) WiFi adapters while running virtualization software, but on most Apple notebooks a Broadcom chipset is used for the internal WiFi adapter and Broadcom does not open up their code to allow developers to make drivers that would allow Broadcom adapters to be put into monitor mode.
It is a hassle to have to boot into Windows using BootCamp when you want to sniff on a Mac, but that's really the best option out there today. You could do what I do when I get lazy, which is use KisMAC 0.3 with a D-Link DWL-G122 USB adapter (along with Wireshark to view the sniffed frames), but for professional-grade WiFi sniffing the answer for Scott (and anyone else, really) is to lumber through booting into Windows whenever you need to sniff.
I know you are a Mac fan - and I too would like to have the professional grade Wireless LAN software work on my Mac.
I have got Wireshark to run on my Mac - but running AirMagnet natively would be fantastic!
Not holding my breath, but still hoping!
What about AirMagnet on the iPad. That's what I really want.