On Second Thought, I Am Into Airpcap... Sometimes
At the risk of sounding like a flip-flopper, I have to reassess my previous post about Airpcap. I was doing some sniffing on a few flights recently and I realized that there are some pretty nice things about CACE Technologies' signature product.
Nine days ago, I was frustrated. After using Wireshark to view WiFi packet dumps from KisMAC for years, I thought that I was finally being upgraded to first class. I had my Airpcap NX, my CACE Pilot and a few days off from my real work to finally become the acolyte of the open source sniffing movement that I've always wanted to be. (O.K., not really.) I spent my time with the CACE Tech Triumvirate and at every turn I became more and more angered. Every standard sniffing activity seemed three steps harder and two times slower than it should have been. Association tracking, retry analysis; you name it. They all were a pain.
I finally gave up and wrote a regrettably titled column citing my displeasure with the whole lot of them. I then tossed the Airpcap NX into my computer bag and figured that was the last time I'd see it for a while.
A few days later, I took a flight on United. Though a joyous experience in most cases due to the extra legroom of Economy Plus (I'm 6'3" with no torso), this flight saw me crammed five rows from the back in a middle seat due to some standby shenanigans. There was no WiFi on-board, which I saw as an opportunity rather than a handicap. I figured I'd do a little sniffing and see who's being naughty by leaving their laptop WiFi enabled on a no-wireless flight.
I fired up my usual Snow Leopard/KisMAC 0.3/DWL-G122/Wireshark combination and commenced sniffing. I scanned channels and I set channels and I refreshed packets and I realized... this sucks! I don't like having to refresh Wireshark to get the latest packets. I don't like not being able to see the signal strength when I see some laptop still sending Probe Requests for "Boingo Hotspot". And I really don't like having to remember to delete dump files after I'm done sniffing so that I don't forget which ones are useful and which ones are junk. In short, I don't like not having my Airpcap.
Luckily, my computer bag was with me at my seat. (Isn't it always, fellow IT travelers?) I booted into Windows, grabbed my Airpcap NX and I was back seeing all of the stuff I was missing by not having that direct capture into Wireshark.
So maybe the Airpcap/Pilot/Wireshark combo can't do what OmniPeek can do. What can? OmniPeek is great and all, but as I sat there in 28B I realized that for folks who are committed to Wireshark, having an Airpcap adapter is borderline essential for sniffing WiFi. And here I was pooh-poohing it using the title of a banal romantic comedy. What sort of monster had I become?
Well, I'm a contrite monster at this point. I now think that I was too negative about Airpcap NX. It really is a useful tool for using Wireshark. I'm not going to put out positive notices about CACE Pilot, yet -- that one still has a ways to go. But the Airpcap adapters really do offer a dramatic improvement to the WiFi sniffing experience on Wireshark and I'd recommend them for folks who see the cost of OmniPeek or AirMagnet as beyond their range.
FYI, there is an alternative for monitor mode packet captures in Windows: Microsoft NetMonitor utilizes the Windows NDIS 6 driver to place adapters in monitor mode. I use it on my Lenovo NetBook all the time, coupled with a $12 Mini PCIe card capable of promiscuous, monitor and master mode. NetMon doesn't have some of the nicer features of Wireshark, but it gets the job done nicely.
Hi Ben.
You said you use a DWL-G122 in Leopard. Can you capture packets in promiscuous mode? I got one, the Ver C1, but I don't know how it could work in this mode.
Can you help me?
Thanks.