Packet sniffing promiscuously on MacBook Air
I'm on a MacBook Air, and I got a book from the library about wireless network security. I've been following pretty diligently, but it seems like no matter what I do I cannot capture packets of other devices on my network.
I've tried using Wireshark, with the "promiscuous" box checked, on my en0 interface. (en0 is the only internet interface on a MacBook Air, the other options being loopback and peer to peer.)
I've added the wireless SSID and password to Wireshark and applied that change. I also tried disconnecting and reconnecting my iPhone to the network several times, hoping to pick up the traffic from there.
The last try: I used the raw tcpdump command as root, with and without the -p flag (-p means run in promiscuous mode), and then analyzed the packets from the pcap file, of which there were plenty, just not any from any other machines.
Clearly there is something I am missing, maybe some kind of internal configuration deal. I would really appreciate help on this; it would make a great demo for job interviews, and would be an awesome skill to have.
What you're looking for is "radio monitor mode". The drivers found in many OSes do not support it (esp. in Windows). There may be ways to get a Mac into the correct mode, but the wireless hardware has to support it (as we found with ThinkPads, they just won't do it).
The drivers of the wireless card should support monitor mode. An OS pre-loaded with such drivers, and a widely used solution, is Linux Backtrack. Why don't you try a live version of Backtrack? I can get you the command to enable it. By the way, normally in Windows you should buy a specific wireless USB dongle like http://bit.ly/12UFG4Z
"I've tried using WireShark, with the "promiscuous" box checked, on my en0 interface."
You say "en0", so you're running OS X (rather than, for example, Linux), so the "monitor mode" checkbox should work, and you're on a MacBook Air, so that's your AirPort interface, i.e. it's an 802.11 interface. "Promiscuous" mode doesn't necessarily work the way you'd want on 802.11 interfaces, so you need "monitor" mode.
Try checking the monitor mode checkbox, but note that, in monitor mode, traffic won't be decrypted if you're on a "protected" (WEP or WPA/WPA2) network; see the Wireshark Wiki "How to decrypt 802.11" page for details on how to decrypt the traffic.
If you want to use a command-line tool such as tcpdump or TShark, use the -I command-line flag to turn monitor mode on.
So if an 802.11 interface doesn't work the way I want it to, what interface will allow me to achieve the desired results? I only ask because I don't really want traffic from a billion wifi networks if I'm just looking for one signal.
"So if an 802.11 interface doesn't work the way I want it to" I didn't say the interface won't work the way you want, I said *promiscuous mode* won't work the way you want - it won't actually be "promiscuous" in the sense of capturing traffic to or from other machines. If you want to capture Wi-Fi traffic, that's 802.11 traffic, so you need an 802.11 interface, and you need monitor mode, with all its limitations. You'd have to use a capture filter if you want to limit the traffic you see.
Is there a way I can limit monitor mode to just traffic on my network, and then decrypt the 802.11 frames from there?
Not at the radio layer, so you can't change the way monitor mode behaves; you'd need a capture filter. You can't do that for control frames, but for management and data frames, try using a capture filter specifying that one of: the source address, destination address, receiver address, or the transmitter address must be the MAC address of your access point.
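As an added example (not part of this thread), the Python below applies the address rule from the reply above to a few constructed 802.11 frame headers: keep a frame if the access point's MAC appears in any of its address fields, and build the equivalent libpcap capture filter for tcpdump -I or Wireshark. The MAC addresses are constructed placeholders, and the ACK frame shows why control frames slip through such a filter.

```python
AP_MAC = "02:00:00:00:aa:01"       # constructed placeholder: our access point (BSSID)
PHONE = "02:00:00:00:bb:02"        # constructed placeholder: a client on our network
OTHER_AP = "02:00:00:00:cc:03"     # constructed placeholder: a neighbour's access point
OTHER_CLIENT = "02:00:00:00:dd:04" # constructed placeholder: a client on that network
BCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(m): return bytes(int(x, 16) for x in m.split(":"))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)

def build_frame(ftype, subtype, flags, *addrs):
    """Assemble a minimal 802.11 MAC header: frame control, duration, addresses."""
    hdr = bytes([(subtype << 4) | (ftype << 2), flags, 0, 0])   # duration = 0
    for a in addrs[:3]:
        hdr += mac_bytes(a)
    if ftype != 1:                        # management/data frames carry a sequence field
        hdr += b"\x00\x00"
        if len(addrs) == 4:               # addr4 only when To-DS and From-DS are both set
            hdr += mac_bytes(addrs[3])
    return hdr

def frame_addresses(frame):
    """Return the MAC addresses present in the header, which depends on the frame type."""
    ftype, subtype, flags = (frame[0] >> 2) & 3, frame[0] >> 4, frame[1]
    if ftype == 1:                        # control frame: RA, plus TA for RTS/PS-Poll/CF-End
        n = 1 if subtype in (0xC, 0xD) else 2   # CTS and ACK carry only the receiver address
        return [mac_str(frame[4 + 6 * i:10 + 6 * i]) for i in range(n)]
    out = [mac_str(frame[4 + 6 * i:10 + 6 * i]) for i in range(3)]
    if flags & 0x03 == 0x03:              # 4-address (WDS) frame
        out.append(mac_str(frame[24:30]))
    return out

def matches_ap(frame, ap_mac=AP_MAC):
    """The rule from the reply: keep the frame if the AP's MAC is in any address field."""
    return ap_mac in frame_addresses(frame)

def bpf_filter(ap_mac=AP_MAC):
    """Same rule as a libpcap capture filter for tcpdump -I / Wireshark."""
    return " or ".join(f"wlan addr{i} {ap_mac}" for i in range(1, 5))

# Constructed sample traffic as it would be seen in monitor mode.
FRAMES = {
    "beacon_from_ap": build_frame(0, 8, 0x00, BCAST, AP_MAC, AP_MAC),
    "data_phone_to_ap": build_frame(2, 0, 0x01, AP_MAC, PHONE, BCAST),            # To-DS
    "data_other_network": build_frame(2, 0, 0x02, OTHER_CLIENT, OTHER_AP, BCAST),  # From-DS
    "ack_from_ap": build_frame(1, 0xD, 0x00, PHONE),   # ACK: only RA, so no BSSID to match
}

def kept_frames():
    return sorted(name for name, f in FRAMES.items() if matches_ap(f))

if __name__ == "__main__":
    print(bpf_filter()); print(kept_frames())
```

The ACK the access point sends to the phone is dropped by the filter even though it belongs to your network, which is the control-frame limitation the reply mentions.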