Hello. I have an HP laptop I bought not too long ago running Windows 8, and I was wondering if there are Windows drivers out there for my Qualcomm Atheros AR9485 802.11b/g/n WiFi adapter that Wireshark could make use of to put the card into promiscuous or monitor mode. First of all, is there a difference between promiscuous and monitor mode, or are they two terms for the same thing? I am certain that my Atheros WiFi NIC has support for promiscuous mode built into the hardware, but most Windows drivers don't implement it. It has been suggested that I try using WinPcap, but WinPcap is installed along with Wireshark, and Wireshark on my Windows 8 laptop is unable to throw the card into promiscuous mode. If there are Windows drivers that would allow me to do this that Wireshark can use, that'd be great. If I have to download a different packet sniffer using its own custom drivers to get use of promiscuous mode, that's alright I guess. I am aware, and I know, that most Linux distributions, such as Backtrack, can do it no problem, but if I could get it working under Windows 8 I would really like to. Any help would be greatly appreciated. Thanks.
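The question above asks whether promiscuous and monitor mode are the same thing. The practical difference shows up in what the capture driver hands Wireshark: a promiscuous-mode capture on a Windows NDIS WiFi adapter delivers Ethernet-framed packets (pcap link type 1, DLT_EN10MB), while a monitor-mode capture (AirPcap on Windows, or a Linux driver) delivers raw 802.11 frames behind a radiotap header (link type 127, DLT_IEEE802_11_RADIO), including management frames such as beacons and probe requests that never appear in an Ethernet-framed capture. The parser below is an added example, not code from this thread or from Wireshark; it decodes one constructed frame of each kind, and the MAC addresses, SSID and frame contents are made up.

```python
import struct

# pcap link-layer types (values from libpcap's DLT list)
DLT_EN10MB = 1              # Ethernet II: what a promiscuous-mode capture on an NDIS WiFi adapter yields
DLT_IEEE802_11_RADIO = 127  # radiotap header + raw 802.11: what a monitor-mode capture yields

FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}
MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
                 8: "beacon", 11: "auth", 12: "deauth"}


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_ethernet(frame):
    """Ethernet II header: dst(6) src(6) ethertype(2). 802.11 management/control frames never appear here."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return {"link": "ethernet", "dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12]),
            "ethertype": ethertype, "payload_len": len(frame) - 14}


def beacon_ssid(ies):
    """Walk the information elements of a beacon body and return the SSID (element id 0), if present."""
    i = 0
    while i + 2 <= len(ies):
        eid, elen = ies[i], ies[i + 1]
        if eid == 0:
            return ies[i + 2:i + 2 + elen].decode("utf-8", "replace")
        i += 2 + elen
    return None


def parse_radiotap_80211(frame):
    """Radiotap header (little-endian: version, pad, length, present bitmap) followed by an 802.11 MAC header."""
    if len(frame) < 8:
        raise ValueError("short radiotap header")
    version, _pad, rt_len = struct.unpack("<BBH", frame[0:4])
    if version != 0 or rt_len < 8 or rt_len > len(frame):
        raise ValueError("bad radiotap header")
    dot11 = frame[rt_len:]
    if len(dot11) < 10:                      # shortest 802.11 frame (an ACK) is 10 bytes
        raise ValueError("short 802.11 header")
    fc, flags = dot11[0], dot11[1]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    info = {"link": "80211", "radiotap_len": rt_len, "type": FRAME_TYPES[ftype],
            "subtype": subtype, "to_ds": bool(flags & 0x1), "from_ds": bool(flags & 0x2),
            "addr1": mac_str(dot11[4:10])}
    if ftype != 1 and len(dot11) >= 24:      # management and data frames carry addr2/addr3
        info["addr2"] = mac_str(dot11[10:16])
        info["addr3"] = mac_str(dot11[16:22])
    if ftype == 0:
        info["subtype"] = MGMT_SUBTYPES.get(subtype, f"mgmt-{subtype}")
        if subtype == 8:                     # beacon body: timestamp(8) interval(2) capability(2), then IEs
            info["ssid"] = beacon_ssid(dot11[24 + 12:])
    return info


def classify(frame, dlt):
    """Dispatch on the capture's link type, as Wireshark does per interface."""
    if dlt == DLT_EN10MB:
        return parse_ethernet(frame)
    if dlt == DLT_IEEE802_11_RADIO:
        return parse_radiotap_80211(frame)
    raise ValueError(f"unsupported link type {dlt}")


# Constructed sample frames (hypothetical addresses and SSID, not captures from the thread).
ETH_ARP = bytes.fromhex("ffffffffffff" "001122334455" "0806") + bytes(28)
BEACON = (bytes.fromhex("0000080000000000")                        # radiotap: v0, len 8, no fields
          + bytes.fromhex("8000" "0000" "ffffffffffff"             # FC=beacon, duration, addr1=broadcast
                          "66778899aabb" "66778899aabb" "1000")   # addr2/addr3 = AP, sequence control
          + bytes(8) + bytes.fromhex("6400" "0104")                # timestamp, interval 100, capability
          + bytes.fromhex("0004") + b"test")                       # SSID information element

if __name__ == "__main__":
    print(classify(ETH_ARP, DLT_EN10MB))
    print(classify(BEACON, DLT_IEEE802_11_RADIO))
```

The beacon decodes to a management frame with an SSID, which is information an Ethernet-framed promiscuous capture cannot carry at all; that is the concrete sense in which the two modes differ, and why a tool that only offers promiscuous mode on Windows cannot substitute for monitor mode.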
Posted 27 December 2013 - 09:42 PM
Because of NDIS, the only way (I know of) to get a Windows WiFi chipset into monitor mode is AirPcap with an AirPcap adapter. I have one, but Linux with an Alfa USB is much better and cheaper. That can be run in a Linux VM as well.
I never had much luck with Windows, promiscuous mode, and WiFi. I know most Broadcom chipsets will do it, as will Windows drivers for the old Prism 2.5 chipset. The Prism 2.5 is 802.11b only. Not sure of newer Broadcom A/B/G/N chipsets either (that's A as in 802.11n on 2.4 & 5.2, not old 802.11a).
You can always ARP-spoof the entire broadcast domain, but that can cause a lot of trouble on networks with a lot of hosts, or if your computer is too under-powered to process all the traffic.
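The reply above mentions ARP spoofing as a way to see a whole broadcast domain's traffic without monitor mode, and notes the trouble it causes. From the defender's side, the same traffic is easy to detect with an ordinary (non-promiscuous) capture, because the poisoning leaves two signatures in ARP replies: an IP address whose MAC binding changes, and one MAC answering for several IP addresses. The following monitor is an added example, not code from the thread; it parses Ethernet-framed ARP replies and flags both patterns. The addresses and the sequence of frames are constructed, and `build_arp_reply` exists only to produce that test input.

```python
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet II + ARP reply (42 bytes); only used to feed sample input to the monitor."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # Ethernet, IPv4, hlen 6, plen 4, reply
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet-framed IPv4 ARP packet, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, mac_str(frame[22:28]), ip_str(frame[28:32])


class ArpMonitor:
    """Tracks IP->MAC bindings seen in ARP replies and flags the patterns cache poisoning leaves behind."""

    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)

    def observe(self, frame):
        """Feed one frame; returns the alerts (if any) this frame triggered."""
        alerts = []
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return alerts
        _, mac, ip = parsed
        previous = self.ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(("mac_change", ip, previous, mac))      # an IP's owner silently changed
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:                         # one MAC answering for several IPs
            alerts.append(("multi_ip", mac, tuple(sorted(self.mac_to_ips[mac]))))
        return alerts

    def run(self, frames):
        out = []
        for f in frames:
            out.extend(self.observe(f))
        return out


# Constructed sample sequence (hypothetical addresses): two legitimate hosts, then a rogue station.
GATEWAY, HOST = "192.168.1.1", "192.168.1.10"
GW_MAC, HOST_MAC, ROGUE_MAC = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:10", "de:ad:be:ef:00:99"
SAMPLE_FRAMES = [
    build_arp_reply(GW_MAC, GATEWAY, HOST_MAC, HOST),     # normal: gateway answers the host
    build_arp_reply(HOST_MAC, HOST, GW_MAC, GATEWAY),     # normal: host answers the gateway
    build_arp_reply(GW_MAC, GATEWAY, HOST_MAC, HOST),     # repeat of a known binding: quiet
    build_arp_reply(ROGUE_MAC, GATEWAY, HOST_MAC, HOST),  # rogue station now claims the gateway IP
    build_arp_reply(ROGUE_MAC, HOST, GW_MAC, GATEWAY),    # and the host IP too: answers for both ends
]

if __name__ == "__main__":
    for alert in ArpMonitor().run(SAMPLE_FRAMES):
        print(alert)
```

The `multi_ip` rule needs tuning on real networks: a router holding several addresses, or a VRRP/HSRP pair, legitimately answers for more than one IP from one MAC, so in practice it is worth seeding the monitor with the known gateway bindings and treating only changes to those as high severity.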
Posted 28 December 2013 - 12:20 AM
I know this is gonna sound absolutely absurd, especially when you consider that achieving promiscuous/monitor mode in Linux is not difficult at all, but I may actually go as far as to write my own packet sniffer that makes use of custom drivers written myself. I have always wanted to dabble some in learning assembly (I know a little x86 already), and teach myself how to do some low-level hardware programming aimed at certain devices. I guess now I have a reason to. Just wonder how long it'll take me. I think maybe I will attempt it over the summer when I will have an extended break from college courses.
Edited by vindy, 28 December 2013 - 12:21 AM.
Posted 28 December 2013 - 12:26 AM
I just hope I don't run into some kind of trouble, like Windows 8 refusing to run my custom self-written drivers because it can't identify them. I was reading something just recently somewhere talking about how new versions of Windows (maybe it was Vista, I can't recall) will not accept certain drivers for some devices if they are not Microsoft signed. Guess I'll just have to cross my fingers, or find out how to forge Microsoft signatures on software.
Posted 28 December 2013 - 12:57 AM
They do not need to be signed. The user will get a warning, stating they are not signed. They will be presented with an option to either install them, or skip installation.
You might be thinking of PatchGuard, starting with Vista 64-bit. Kernel patching is just the term used, not like patching a Linux kernel. It basically blocks low-level access to kernel services. Drivers were unaffected.
In the past I've wondered why no Windows drivers could do monitor mode. It is because of NDIS. All Windows adapters use it so they can bind more than one protocol to a single adapter. I guess the low-level functions make it difficult. AirPcap uses its own networking subsystem, not built into Windows.
Edited by tekio, 28 December 2013 - 01:01 AM.