Jeff Liebermann <firstname.lastname@example.org> wrote:
> On 14 May 2011 17:21:57 GMT, Axel Hammerschmidt <email@example.com>
> >Aaron Leonard:
> >> Also I would be interested in hearing whether anyone has an
> >> adapter / driver that appears to successfully sniff 802.11n frames
> >> using Netmon (unfortunately, the Intel 11n adapters do not.)
> >How do I tell from looking at the sniffed packets, that they really
> >are 802.11n?
> Good questions. If you sniff and get nothing, it's 802.11n. That's
> because the data from a spatial diversity "N" radio goes via two or
> more paths. Each path contains part of the data, each of which is
> slightly time shifted, which is then reassembled by the receiver. In
> order to sniff such multiple paths, the sniffer would need to hear all
> the various paths, (which can be at different rates), hope that there
> are no collisions or inter-symbol interference, and do quite a bit of
> guesswork in order to get usable data. I don't think this is going to
Does 802.11n use beam forming?
Anyway, I have the computer connected to the AP right next to the
computer doing the capture.
> >BTW, why are you using Wireshark when NM3.4 has easy to write
> Perhaps because Wireshark can decode wireless packets directly, while
> Netmon 3.4 relys on an external protocol decoder, err... parser?
> (Note: I haven't tried this decoder/parser/whatever yet).
Here are two captures http://users.cybercity.dk/~ds487543/Datatid.cap http://users.cybercity.dk/~ds487543/Datatid20110514.cap
The first is a capture from an 802.11b AP done November 23rd last year.
I seem to remember using a Thinkpad, connected to the AP.
The second was captured yesterday, a Macbook Pro connected to the
Netgear WHDE111, setup running 802.11n only.
Both captures were done on the same Macbook Early 2009 running NM3.4 in
Monitor Mode under Vista.
The first thing one notices is that the second .cap file is much bigger
- almost 4x bigger - than the first, although both sessions connect to www.datatid.dk
and perform two login attempts and then close the
You'll also notice, that all frames are 802.11n, but i think that's
because the wireless card in the sniffing computer is 802.11n.
There are malformed packets in both .cap files.
The login attempts can be found by using a filter - that looks for
But only the attempts in the first .cap can be found using NM3.4. I'm
not sure why?
Using Wireshark 1.4.1 (Mac OS X 10.5.8 - X Window System) the login
attempt can be found in both .cap files.
So I think Wireshark is capable of doing som reassembling that NM3.4
The username is: pladder, and the password is: balle. This is for
demonstration only. I don't have an account at the site - that belongs
to a Danish computer magasine.