[Snort-users] no packets logged on wireless NIC using WinPcap 3.0, winsnort

Ben van der Merwe benm at ...12765...
Mon Feb 14 04:45:14 EST 2005

There used to be a document that listed all the wireless NICs that
work/do not work with WinPcap, but unfortunately this link does not exist
any more (http://home.comcast.net/~jay.deboer/airsnare/supported.htm).

This document is referenced in the FAQ section of the WinPcap home page.
Maybe we should ask 'polito.it' or airsnare to make this document available
again. We need to know who maintains this document at present.

----- Original Message ----- 
From: "Rich Adamson" <radamson at ...2127...>
To: "Ben van der Merwe" <benm at ...12765...>
Sent: Monday, February 14, 2005 1:36 PM
Subject: Re: [Snort-users] no packets logged on wireless NIC using WinPcap 3.0, winsnort

> In the win32 environment (can't speak to linux environment), snort still relies
> on the winpcap driver for monitoring traffic. However, not all wireless drivers
> have monitoring support, therefore winpcap cannot capture the data flows.
> Orinoco cards do; Linksys does not; not sure about Dlink.
> ------------------------
>> [Is this a 'wireless' limitation or a WinPCap/win32 limitation? Is 'snort wireless' ok on linux ???]
>> Original message:
>> Everything seems ok when I do a 'snort -W':
>> Interface Device  Description
>> -------------------------------------------
>> 1  \Device\NPF_{24284523-9129-4F0E-83A3-FB0731F53D25} (D-Link AirPlus Xtreme G DWL-G520 Adapter (Microsoft's Packet Scheduler) )
>> (although I am sure that I also had another eth interface listed when doing a similar command in windump)
>> When I try to log packets with ' snort -b -v -l c:\Snort\log -i 1'
>> I get an empty log file (which is deleted as soon as I stop snort).
>> I have used snort on linux for a while now, but I may be missing something obvious. I will continue scrutinizing README.wireless,
>> README.win32 and the faq in case I am doing something stupid.
>> I have used tcpdump (windump) for a while, but the wireless cards were not really supported.
>> snort (and winsnort) seem to have good support for wireless cards - is this due to an improvement in WinPcap ?
>> If this is true tcpdump should also have better support for wireless NICs.
>> Finally, what is meant by a wireless card that is in "RFMON" mode ? Is this not the default setting ? (How can I change this ?)
>> Some additional info on my installation:
>> 1) snort version: Version 2.3.0RC2-ODBC-MySQL-FlexRESP-WIN32 (Build 9)
>> 2) WinPcap 3.0
>> 3) Windows XP Home Service Pack 2 (with automatic updates)
>> (I also had to change the permissions on my c:\snort directories before the empty log file was created.)
>> Thank you.
>> Ben
> ---------------End of Original Message-----------------
