[Snort-users] no packets logged on wireless NIC using WinPcap 3.0, winsnort

Ben van der Merwe benm at ...12765...
Mon Feb 14 04:45:14 EST 2005


There used to be a document that listed all the wireless NICs that 
work/do not work with WinPcap, but unfortunately this link does not exist 
any more (http://home.comcast.net/~jay.deboer/airsnare/supported.htm).

This document is referenced in the FAQ section of the WinPcap home page 
(http://winpcap.polito.it/misc/faq.htm#Q-16).
Maybe we should ask 'polito.it' or airsnare to make this document available 
again. We need to know who maintains this document at present.


----- Original Message ----- 
From: "Rich Adamson" <radamson at ...2127...>
To: "Ben van der Merwe" <benm at ...12765...>
Sent: Monday, February 14, 2005 1:36 PM
Subject: Re: [Snort-users] no packets logged on wireless NIC using WinPcap 
3.0, winsnort


> In the win32 environment (can't speak to linux environment), snort still relies
> on the winpcap driver for monitoring traffic. However, not all wireless drivers
> have monitoring support, therefore winpcap cannot capture the data flows.
> Orinoco cards do; Linksys does not; not sure about Dlink.
>
> ------------------------
>
>> [Is this a 'wireless' limitation or a WinPCap/win32 limitation? Is 'snort
>> wireless' ok on linux ???]
>> Original message:
>>
>> Everything seems ok when I do a 'snort -W':
>> Interface Device  Description
>> -------------------------------------------
>> 1  \Device\NPF_{24284523-9129-4F0E-83A3-FB0731F53D25} (D-Link AirPlus Xtreme G DWL-G520 Adapter (Microsoft's Packet Scheduler) )
>>
>> (although I am sure that I also had another eth interface listed when
>> doing a similar command in windump)
>>
>> When I try to log packets with 'snort -b -v -l c:\Snort\log -i 1'
>> I get an empty log file (which is deleted as soon as I stop snort).
>> I have used snort on linux for a while now, but I may be missing
>> something obvious. I will continue scrutinizing README.wireless,
>> README.win32 and the faq in case I am doing something stupid.
>> I have used tcpdump (windump) for a while, but the wireless cards were
>> not really supported.
>> snort (and winsnort) seem to have good support for wireless cards - is
>> this due to an improvement in WinPcap?
>> If this is true tcpdump should also have better support for wireless
>> NICs.
>> Finally, what is meant by a wireless card that is in "RFMON" mode? Is
>> this not the default setting? (How can I change this?)
>>
>> Some additional info on my installation:
>> 1) snort version: Version 2.3.0RC2-ODBC-MySQL-FlexRESP-WIN32 (Build 9)
>> 2) WinPcap 3.0
>> 3) Windows XP Home Service Pack 2 (with automatic updates)
>> (I also had to change the permissions on my c:\snort directories before
>> the empty log file was created.)
>>
>> Thank you.
>> Ben
>>
> ---------------End of Original Message-----------------