I'm no expert, far from it.  So I could be very very wrong.  If so, I'm sure somebody will correct me.  But, I don't believe disabling DHCP makes you to much more secure.  It probably just adds a couple more steps for an intruder to get a full connection.  The IP range, I think, only relates to the DHCP.  You could apply a static address outside of that range, as long as it is with in the proper subnet.  Again, just a reminder, I'm probably wrong here.  But I think you should be able to sniff some broadcast packets that would give an attacker a hint at the subnet, which would give them a green light to set their own IP.  As long as I'm not blindingly wrong here, Wireshark should be able to do that for you.  You won't get the IP range, because it's not being used.

I would "connect" like you have been then start sniffing, and leave it sniffing for a while.  Disconnect and reconnect your other machine, then go play around on the net for a little bit.  I think you should be able to sniff a broadcast ARP request packet, even if you don't have an IP.

I hope I gave enough warning that this could all be completely wrong.  It's not something I've tried or tested.  Just a theoretical, semi-educated guess.

If I find some extra time in the next day or two, I'll try to test it out on my lab and see if anything I said was true.

Use Kismet. With no IP address (and guessing could take a while), you're not on the same subnet, so sniffing with Wireshark won't work. You need to pick it out of the air. Put your wireless card into monitor mode, open Kismet, lock in on the channel and start sniffing. It's built into BackTrack, so that should help.

Search Google for "kismet sniff ip address"

Hope this helps,
Don

Since Ketchup was a little faster than me, I'll also offer up this tidbit. Since this is passive, it will only report on IPs it hears. Therefore, it will NOT give you the range of possible IP addresses. It will only give you the IP addresses it was successfully able to pick out of the air.

Don