I'm interested in capturing my own WEP and WPA association and authentication traffic so I can study and then understand it.  I set up two laptops, one running BT3 live CD and the other Windows XP with a Netgear WG511T PCMCIA wireless card.

I managed to get the capturing laptop configured and authenticated to my wireless router (WPA).  I also got my second laptop authenticated but didn't see any of the association/authentication packets when I ran Wireshark in BT3.  I set the capturing laptop wireless in promiscuous mode.  This is Intel PRO/Wireless 2200BG.

I ran the test again but didn't authenticate my capturing laptop first.  It didn't make any difference as I didn't see any traffic when the second laptop authenticated.

Finally, I captured traffic when the capturing laptop authenticated.  All I saw were a series of EAPOL frames.  There were no beacons, probes or frames containing the SSID.  I have seen a pcap file of the authentication process so I know that these additional frames should be present.

I just wonder if my Intel Wireless card isn't playing nicely with Wireshark.  Any tips?  I hasten to add that this is for my own education, rather than illicit activity in a coffee shop (etc.)!

Thank you for the guidance.  Your interpretation of the configuration is correct.

I ran lspci -k in BT3 and got the following:


so I tried lspci -v and got the following related to the ethernet and wireless:

I couldn't see anything relating to kernel module or drivers though.

I'll see if I can get BT4 to work.  I suppose my alternative is to get a USB or PCMCIA wireless card which will work.  I'm based in the UK so would prefer to get something here, rather than have to order from the US (with additional shipping charges).

I wondered if the -k switch was used in other versions ... I've managed to get BT4 working and the lspci -k output is:


I'm not even able to get connected to my wireless (WPA) card connected now though!  I'll get back into BT3, copy the entire wpa_supplicant.conf file and try that in BT4.

Unfortunately, the older laptop (the one with the PCMCIA card) won't run BT.  It was designed for W98 (yes, that old) and has 128MB RAM.  I'll try the PCMCIA card in the newer laptop though to see if it will pick up traffic from my wireless router.

BTW, do you have any recommendations for wireless cards (USB or PCMCIA) which will "play" with BT without any hassle?  I'm keen to capture the traffic so I can understand the authentication process.

Having got BT4 working, I tried connecting to my wireless router and could when I used the connection manager so it appears that the driver is correct but I still need to get the wpa_supplicant.conf file sorted.  I set up the second laptop and got it to associate too but nothing was picked up by Wireshark.  This is despite whether it was associated or not and whether it was in promiscuous mode or not.

I'll look into getting a second card from the list that you linked.  I just wonder if it's a problem of my configuration of Wireshark so I might ask on their forum.  I ran Kismet in BT3 (whilst not associated) and it picked up my home network, as expected, without any problems.

UPDATE (and sorry for not feeding back earlier!):

I've been pulling my hair out.   I managed to get a second Netgear WG511T PCMCIA card and all the research that I did led me to believe that it *should* work to collect management frames.  I looked into airmon-ng and issued:

ifconfig wlan0 down
airmon-ng start wlan0

which created a new entry in ifconfig -a (mon0)

I started Wireshark and collected using mon0.  Lo and behold, there were beacons and probes!  I switched back to my original WG511T card and it didn't work so I guess it's been a combination of a faulty card and the lack of my using airmon-ng.  Before you (Ketchup) mentioned this, I assumed that I could change the mode of the card from within Wireshark.

As a non-Linux user, it's been a steep learning curve ... but one which has made me more determined to learn more!

Thanks alucian.  I'm using a live BT4 CD and I'm considering using an old laptop (within the HCL) to load BT4.  I know that I can take an image to restore the laptop should I make any major configuration errors.  I'm pleased that I have a card and appropriate commands which will allow me to collect the traffic that I'll need to learn about the association and authentication process.