11

I've been reading up on promiscuous mode and monitor mode as they relate to 802.11 networks. I understand the difference, which is explained here:

What is the difference between Promiscuous and Monitor Mode in Wireless Networks?

The definition is pretty simple. One you are associated with an AP, the other you are not.

My question is, what is the benefit of using promiscuous mode over monitor mode? When would you use one instead of the other?

If I want to monitor traffic between an AP and a device, both modes give me the capability. I feel like I am missing something that promiscuous mode allows you to do that you can't with monitor. I know monitor mode does not allow you to check CRCs, but still don't see a real advantage to using promiscuous mode beyond that.

ddATX

3 Answers

7

In "promiscuous mode", the driver still outputs standard Ethernet frames belonging to the one wireless network you are currently associated to (identified by the BSSID). Possibly the device will only dump packets from the AP to wireless devices, but not packets from wireless clients to the AP, as receiving packets from non-AP devices is not used in AP client mode.

In "monitor mode", you capture packets from all the networks operating on a chosen channel (possibly even adjacent channels - there is a reason that 802.11 DSSS beacons contain the channel number in the payload), and the driver does not output plain Ethernet, but needs to output more headers (there are 3 addresses in an 802.11 header, instead of just 2 addresses in the 802.3 Ethernet headers). Only special wireless monitoring software is able to process packets in the format dumped by the driver in monitor mode.

So monitor mode is advantageous if you want to really see what's going on, while promiscuous mode is there for compatibility with standard Ethernet network sniffing tools that can't handle the extended 802.11 frame format. If the tool you want to use supports monitor mode, use it. Use promiscuous mode only as backup.

Furthermore, some wireless driver/hardware allows your device to send completely arbitrary packets while in monitor mode - this is called packet injection.

Michael Karcher
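The three-address 802.11 header mentioned in the answer above, as an added example that is not part of the original answer: it parses the MAC header of a data frame as a monitor-mode capture would deliver it (assuming the radiotap header and FCS are already stripped), maps the addresses by the ToDS/FromDS bits, and shows which two addresses an Ethernet-style view keeps. The function names and the sample frames are constructed for illustration.

```python
import struct

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_dot11_data(frame: bytes) -> dict:
    """Map the addresses of an 802.11 data frame header (no radiotap, no FCS)."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    (fc,) = struct.unpack_from("<H", frame, 0)       # frame control, little-endian
    if (fc >> 2) & 0x3 != 2:                         # type field: 2 = data
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds and from_ds:                            # 4-address (WDS) frame
        if len(frame) < 30:
            raise ValueError("truncated 4-address header")
        dst, src, bssid = a3, frame[24:30], None
    elif to_ds:                                      # client -> AP
        dst, src, bssid = a3, a2, a1
    elif from_ds:                                    # AP -> client
        dst, src, bssid = a1, a3, a2
    else:                                            # ad hoc / direct link
        dst, src, bssid = a1, a2, a3
    return {
        "dst": mac(dst), "src": mac(src),
        "bssid": mac(bssid) if bssid else None,
        "to_ds": to_ds, "from_ds": from_ds,
        "protected": bool(fc & 0x4000),              # payload is link-layer encrypted
    }

def ethernet_view(frame: bytes) -> tuple:
    """The two addresses an Ethernet-style capture keeps; the BSSID is dropped."""
    h = parse_dot11_data(frame)
    return h["dst"], h["src"]

# Constructed sample headers (all addresses are made up).
AP = bytes.fromhex("020000000001")
STA = bytes.fromhex("020000000002")
GW = bytes.fromhex("020000000003")
UPLINK = bytes.fromhex("0841") + b"\x00\x00" + AP + STA + GW + b"\x10\x00"
DOWNLINK = bytes.fromhex("0802") + b"\x00\x00" + STA + AP + GW + b"\x20\x00"

if __name__ == "__main__":
    for f in (UPLINK, DOWNLINK):
        print(parse_dot11_data(f), ethernet_view(f))
```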
6

In addition to what Michael Karcher said, monitor mode has the advantage of not having to be associated with the AP. This makes it possible to be completely invisible, and to sniff packets on a network you don't have the password for. In promiscuous mode you have to associate with the AP, so you're sending out packets. Monitor mode can be completely passive.

In addition, monitor mode allows you to find hidden SSIDs. SSIDs aren't broadcast by the AP, but they are broadcast by the client.

Steve Sether
0

Packets captured in monitor mode will most likely be (Layer 2) encrypted with WPA or WEP. Wireshark can decrypt these packets if properly configured with the SSID and passphrase of the AP. Additionally, the EAPOL handshake packets must be observed by Wireshark in order to decrypt these packets.