Wireless Packet Sniffing and ShowEQ



elf
08-11-2008, 01:26 PM
Alright, I'm back in EQ after a long vacation, and my poor hub has all but given up. I'm trying to get ShowEQ working with the wireless network here, and having very little luck at all. I know my wireless card, Netgear WG511 with prism54 drivers, can switch to Monitor mode and sniff; I've tested it with Wireshark and can see the traffic. When using ShowEQ, running 'showeq -i eth1' to get the right network adapter, I see a normal startup followed by a message like
Client Detected 3.0.0.0
but it never gets any further than that. No zone detection, and no skittles. Below is what I normally do to put the card in sniffing mode, and what lets me pick up the other wireless traffic generated by my EQ machine, but which doesn't allow ShowEQ to work. I get the feeling I'm skipping a crucial step, but I just can't remember what it might be.
iwconfig eth1 essid linksys
iwconfig eth1 channel 6
iwconfig eth1 mode monitor
ifconfig eth1 up
showeq -i eth1
Any guidance on this?

65536
08-11-2008, 04:17 PM
I don't have any experience with ShowEQ or Linux, but if you're in monitor mode you probably have to tell ShowEQ what IP or MAC to listen on. Just browsing ShowEQ source code it looks like IP and MAC are set in the XML preferences file.

BlueAdept
08-12-2008, 09:15 AM
I do not think you are going to get it to work.

A wireless router would be a switch, not a hub. Your PC that you are trying to monitor from wouldn't see the packets.

The only way I would see this working would be this way.


Wireless router
|
laptop - computer

If you have it this way


Wireless router
| |
laptop computer

I do not see a way for it to work.

The packets have to be sent to the laptop or it won't see them, since switches don't usually broadcast other packets.

65536
08-12-2008, 12:51 PM
Actually what he is referring to is catching the packets over the air. In monitor mode you can make your network card pass all the packets it sees even if they aren't addressed to you.

When I first replied I thought you were referring to promiscuous mode. My wireless card on my laptop doesn't support monitor mode so my knowledge is kind of limited. I know monitor mode is used for cracking wireless encryption. So if you are running an encrypted network ShowEQ will only see the encrypted packets.

I would try promiscuous mode. ShowEQ enables it for you by default. The limitation on promiscuous mode is that you can only see packets on the network you are connected to. Also, on my laptop even in promiscuous mode I can only see packets not addressed to me on an unencrypted network. I don't think that is universal though. It could be Windows filtering those packets as well. Easy enough to test with Wireshark anyway.

The only other potential problem I see is that ShowEQ may be filtering packets not sent to you. It looks like if you set your IP to 127.0.0.1 ShowEQ doesn't filter packets based on IP/MAC. If you specify an IP it will filter based on that, and if you specify a MAC it will ignore your IP setting and only filter based on MAC. It looks like you can specify them as command line arguments as well as in the XML file.

You should be able to just do.


showeq -ip-address 192.168.youget.theidea
or
showeq -mac-address 00:00:00:00:00:00

elf
08-12-2008, 05:01 PM
When I first replied I thought you were referring to promiscuous mode. My wireless card on my laptop doesn't support monitor mode so my knowledge is kind of limited. I know monitor mode is used for cracking wireless encryption. So if you are running an encrypted network ShowEQ will only see the encrypted packets.

I would try promiscuous mode. ShowEQ enables it for you by default. The limitation on promiscuous mode is that you can only see packets on the network you are connected to. Also, on my laptop even in promiscuous mode I can only see packets not addressed to me on an unencrypted network. I don't think that is universal though. It could be Windows filtering those packets as well. Easy enough to test with Wireshark anyway.

Wireshark picks up the 802.11 packets. I can pick up my IM conversations, HTTP data, and what I suspect is the EQ data as well. I don't have an old packet dump to compare against, so I'm not certain that the data I see is EQ, but the timing looks right.

ShowEQ actually does pick up something, checking the network diagnostics window, I am getting client to world, client to zone, and zone to client packets. What appears to be missing, and possibly why I'm not getting anything on the screen, is the world to client packets.

The only other potential problem I see is that ShowEQ may be filtering packets not sent to you. It looks like if you set your IP to 127.0.0.1 ShowEQ doesn't filter packets based on IP/MAC. If you specify an IP it will filter based on that, and if you specify a MAC it will ignore your IP setting and only filter based on MAC. It looks like you can specify them as command line arguments as well as in the XML file.

You should be able to just do.


showeq -ip-address 192.168.youget.theidea
or
showeq -mac-address 00:00:00:00:00:00


I tried filtering based on MAC, again I got the 'Info: Client Detected 3.0.0.0' message, but no zone detection. Zoning after log in hasn't helped this.

As for the difference between promisc mode and monitor mode in wireless cards, what I've read hasn't indicated much of a difference. Some cards might only go into promisc mode and search packets from the network they are on, but with the card in monitor mode it should be picking up all packets traversing that channel (plus and minus 3 channels as well). Wireshark indicates that it is picking up the packets; something is just getting in the way of ShowEQ processing them. Guess I'll have to find an old packet dump, or rig the hub to a working state, and see what difference there is between the data that is traveling over the wire and over the radio.

I had thought, from searching the forums, that I saw mentions of others getting ShowEQ over wifi working, and thought I was just missing something simple. Oh well, challenges are fun too.

koolatron
11-04-2008, 10:26 PM
I've managed to get this working; furthermore, it works with whatever encryption settings you please (I use WPA) - meaning you won't have to play EQ on an unsecured network just to get SEQ working.

I got it working by poisoning the ARP caches of both my router and EQ machine. The arpspoof tool, part of the dsniff distribution, should help.

Also, make sure you turn kernel IP forwarding on.

k
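
A defender-side check for the ARP cache poisoning described in the last post, as an added example that is not part of the original thread: on the affected machine the gateway's IP and a second host's IP resolve to the same MAC, and the gateway's MAC no longer matches a known-good value. The addresses, the pinned MAC and the function names are constructed for illustration; the table layout is that of Linux `/proc/net/arp`.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): spot ARP cache poisoning on a Linux
# host by inspecting a neighbour table in /proc/net/arp format.

# Constructed sample: the gateway (.1) and another host (.50) share one MAC,
# which is what a poisoned cache looks like from the victim's side.
sample_arp_table() {
    cat <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         02:00:00:aa:bb:cc     *        eth0
192.168.1.50     0x1         0x2         02:00:00:AA:BB:CC     *        eth0
192.168.1.20     0x1         0x2         02:00:00:11:22:33     *        eth0
192.168.1.99     0x1         0x0         00:00:00:00:00:00     *        eth0
EOF
}

# Print "mac ip1,ip2" for each MAC that answers for more than one IP.
# Reads the table from stdin; incomplete entries (flags 0x0) are ignored.
arp_shared_macs() {
    awk 'NR > 1 && $3 != "0x0" {
             mac = tolower($4)
             if (mac in ips) ips[mac] = ips[mac] "," $1; else ips[mac] = $1
             count[mac]++
         }
         END { for (m in count) if (count[m] > 1) print m, ips[m] }' | sort
}

# Compare the gateway's cached MAC with a pinned known-good value.
# Reads the table from stdin. Returns 0 on match, 1 on mismatch,
# 2 if the gateway has no entry at all.
arp_check_gateway() {
    gw_ip=$1
    pinned=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    current=$(awk -v ip="$gw_ip" 'NR > 1 && $1 == ip { print tolower($4); exit }')
    [ -n "$current" ] || return 2
    [ "$current" = "$pinned" ]
}

# Demo on the constructed table (pinned gateway MAC is a constructed value).
# On a live host: arp_shared_macs < /proc/net/arp
sample_arp_table | arp_shared_macs
sample_arp_table | arp_check_gateway 192.168.1.1 02:00:00:00:00:01 \
    || echo "gateway MAC differs from pinned value"
```

A shared MAC is not proof on its own (a router with several addresses on one interface also produces it), so the pinned-gateway comparison is the stronger signal.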