I'm trying to determine the difference between capturing 802.11 frames in the following ways on OSX (10.8.5). It's a bit esoteric, but I use "Option 2" to capture frames for later analysis, and am wondering if I'm missing something.
Option 1: use "airportd":
$sudo /usr/libexec/airportd en0 sniff
Option 2: use "airport" followed by tcpdump:
sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport --channel=
sudo tcpdump -I -P -i en0 -w /tmp/capture.pcap (or alternatvely eliminate the -w and watch packets real-time).
From what I can tell:
Both commands, according to the wifi icon on OSX, put the interface into 'monitor' mode.
Both commands output a pcap file that is readable in both wireshark/tcpdump & Eye PA.
Both commands appear to capture management, control and data frames.
The rub:
Option 1 disconnects you from the network. This is expected, when putting an interface into 'monitor' mode.
Option 2 does NOT disconnect you, provided you've set the channel to the same channel your currently connected to. This has a distinct advantage of keeping your connection up while capturing in monitor mode.
My question: Option 2 does not seem like it should work, or more specifically, it does not seem like I should be able to remain connected while also capturing frames in monitor mode. On a wired NIC, you can be 'promiscuous' and still send frames, though I didn't think the same was true for wireless NIC. I'm questioning the validity of capturing frames w/ Option 2?