atheros card and radiotap headers

Luca Micali luca.micali at gmail.com
Mon May 16 02:58:48 PDT 2005


Hi all,
I have really big problems with radiotap-enabled captures, especially
with the atheros card/driver.

Let's proceed. My test system is a fujitsu p7010, and FreeBSD 5.4-RELEASE

[root at dagger.sunspot.org] # uname -a
FreeBSD dagger.sunspot.org 5.4-RELEASE FreeBSD 5.4-RELEASE #1: Fri May
13 20:56:25 CEST 2005    
root at dagger.sunspot.org:/usr/src/sys/i386/compile/DAGGER  i386

and my test card is a NetGear WG511T; here follows a snippet from
dmesg and the related sysctl variables:

[root at dagger.sunspot.org] # dmesg | grep ^ath0
ath0: <Atheros 5212> mem 0xd0210000-0xd021ffff irq 11 at device 0.0 on cardbus0
ath0: mac 5.6 phy 4.1 5ghz radio 4.6
ath0: Ethernet address: 00:09:5b:92:ec:80
ath0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
ath0: 11g rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps
24Mbps 36Mbps 48Mbps 54Mbps
[root at dagger.sunspot.org] # sysctl -a | grep -E '(^hw|^dev).ath'
hw.ath.hal.swba_backoff: 0
hw.ath.hal.sw_brt: 10
hw.ath.hal.dma_brt: 2
hw.ath.hal.version: 0.9.6.3
hw.ath.dump:
hw.ath.debug: 0
hw.ath.regdomain: 0
hw.ath.countrycode: 0
hw.ath.outdoor: 1
hw.ath.calibrate: 30
hw.ath.dwell: 200
dev.ath.0.%desc: Atheros 5212
dev.ath.0.%driver: ath
dev.ath.0.%location: slot=0 function=0
dev.ath.0.%pnpinfo: vendor=0x168c device=0x0013 subvendor=0x1385
subdevice=0x4b00 class=0x020000
dev.ath.0.%parent: cardbus0


The WG511T works well in BSS and IBSS modes with pretty decent FTP
peaks of 2.80 MB/s, but when it goes into monitor mode it receives a lot
of noise and pcap-enabled applications show a lot of "malformed
packets":

[root at dagger.sunspot.org] # tethereal -i ath0 -y IEEE802_11_RADIO
Warning:  Couldn't obtain netmask info (ath0: no IPv4 address assigned).
Capturing on ath0
  0.000000              ->              IEEE 802.11 Unrecognized
(Reserved frame)
  0.070546  XXX.XX.5.57 -> XXX.XX.255.255 BROWSER Host Announcement
XXXXXX280016, Workstation, Server, NT Workstation, Potential Browser
  0.131467 XXX.XX.4.105 -> 255.255.255.255 UDP Source port: 2301 
Destination port: 2301
  0.141319 3comEuro_d5:b9:b8 -> Broadcast    IEEE 802.11 Beacon frame,
SSID: "............"[Malformed Packet]
  0.192535  XXX.XX.1.55 -> XXX.XX.255.255 NBNS Name query NB PRINTERS<00>
  0.221540  XXX.XX.1.30 -> Broadcast    ARP Who has XXX.XX.7.55?  Tell
XXX.XX.1.30
adns warning: sendto failed: Network is unreachable (NS=XXX.XXX.2.12)
  0.237164  XXX.XX.1.30 -> Broadcast    ARP Who has XXX.XX.4.234? 
Tell XXX.XX.1.30
  0.243721 3comEuro_d5:b9:b8 -> Broadcast    IEEE 802.11 Beacon frame,
SSID: "............"[Malformed Packet]
  0.292573 XXX.XX.4.212 -> Broadcast    ARP Who has XXX.XX.1.10?  Tell
XXX.XX.4.212
adns warning: sendto failed: Network is unreachable (NS=XXX.XXX.2.12)
  0.325725  XXX.XX.1.11 -> Broadcast    ARP Who has XXX.XX.7.37?  Tell
XXX.XX.1.11
adns warning: sendto failed: Network is unreachable (NS=XXX.XXX.2.12)
  0.346129 3comEuro_d5:b9:b8 -> Broadcast    IEEE 802.11 Beacon frame,
SSID: "............"[Malformed Packet]
  0.350925 HewlettP_7c:ab:31 -> HP           LLC U P, func=TEST; SNAP,
OUI 0x00805F (Unknown), PID 0x0002
  0.351848 XXX.XX.255.115 -> Broadcast    ARP XXX.XX.255.115 is at
00:0b:46:01:34:80
adns warning: sendto failed: Network is unreachable (NS=XXX.XXX.2.12)
  0.382862 00000002.0030c12f2eff -> 00000002.ffffffffffff IPX SAP
General Response
  0.384205 00000002.0030c12f2eff -> 00000002.ffffffffffff IPX SAP
General Response
  0.386566 XXX.XX.6.125 -> XXX.XX.255.255 BROWSER Host Announcement
XXXXXXFI008, Workstation, Server, SQL Server, NT Workstation,
Potential Browser
  0.448530 3comEuro_d5:b9:b8 -> Broadcast    IEEE 802.11 Beacon frame,
SSID: "............"[Malformed Packet]
  0.473888  XXX.XX.1.10 -> Broadcast    ARP Who has XXX.XX.7.98?  Tell
XXX.XX.1.10
adns warning: sendto failed: Network is unreachable (NS=XXX.XXX.2.12)
  0.653333 3comEuro_d5:b9:b8 -> Broadcast    IEEE 802.11 Beacon frame,
SSID: "............"[Malformed Packet]

I see that here there is just one really noisy packet (the first one);
if they could be helpful I could capture a lot more of them this
evening.

Another interesting thing is that when launching kismet with
radiotab_fbsd_b and setting debug.ieee80211 to 1, the machine says:

[...]
ieee80211_newstate: SCAN -> SCAN
ieee80211_newstate: SCAN -> INIT
ieee80211_newstate: INIT -> RUN
ieee80211_newstate: invalid transition
ieee80211_newstate: RUN -> INIT
ieee80211_newstate: INIT -> RUN
ieee80211_newstate: invalid transition
ieee80211_newstate: RUN -> INIT
ieee80211_newstate: INIT -> RUN
ieee80211_newstate: invalid transition
ieee80211_newstate: RUN -> INIT
ieee80211_newstate: INIT -> RUN
ieee80211_newstate: invalid transition
ieee80211_newstate: RUN -> INIT
ieee80211_newstate: INIT -> RUN
ieee80211_newstate: invalid transition
ieee80211_newstate: RUN -> INIT
ieee80211_newstate: INIT -> RUN
ieee80211_newstate: invalid transition
[...]

until I shut down kismet, but maybe this is a kismet bug in channel hopping.
Enabling hw.ath.debug, it says:

ath_stop: invalid 0 if_flags 0x48842
ath_newstate: SCAN -> INIT

Is this a known bug? How can I fix this?

Thanks in advance and sorry for my poor English,
Luca Micali



####### KERNEL CONFIG, what you don't see here is loaded as kld
machine         i386
cpu             I686_CPU
ident           DAGGER

options         SCHED_4BSD

options         INET
options         INET6

options         FFS
options         SOFTUPDATES
options         UFS_ACL
options         UFS_DIRHASH

options         NFSCLIENT
options         NFSSERVER

options         LIBICONV
options         EICON_DIVA

options         MSDOSFS
options         MSDOSFS_LARGE
options         MSDOSFS_ICONV
options         NTFS
options         NTFS_ICONV

options         CD9660
options         CD9660_ICONV

options         UDF
options         UDF_ICONV

options         PROCFS
options         PSEUDOFS

options         COMPAT_43

options         SYSVSHM
options         SYSVMSG
options         SYSVSEM
options         _KPOSIX_PRIORITY_SCHEDULING

options         KBD_INSTALL_CDEV

device          apic

device          isa
device          eisa
device          pci

device          ata
device          atadisk
device          atapicam
options         ATA_STATIC_ID

device          uhci
device          ehci
device          usb

device          scbus
device          da
device          cd
device          pass

device          atkbdc
device          atkbd
device          psm

device          vga

device          sc
device          splash
options         SC_PIXEL_MODE

device          agp

device          npx

device          apm
device          acpi

device          pty
device          loop
device          mem
device          io
device          random
device          ether
device          ppp
device          tun
device          bpf
device          md
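The captures above use the IEEE802_11_RADIO link type, so each frame begins with a radiotap header: a version byte, a pad byte, a little-endian it_len, and one or more "present" bitmaps saying which naturally aligned fields follow; a dissector reports "Malformed Packet" when that header does not fit the captured bytes. The parser below is an added example, not code from the post, FreeBSD or kismet; its sample frames are constructed, and only the common standard fields are decoded.

```python
import struct

# Radiotap fields decoded here: bit -> (name, struct format, alignment), per the radiotap standard.
RADIOTAP_FIELDS = {
    0: ("tsft", "<Q", 8),
    1: ("flags", "<B", 1),         # 0x10 = FCS present at end of frame
    2: ("rate", "<B", 1),          # units of 500 kbps
    3: ("channel", "<HH", 2),      # (frequency in MHz, channel flags)
    5: ("dbm_antsignal", "<b", 1),
}

def parse_radiotap(buf):
    """Return (fields, trailing 802.11 frame); raise ValueError where a dissector would say malformed."""
    if len(buf) < 8:
        raise ValueError("truncated: fewer than 8 radiotap header bytes")
    version, _pad, it_len, present = struct.unpack_from("<BBHI", buf, 0)
    if version != 0 or it_len < 8 or it_len > len(buf):
        raise ValueError("version %d / it_len %d invalid for %d captured bytes" % (version, it_len, len(buf)))
    off = 8
    while struct.unpack_from("<I", buf, off - 4)[0] & (1 << 31):   # bit 31: another present word follows
        if off + 4 > it_len:
            raise ValueError("present-word chain runs past it_len")
        off += 4
    fields = {}
    for bit in range(31):          # only the first present word's standard fields are decoded
        if not present & (1 << bit):
            continue
        if bit not in RADIOTAP_FIELDS:
            raise ValueError("field bit %d unsupported; later offsets unknown" % bit)
        name, fmt, align = RADIOTAP_FIELDS[bit]
        off = (off + align - 1) // align * align   # every field is naturally aligned
        if off + struct.calcsize(fmt) > it_len:
            raise ValueError("field %s runs past it_len" % name)
        value = struct.unpack_from(fmt, buf, off)
        fields[name] = value[0] if len(value) == 1 else value
        off += struct.calcsize(fmt)
    return fields, buf[it_len:]

def classify(frame):
    """'ok' for a parseable frame, otherwise 'malformed: <reason>'."""
    try:
        parse_radiotap(frame)
        return "ok"
    except ValueError as err:
        return "malformed: %s" % err

# Constructed samples: 24-byte radiotap header (TSFT, flags, rate, channel, signal) + bare beacon header.
BEACON = bytes.fromhex("80000000" + "ff" * 6 + "001122334455" * 2 + "1000")
GOOD = bytes.fromhex("00001800" "2f000000" "0807060504030201" "10" "02" "8509" "a000" "c4" "00") + BEACON
BAD_LEN = GOOD[:2] + b"\x00\x02" + GOOD[4:]   # it_len = 512, beyond the captured bytes
```

Running classify over the frames of a pcap saved from the ath0 capture separates headers that are structurally broken from frames that are merely noise in the 802.11 payload.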