ath0 "monitor mode" mystery

Mark Moes mark_moes at hotmail.com
Mon Sep 23 12:14:08 UTC 2013 

> 18:56:23.803065 9838362989us tsft 1.0 Mb/s 60dBm tx power antenna 0 2427
> MHz 11g Probe Request () [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit]

That's what you're gonna see if it captures 802.11 frames; you already had it working :)

And a Probe Request is not a Beacon frame, it is sent by a device (laptop/smartphone) when it actively scans for APs. See http://www.wi-fiplanet.com/tutorials/print.php/1447501 


Cheers,
Mark



> Date: Fri, 20 Sep 2013 15:29:34 -0700
> Subject: ath0 "monitor mode" mystery
> From: hiren.panchasara at gmail.com
> To: freebsd-wireless at freebsd.org
> 
> I am trying to enable (what I think is) monitor mode on PicoStation M2HP.
> 
> I am confused though. "man ifconfig" is also showing 2 different "monitor"
> things. I tried both below:
> 
> # ifconfig wlan0 create wlandev ath0
> wlan0: Ethernet address: dc:9f:db:6a:3e:9e
> # ifconfig wlan0 down
> # ifconfig wlan0 monitor
> # ifconfig wlan0 channel 4
> # ifconfig wlan0 up
> #
> # ifconfig wlan0
> wlan0: flags=48843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,MONITOR> metric 0
> mtu 1500
>         ether dc:9f:db:6a:3e:9e
>         media: IEEE 802.11 Wireless Ethernet autoselect (autoselect)
>         status: no carrier
>         ssid "" channel 4 (2427 MHz 11g)
>         regdomain FCC3 country US indoor ecm authmode OPEN privacy OFF
>         txpower 30 bmiss 7 scanvalid 60 protmode CTS wme burst bintval 0
> #
> 
> And now I get things via:
> # tcpdump -ni wlan0 -y IEEE802_11_RADIO
> wlan0: promiscuous mode enabled
> wlan0: promiscuous mode disabled
> wlan0: promiscuous mode enabled
> tcpdump: data link type IEEE802_11_RADIO
> tcpdump: WARNING: wlan0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on wlan0, link-type IEEE802_11_RADIO (802.11 plus radiotap
> header), capture size 65535 bytes
> 18:56:23.803065 9838362989us tsft 1.0 Mb/s 60dBm tx power antenna 0 2427
> MHz 11g Probe Request () [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit]
> 18:56:23.994159 9838553735us tsft 1.0 Mb/s -75dB signal -96dB noise antenna
> 1 2427 MHz 11g Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
> 18:56:23.995089 9838554678us tsft 1.0 Mb/s -75dB signal -96dB noise antenna
> 1 2427 MHz 11g Probe Request (Y!Office) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0
> Mbit]
> 18:56:23.995979 9838555575us tsft 1.0 Mb/s -75dB signal -96dB noise antenna
> 1 2427 MHz 11g Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
> 18:56:24.002484 9838562077us tsft 1.0 Mb/s -76dB signal -96dB noise antenna
> 1 2427 MHz 11g Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
> 18:56:24.016082 9838576006us tsft 1.0 Mb/s 60dBm tx power antenna 0 2427
> MHz 11g ht/40+ Probe Request () [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0
> Mbit]
> 
> But is this really a monitor mode? Not according to tcpdump.
> 
> What we are seeing above are beacons sent out by APs? How do we get probe
> requests sent to APs by devices?
> 
> man tcpdump says:
> 
> -I     Put  the  interface in "monitor mode"; this is supported only on
>               IEEE 802.11 Wi-Fi interfaces, and supported only on some
> operat-
>               ing systems.
> 
>               Note  that  in  monitor mode the adapter might disassociate
> from
>               the network with which it's associated, so that you will not
>  be
>               able to use any wireless networks with that adapter.  This
> could
>               prevent accessing files on a network server, or  resolving
>  host
>               names or network addresses, if you are capturing in monitor
> mode
>               and are not connected to another network with another adapter.
> 
>               This flag will affect the output of the -L flag.   If  -I
>  isn't
>               specified,  only  those  link-layer  types available when not
> in
>               monitor mode will be shown; if -I is specified, only those
> link-
>               layer types available when in monitor mode will be shown.
> 
> So I tried -I,
> 
> # tcpdump -Ii wlan0 -y IEEE802_11_RADIO
> tcpdump: wlan0 is not a monitor mode VAP
> To create a new monitor mode VAP use:
>   ifconfig wlan1 create wlandev ath0 wlanmode monitor
> and use wlan1 as the tcpdump interface
> #
> 
> Okay, lets create wlan1 as suggested:
> 
> # ifconfig wlan1 create wlandev ath0 wlanmode monitor
> wlan1: Ethernet address: dc:9f:db:6a:3e:9e
> # ifconfig wlan1
> wlan1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         ether dc:9f:db:6a:3e:9e
>         media: IEEE 802.11 Wireless Ethernet autoselect <monitor>
> (autoselect <monitor>)
>         status: no carrier
>         ssid "" channel 4 (2427 MHz 11g)
>         regdomain FCC3 country US indoor ecm authmode OPEN privacy OFF
>         txpower 30 scanvalid 60 protmode CTS wme burst bintval 0
> #
> 
> See subtle difference between wlan0 and wlan1.
> 
> Still no success (but new error):
> <code>
> # tcpdump -Ii wlan1 -y IEEE802_11_RADIO
> wlan1: promiscuous mode enabled
> tcpdump: data link type IEEE802_11_RADIO
> tcpdump: WARNING: wlan1: no IPv4 address assigned
> ar5416StopDmaReceive: dma failed to stop in 10ms
> AR_CR=0x00000024
> AR_DIAG_SW=0x42000020
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on wlan1, link-type IEEE802_11_RADIO (802.11 plus radiotap
> header), capture size 65535 bytes
> ar5416StopDmaReceive: dma failed to stop in 10ms
> AR_CR=0x00000024
> AR_DIAG_SW=0x42000020
> ar5416StopDmaReceive: dma failed to stop in 10ms
> AR_CR=0x00000024
> AR_DIAG_SW=0x42000020
> ar5416StopDmaReceive: dma failed to stop in 10ms
> AR_CR=0x00000024
> AR_DIAG_SW=0x42000020
> ar5416StopDmaReceive: dma failed to stop in 10ms
> AR_CR=0x00000024
> AR_DIAG_SW=0x42000020
> ar5416StopDmaReceive: dma failed to stop in 10ms
> AR_CR=0x00000024
> AR_DIAG_SW=0x42000020
> ar5416StopDmaReceive: dma failed to stop in 10ms
> AR_CR=0x00000024
> AR_DIAG_SW=0x42000020
> ar5416StopDmaReceive: dma failed to stop in 10ms
> AR_CR=0x00000024
> AR_DIAG_SW=0x42000020
> ar5416StopDmaReceive: dma failed to stop in 10ms
> AR_CR=0x00000024
> AR_DIAG_SW=0x42000020
> ^C
> 0 packets captured
> 0 packets received by filter
> 0 packets dropped by kernel
> ar5416StopDmaReceive: dma failed to stop in 10ms
> AR_CR=0x00000024
> AR_DIAG_SW=0x42000020
> wlan1: promiscuous mode disabled
> #
> 
> I also tried to do mixed version of both wlan0 and wlan1:
> 
> # ifconfig wlan0 destroy
> # ifconfig wlan0 create wlandev ath0 wlanmode monitor
> wlan0: Ethernet address: dc:9f:db:6a:3e:9e
> # ifconfig wlan0 monitor
> #  ifconfig wlan0 channel 4
> # ifconfig wlan0 up
> ar5416PerCalibrationN: NF calibration didn't finish; delaying CCA
> #
> # ifconfig wlan0
> wlan0: flags=48843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,MONITOR> metric 0
> mtu 1500
>         ether dc:9f:db:6a:3e:9e
>         media: IEEE 802.11 Wireless Ethernet autoselect mode 11ng <monitor>
>         status: running
>         ssid "" channel 4 (2427 MHz 11g ht/40+) bssid dc:9f:db:6a:3e:9e
>         regdomain FCC3 country US indoor ecm authmode OPEN privacy OFF
>         txpower 30 scanvalid 60 protmode CTS ampdulimit 8k ampdudensity 8
>         shortgi wme burst
> #
> 
> But no success:
> 
> # tcpdump -Ii wlan0 -y IEEE802_11_RADIO
> wlan0: promiscuous mode enabled
> tcpdump: data link type IEEE802_11_RADIO
> tcpdump: WARNING: wlan0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on wlan0, link-type IEEE802_11_RADIO (802.11 plus radiotap
> header), capture size 65535 bytes
> ^C
> 0 packets capturwlan0: promiscuous mode disabled
> ed
> 0 packets received by filter
> 0 packets dropped by kernel
> #
> _______________________________________________
> freebsd-wireless at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-wireless
> To unsubscribe, send any mail to "freebsd-wireless-unsubscribe at freebsd.org"

More information about the freebsd-wireless mailing list