Question on IEEE802_11_RADIO

Richard Bejtlich richard_bejtlich at yahoo.com
Sat Feb 28 04:57:17 PST 2004 

--- Bruce M Simpson <bms at spc.org> wrote:
> Don't use monitor mode; it's a misnomer. Try without
> using monitor
> mode and you should see radiotap headers.
> 
> BMS

Hi Bruce,

Without monitor mode I get worse results for
IEEE802_11, but IEEE802_11_RADIO gives the same
results.

<insert card>
orr:/root# ifconfig wi0
wi0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        ether 00:04:e2:29:3b:ba
        media: IEEE 802.11 Wireless Ethernet
autoselect (none)
        ssid ""
        stationname "FreeBSD WaveLAN/IEEE node"
        channel -1 authmode OPEN powersavemode OFF
powersavesleep 100
        wepmode OFF weptxkey 1

When I bring the card up it automatically associates
with the nearest access point. (Is this correct?  I
don't have any scripts, etc. to set this up.)

orr:/root# ifconfig wi0 up
orr:/root# ifconfig wi0
wi0:
flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu
1500
        inet6 fe80::204:e2ff:fe29:3bba%wi0 prefixlen
64 scopeid 0x4 
        ether 00:04:e2:29:3b:ba
        media: IEEE 802.11 Wireless Ethernet
autoselect (DS/11Mbps)
        status: associated
        ssid shaolin 1:shaolin
        stationname "FreeBSD WaveLAN/IEEE node"
        channel 6 authmode OPEN powersavemode OFF
powersavesleep 100
        wepmode OFF weptxkey 1

This looks the same as before:

orr:/root# /usr/local/sbin/tcpdump -n -e -i wi0 -y
IEEE802_11_RADIO -vv
tcpdump: data link type IEEE802_11_RADIO
tcpdump: WARNING: wi0: no IPv4 address assigned
tcpdump: listening on wi0, link-type IEEE802_11_RADIO
(802.11 plus radio information header), capture size
96 bytes
07:47:26.227651 [|802.11]
07:47:26.321380 [|802.11]
07:47:26.325336 [|802.11]

This doesn't look right -- the beacon packets don't
seem to be interpreted correctly:

orr:/root# /usr/local/sbin/tcpdump -n -e -i wi0 -y
IEEE802_11 -vv
tcpdump: data link type IEEE802_11
tcpdump: WARNING: wi0: no IPv4 address assigned
tcpdump: listening on wi0, link-type IEEE802_11
(802.11), capture size 96 bytes
07:47:44.691348 56185us BSSID:00:a0:c5:59:47:d4
SA:00:06:25:45:74:be DA:00:a0:c5:59:47:d4 LLC, dsap
0xb2, ssap 0x0f, cmd 0x00, sap 0e > sap b2 I
(s=0,r=0,R) len=64
07:47:44.791749 56185us BSSID:00:a0:c5:59:47:d4
SA:00:06:25:45:74:be DA:00:a0:c5:59:47:d4 LLC, dsap
0xb3, ssap 0x0f, cmd 0x00, sap 0e > sap b3 I
(s=0,r=0,R) len=64

Only by enabling monitor mode and specifying a channel
do I see beacons as expected:

orr:/root# ifconfig wi0 mediaopt monitor channel 6 up
orr:/root# /usr/local/sbin/tcpdump -n -e -i wi0 -y
IEEE802_11 -vv -c 2
tcpdump: data link type IEEE802_11
tcpdump: WARNING: wi0: no IPv4 address assigned
tcpdump: listening on wi0, link-type IEEE802_11
(802.11), capture size 96 bytes
07:49:50.110446 0us BSSID:00:06:25:5b:21:ab
DA:ff:ff:ff:ff:ff:ff SA:00:06:25:5b:21:ab Beacon
(Alpha) [1.0* 2.0* 5.5 11.0 Mbit] ESS CH: 6
07:49:50.112603 56185us BSSID:00:a0:c5:59:47:d4
SA:00:06:25:45:74:be DA:00:a0:c5:59:47:d4 LLC, dsap
0x53, ssap 0x10, cmd 0x00, sap 10 > sap 53 I
(s=0,r=0,C) len=64

Unfortunately I get the weird RADIO output:

orr:/root# /usr/local/sbin/tcpdump -n -e -i wi0 -y
IEEE802_11_RADIO -vv -c 2
tcpdump: data link type IEEE802_11_RADIO
tcpdump: WARNING: wi0: no IPv4 address assigned
tcpdump: listening on wi0, link-type IEEE802_11_RADIO
(802.11 plus radio information header), capture size
96 bytes
07:50:52.733414 [|802.11]
07:50:52.751514 [|802.11]

Here's what prism2ctl reports after all of this:

orr:/root# prism2ctl wi0
Sleep mode:                             [ Off ]
Suppress post back-off delay:           [ Off ]
Suppress Tx Exception:                  [ Off ]
Monitor mode:                           [ Off ]
LED Test:                               [ ]
Continuous Tx:                          [ ]
Continuous Rx:                          [ Off ]
Signal State:                           [ ]
Automatic level control:                [ Off ]

orr:/root# prism2ctl wi0 -m
orr:/root# prism2ctl wi0
Sleep mode:                             [ Off ]
Suppress post back-off delay:           [ Off ]
Suppress Tx Exception:                  [ Off ]
Monitor mode:                           [ On ]
LED Test:                               [ ]
Continuous Tx:                          [ ]
Continuous Rx:                          [ Off ]
Signal State:                           [ ]
Automatic level control:                [ Off ]

At this point I can use prism2dump, but Tcpdump
doesn't see anything:

orr:/root# prism2dump wi0
prism2dump: listening on wi0
- [ff:ff:ff:ff:ff:ff <- 0:c:41:f6:6c:24 <-
0:c:41:f6:6c:24] 
- port: 7 ts: 300.510715 0:5 10:0 
- sn: 62848 (69:74:59:e7:ac:b0) len: 59 
  - ** mgmt-beacon ** ts: 230891.417994 int: 100
capinfo: ess 
    + ssid: [linksys] 
    + rates: 1.0 2.0 5.5 11.0 18.0 24.0 36.0 54.0 
    + ds ch: 6 
    + dtim c: 0 p: 1 bc: 0 pvb: bfbfea45

Thanks for your help,

Richard
http://www.taosecurity.com

__________________________________
Do you Yahoo!?
Get better spam protection with Yahoo! Mail.
http://antispam.yahoo.com/tools

More information about the freebsd-net mailing list