Re: tcpdump for 'disassoc' not supported
Right on. It should be -y IEEE802_11 to see dissociations, though.
IEEE802_11_RADIO just gives scan results.

On Fri, Mar 22, 2024 at 4:33 PM Peter Hessler wrote:
>
> pflog does not monitor the RADIO. They are not Layer 3 packets, and are
> not seen by pf.
>
>
> On 2024 Mar 22 (Fri) at 16:25:08 +0500 (+0500), ofthecentury wrote:
> :Thanks. This does work on an interface, but not on -r /var/log/pflog?
> :
> :On Fri, Mar 22, 2024 at 3:54 PM Stefan Sperling wrote:
> :>
> :> On Fri, Mar 22, 2024 at 03:39:57PM +0500, ofthecentury wrote:
> :> > I am getting wireless disassociation attacks.
> :> > I wanted to look at the packets via:
> :> > `tcpdump -nettt -I -i athn0 -s 256
> :> > type mgt subtype disassoc`
> :> > but I get an error:
> :> > "tcpdump: type not supported on linktype 0x1"
> :> > Should work according to man tcpdump.
> :> >
> :> >
> :>
> :> Works only with tcpdump -y IEEE802_11_RADIO
> :
>
> --
> To err is human, to moo bovine.
Re: tcpdump for 'disassoc' not supported
On Fri, Mar 22, 2024 at 04:25:08PM +0500, ofthecentury wrote:
> Thanks. This does work on an interface, but not on -r /var/log/pflog?

You cannot log wifi management frames in PF because PF does not
operate at the wifi layer.

There is hostapd(8) which can do some interesting things with
these frames.

To avoid deauth attacks there is ifconfig nwflag stayauth.
The proper fix would be management frame protection but this has
not been implemented (yet?).
Re: tcpdump for 'disassoc' not supported
pflog does not monitor the RADIO. They are not Layer 3 packets, and are
not seen by pf.


On 2024 Mar 22 (Fri) at 16:25:08 +0500 (+0500), ofthecentury wrote:
:Thanks. This does work on an interface, but not on -r /var/log/pflog?
:
:On Fri, Mar 22, 2024 at 3:54 PM Stefan Sperling wrote:
:>
:> On Fri, Mar 22, 2024 at 03:39:57PM +0500, ofthecentury wrote:
:> > I am getting wireless disassociation attacks.
:> > I wanted to look at the packets via:
:> > `tcpdump -nettt -I -i athn0 -s 256
:> > type mgt subtype disassoc`
:> > but I get an error:
:> > "tcpdump: type not supported on linktype 0x1"
:> > Should work according to man tcpdump.
:> >
:> >
:>
:> Works only with tcpdump -y IEEE802_11_RADIO
:

--
To err is human, to moo bovine.
Re: tcpdump for 'disassoc' not supported
Thanks. This does work on an interface, but not on -r /var/log/pflog?

On Fri, Mar 22, 2024 at 3:54 PM Stefan Sperling wrote:
>
> On Fri, Mar 22, 2024 at 03:39:57PM +0500, ofthecentury wrote:
> > I am getting wireless disassociation attacks.
> > I wanted to look at the packets via:
> > `tcpdump -nettt -I -i athn0 -s 256
> > type mgt subtype disassoc`
> > but I get an error:
> > "tcpdump: type not supported on linktype 0x1"
> > Should work according to man tcpdump.
> >
> >
>
> Works only with tcpdump -y IEEE802_11_RADIO
Re: tcpdump for 'disassoc' not supported
On Fri, Mar 22, 2024 at 03:39:57PM +0500, ofthecentury wrote:
> I am getting wireless disassociation attacks.
> I wanted to look at the packets via:
> `tcpdump -nettt -I -i athn0 -s 256
> type mgt subtype disassoc`
> but I get an error:
> "tcpdump: type not supported on linktype 0x1"
> Should work according to man tcpdump.
>
>

Works only with tcpdump -y IEEE802_11_RADIO
tcpdump for 'disassoc' not supported
I am getting wireless disassociation attacks.
I wanted to look at the packets via:
`tcpdump -nettt -I -i athn0 -s 256
type mgt subtype disassoc`
but I get an error:
"tcpdump: type not supported on linktype 0x1"
Should work according to man tcpdump.
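
Added example, not part of the thread or of tcpdump itself: the "linktype 0x1" in the error is DLT_EN10MB (Ethernet), which carries no 802.11 headers, so the sketch below checks the link type of a saved capture before looking for disassoc/deauth frames and reporting the transmitter and reason code. It assumes a classic pcap file as written by tcpdump -w, the DLT numbers from bpf.h, and a radiotap header on IEEE802_11_RADIO captures; the sample frame and the helper names are constructed for illustration.

```python
import struct

# DLT values from bpf.h; 0x1 (Ethernet) is the link type named in the error.
DLT_EN10MB, DLT_IEEE802_11, DLT_IEEE802_11_RADIO = 1, 105, 127
MGT_SUBTYPES = {10: "disassoc", 12: "deauth"}

def classify(frame):
    """Return (kind, transmitter, reason) for a disassoc/deauth frame, else None."""
    if len(frame) < 26:                 # 24-byte mgt header + 2-byte reason code
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in MGT_SUBTYPES:
        return None
    src = ":".join(f"{b:02x}" for b in frame[10:16])    # addr2 = transmitter
    (reason,) = struct.unpack_from("<H", frame, 24)
    return MGT_SUBTYPES[subtype], src, reason

def scan_pcap(data):
    """Parse a classic pcap byte string; return every disassoc/deauth frame."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack_from(end + "I", data, 20)
    if linktype not in (DLT_IEEE802_11, DLT_IEEE802_11_RADIO):
        raise ValueError(f"linktype {linktype:#x} carries no 802.11 headers")
    hits, off = [], 24
    while off + 16 <= len(data):
        (caplen,) = struct.unpack_from(end + "I", data, off + 8)
        pkt = data[off + 16 : off + 16 + caplen]
        off += 16 + caplen
        if linktype == DLT_IEEE802_11_RADIO:
            if len(pkt) < 4:
                continue
            pkt = pkt[struct.unpack_from("<H", pkt, 2)[0]:]  # skip radiotap header
        hit = classify(pkt)
        if hit:
            hits.append(hit)
    return hits

def build_pcap(linktype, frames):
    """Build a little-endian pcap byte string (constructed test input)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 256, linktype)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed frame: disassoc (fc 0xa0) from 02:00:00:00:00:01, reason code 8.
SAMPLE = bytes.fromhex("a0000000" "ffffffffffff" "020000000001" "020000000001" "0000" "0800")
if __name__ == "__main__":
    print(scan_pcap(build_pcap(DLT_IEEE802_11, [SAMPLE])))
```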