Re: [tcpdump-workers] problem while examinate 802.11-packets

Sun, 17 Feb 2008 11:20:46 -0800 

Guy Harris wrote:



No, there's no way to track, for example, the Retry flag in the Frame 
Control field; the only packets you'll see outside of monitor mode are 
data frames, and the frame control field will be discarded - there's 
no place to put that information in a fake Ethernet header.


So that command doesn't work?

The page at

    http://madwifi.org/wiki/UserDocs/MonitorMode

says


    To create a monitor mode VAP, see: UserDocs/MonitorModeInterface. 
After that, it won't be necessary to use the command iwconfig ath0 
mode monitor.



which sounds as if it's saying that you *can* create a monitor mode 
virtual access point, but that you don't have to - if you create one, 
you don't have to do "iwconfig ath0 mode monitor", which seems to 
imply that you could also do "iwconfig ath0 mode monitor".

No iwconfig ath0 mode monitor did not work. I got something like that: 
Error for wireless request "Set Mode" (8B06) :

   SET failed on device ath0 ; Invalid argument.


But with the command above: "wlanconfig ath1 create wlandev wifi0 
wlanmode *monitor*"

it worked. But my program couldn't access to that ath1.

Thought the if-brach in my code
if (pcap_datalink(handle) != DLT_IEEE802_11)
   {
       perror("is not an WLAN\n");
       exit(EXIT_FAILURE);
   }

it fails here. It was only possible to open the wifi0-interface with my 
program. But the MAC-Adresses are still now valuable, they are still 
fragmented. The first four fields match to the MAC-address of my 
Atheros-Card the final two were still trash. Means: I changed now to the 
monitor mode (which I can assure myself by calling iwconfig) but I have 
the same problem



A little bit other situation I had with the broadcom-device on my 
LinksysWRT. There I could invoke "iwconfig wl0 mode monitor", and it 
worked. I checked this by calling iwconfig again. wl0 was really in 
monitor-mode.
But here I had really no chance to get the program running over that 
if-brach (with DLT_IEEE802_11).
Means the program still doesn't recognize that this a wlan-interface and 
of course I did not get the proper MAC-addresses

:-(

This is very sad. How can anybody sniff a wlan-traffic?

Gruss Christian


-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.






















					Reply via email to