Hello, 

As a student in computer science, I have to expose the ways to exploit
vulnerabilities of protocols used in wireless. 
I have a Cisco Aironet PCM-341 (firmware version 4.13) card and a Cisco
Aironet 340 wireless bridge AP. The AP is connected to a hub to the LAN.
I managed to get the wireless card working but I cannot sniff 802.11
packets. All I see is normal 802.3. I followed the steps described in
this howto: http://www.cs.umd.edu/~npetroni/airo.html but it still
doesn't work. Please could you help me find out what is wrong with what
I'm doing.

My system on the laptop is a RH 7.2 Linux with standard installation and
no modification. 

#uname -a 
Linux localhost.localdomain 2.4.7-10 #1 Thu Sep 6 17:27:27 EDT 2001 i686 unknown

#lsmod 
Module Size Used by 
vfat 9584 0 (autoclean) 
fat 32384 0 (autoclean) [vfat] 
soundcore 4464 0 (autoclean) 
airo_cs 3872 0 (unused) 
airo 68608 0 [airo_cs] 
ds 7056 2 [airo_cs] 
yenta_socket 9488 2 
pcmcia_core 41600 0 [airo_cs ds yenta_socket] 
autofs 11520 0 (autoclean) (unused) 
appletalk 20912 0 (autoclean) 
ipx 16448 0 (autoclean) 
ipchains 39200 0 
ext3 64624 4 
jbd 40992 4 [ext3] 

As written in the howto, I have upgraded the kernel to 2.4.18. I
compiled it with the most recent airo-linux drivers from here:
cvs.airo-linux.sourceforge.net, and copied the airo-linux/kernel/airo* files
into /usr/src/linux/drivers/net/wireless.

#uname -a 
Linux localhost.localdomain 2.4.18 #1 SMP Tue Jun 4 10:50:08 CEST 2002 i686 unknown

#lsmod 
Module Size Used by 

The Cisco card is well recognized by the kernel and works fine. 

To be able to sniff 802.11 packets, I did the following: 

I removed the old libpcap RPM and installed the patched version of libpcap. I
found the patched version in RPM format here:
http://www.shaftnet.org/~pizza/software/

#rpm -e libpcap 
#rpm -i libpcap-0.7.1-1prism.i386.rpm 
#rpm -i libpcap-devel-0.7.1-1prism.i386.rpm 
#rpm -i libpcap-static-0.7.1-1prism.i386.rpm 

Then I compiled ethereal from the sources and installed it. 

I put my card into rfmon mode: 

#echo "Mode: r" > /proc/driver/aironet/eth0/Config 
#echo "Mode: y" > /proc/driver/aironet/eth0/Config 

Then I brought up the wifi interface: 

/sbin/ifconfig wifi0 up 

Then I start ethereal and select the eth0 interface, and all I can see is
normal 802.3 packets from my LAN, that's all. I can see no beacon frames
at all. If it worked, I would immediately see beacon frames, is that
right?


Could you please tell me what's wrong?

Thank you. 


Information on configuration 
---------------------------- 

Configuration of interfaces before passing the card in rfmon mode: 

#ifconfig 
eth0 Link encap:Ethernet HWaddr 00:40:96:35:CC:1D 
inet addr:172.30.1.99 Bcast:172.30.255.255 Mask:255.255.128.0 
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 
RX packets:0 errors:1 dropped:0 overruns:0 frame:1 
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 
collisions:0 txqueuelen:100 
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) 
Interrupt:3 Base address:0x100 

lo Link encap:Local Loopback 
inet addr:127.0.0.1 Mask:255.0.0.0 
UP LOOPBACK RUNNING MTU:16436 Metric:1 
RX packets:128 errors:0 dropped:0 overruns:0 frame:0 
TX packets:128 errors:0 dropped:0 overruns:0 carrier:0 
collisions:0 txqueuelen:0 
RX bytes:8324 (8.1 Kb) TX bytes:8324 (8.1 Kb) 

Part of kernel messages: 
#dmesg 
cs: IO port probe 0x0c00-0x0cff: clean. 
cs: IO port probe 0x0100-0x04ff: excluding 0x200-0x207 0x220-0x22f 0x330-0x337 0x378-0x37f 0x388-0x38f 0x398-0x39f 0x4d0-0x4d7
cs: IO port probe 0x0a00-0x0aff: clean. 
cs: memory probe 0xa0000000-0xa0ffffff: clean. 
airo: Doing fast bap_reads 
airo: MAC enabled eth0 0:40:96:35:cc:1d 
eth0: index 0x05: Vcc 5.0, Vpp 5.0, irq 3, io 0x0100-0x013f 

Config of interfaces after passing into rfmon mode and bringing up
wifi0:
#ifconfig 
eth0 Link encap:Ethernet HWaddr 00:40:96:35:CC:1D 
inet addr:172.30.1.99 Bcast:172.30.255.255 Mask:255.255.128.0 
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 
RX packets:0 errors:0 dropped:0 overruns:0 frame:0 
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 
collisions:0 txqueuelen:100 
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) 
Interrupt:3 Base address:0x100 

lo Link encap:Local Loopback 
inet addr:127.0.0.1 Mask:255.0.0.0 
UP LOOPBACK RUNNING MTU:16436 Metric:1 
RX packets:128 errors:0 dropped:0 overruns:0 frame:0 
TX packets:128 errors:0 dropped:0 overruns:0 carrier:0 
collisions:0 txqueuelen:0 
RX bytes:8324 (8.1 Kb) TX bytes:8324 (8.1 Kb) 

wifi0 Link encap:UNSPEC HWaddr 00-40-96-35-CC-1D-00-00-00-00-00-00-00-00-00-00
UP BROADCAST RUNNING MULTICAST MTU:2312 Metric:1 
RX packets:0 errors:0 dropped:0 overruns:0 frame:0 
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 
collisions:0 txqueuelen:100 
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) 
Interrupt:3 Base address:0x100 

Configuration of the PCM 341 card: 
#cat /proc/driver/aironet/eth0/Config 
Mode: ESS 
Radio: on 
NodeName: 
PowerMode: CAM 
DataRates: 2 4 11 22 0 0 0 0 
Channel: 12 
XmitPower: 30 
LongRetryLimit: 16 
ShortRetryLimit: 16 
RTSThreshold: 2312 
TXMSDULifetime: 5000 
RXMSDULifetime: 10000 
TXDiversity: both 
RXDiversity: both 
FragThreshold: 2312 
WEP: open 
Modulation: cck 
Preamble: short 

Configuration of the AP: 
! CONFIGURATION of Cisco BR500E V8.65 BR500E_54ea64 
= 
configuration radio ssid "wireless" 
configuration radio root on 
configuration radio rates 1_11 
configuration radio basic_rates 1 
configuration radio frequency "auto" 
configuration radio distance 0 
configuration radio world on 
configuration radio i80211 beacon 100 
configuration radio i80211 dtim 2 
configuration radio i80211 extend on 
configuration radio i80211 bcst_ssid on 
configuration radio i80211 rts 2048 
configuration radio i80211 Privacy encryption mixed 
configuration radio i80211 Privacy client open 
configuration radio i80211 Encapsulation encap 802.1H 
configuration radio i80211 Encapsulation remove all 
configuration radio extended bridge_mode access_point 
configuration radio extended time_retry 8 
configuration radio extended count_retry 0 
configuration radio extended roaming broadcast 
configuration radio extended Balance off 
configuration radio extended diversity off 
configuration radio extended modulation cck 
configuration radio extended power full 
configuration radio extended fragment 2048 
configuration ethernet active on 
configuration ethernet size 1518 
configuration ethernet port auto 
configuration ethernet staletime 350 
configuration identity bootp_DHCP off 
configuration identity name "BR500E_54ea64" 
configuration identity class "BR500E" 
configuration identity inaddr 172.030.064.099 
configuration identity inmask 255.255.128.000 
configuration identity routing delete all 
configuration identity routing net 000.000.000.000 172.030.064.255 000.000.000.000
configuration identity dns1 000.000.000.000 
configuration identity dns2 000.000.000.000 
configuration identity domain "" 
configuration identity location "" 
configuration identity contact "" 
configuration console Remote on 
configuration console telnet on 
configuration console delete all 
configuration console communities remote off 
configuration console type ansi 
configuration console port rate 9600 
configuration console port bits 8 
configuration console port parity none 
configuration console port flow xon/xoff 
configuration console linemode off 
configuration stp active off 
configuration stp priority 8000 
configuration stp hello_time 2 
configuration stp forward_delay 15 
configuration stp msg_age_timeout 20 
configuration stp port port on 
configuration stp port priority 80 
configuration stp port cost 100 
configuration mobile-IP AgentType off 
configuration mobile-IP remove all 
configuration mobile-IP setup lifetime 600 
configuration mobile-IP setup ReplayProt timestamps 
configuration mobile-IP setup broadcasts off 
configuration mobile-IP setup RegRequired on 
configuration mobile-IP setup HostRedirects on 
configuration mobile-IP advert AdvertType multicast 
configuration mobile-IP advert AdvertInterval 5 
configuration mobile-IP advert PrefixLen off 
configuration mobile-IP advert AdvertRtrs on 
configuration time time_server 000.000.000.000 
configuration time sntp_server 000.000.000.000 
configuration time offset 0 
configuration time dst off 
configuration SVP off 
statistics display_time 10 
statistics ipAdr on 
association maximum 1024 
association autoreg on 
association niddisp numeric 
filter multicast default forward 
filter multicast remove all 
filter multicast radio_mcst everywhere 
filter node ethdst forward 
filter node raddst forward 
filter node source off 
filter node remove all 
filter protocols default off 
filter protocols remove all 
filter direction both 
diagnostics load ftp dest 000.000.000.000 
diagnostics load ftp username "" 
diagnostics load ftp filename "" 
diagnostics load distribute type firmware 
diagnostics load distribute control newer 
diagnostics load distribute remove all 
logs printlevel severe 
logs loglevel all 
logs ledlevel error/severe 
logs bnodelog on 
logs snmp trapdest none 
logs snmp trapcomm "public" 
logs snmp loglevel off 
logs snmp authtrap off 
logs syslog 000.000.000.000 
logs syslevel error/severe 
logs facility 16 
logs rcvsyslog on 
--------------------------------------------------------------------------------



--
general wireless list, a bawug thing <http://www.bawug.org/>
[un]subscribe: http://lists.bawug.org/mailman/listinfo/wireless
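The message above captures on eth0 while the howto it follows brings up wifi0. In the airo driver, eth0 hands up Ethernet (802.3) frames and the companion wifi0 device carries the frames with their 802.11 headers; the net-tools of that era printed its encapsulation as UNSPEC, and its MTU of 2312 differs from Ethernet's 1500. The pasted Config dump also still reads "Mode: ESS", i.e. ordinary infrastructure mode, so the file is worth re-reading after the echo to confirm the mode change took. The following diagnostic, added here as an example and not part of the original post or of any Cisco or airo-linux tool, parses the two kinds of text the poster pasted and reports both points. The function names, the `diagnose()` helper and the sample inputs are constructed for this example; the sample texts are taken from the message's own ifconfig and Config output.

```python
"""Diagnostic for the airo rfmon capture problem: which interface carries
raw 802.11 frames, and what mode does the driver report?

Added example, not code from the original message or from airo-linux.
Sample texts are constructed from the ifconfig and Config output posted.
"""
import re

# Constructed sample: ifconfig output after "ifconfig wifi0 up" (from the post).
IFCONFIG_AFTER = """\
eth0 Link encap:Ethernet HWaddr 00:40:96:35:CC:1D
inet addr:172.30.1.99 Bcast:172.30.255.255 Mask:255.255.128.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
Interrupt:3 Base address:0x100

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1

wifi0 Link encap:UNSPEC HWaddr 00-40-96-35-CC-1D-00-00-00-00-00-00-00-00-00-00
UP BROADCAST RUNNING MULTICAST MTU:2312 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
"""

# Constructed sample: /proc/driver/aironet/eth0/Config as posted (abridged).
AIRO_CONFIG = """\
Mode: ESS
Radio: on
NodeName:
PowerMode: CAM
DataRates: 2 4 11 22 0 0 0 0
Channel: 12
WEP: open
"""

# An interface block starts with "<name> Link encap:<type> [HWaddr <addr>]".
IFACE_RE = re.compile(r"^(\S+)\s+Link encap:(.+?)(?:\s+HWaddr\s+(\S+))?\s*$")
MTU_RE = re.compile(r"\bMTU:(\d+)\b")
FLAGS_RE = re.compile(r"^\s*((?:[A-Z]+\s+)+)MTU:")


def parse_ifconfig(text):
    """Return {name: {encap, hwaddr, mtu, flags}} from net-tools ifconfig output.

    Works whether or not the continuation lines keep their indentation, since
    mail clients often strip it (as in the posted output)."""
    ifaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None          # blank line ends the interface block
            continue
        m = IFACE_RE.match(line)
        if m:
            name, encap, hwaddr = m.groups()
            current = {"encap": encap.strip(), "hwaddr": hwaddr, "mtu": None, "flags": []}
            ifaces[name] = current
            continue
        if current is None:
            continue
        mm = MTU_RE.search(line)
        if mm:
            current["mtu"] = int(mm.group(1))
            fm = FLAGS_RE.match(line)
            current["flags"] = fm.group(1).split() if fm else []
    return ifaces


def parse_aironet_config(text):
    """Parse the 'Key: value' lines of /proc/driver/aironet/<if>/Config."""
    cfg = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            cfg[key.strip()] = value.strip()
    return cfg


def raw_80211_interfaces(ifaces):
    """Interfaces that look like the airo raw-802.11 device: encapsulation
    reported as UNSPEC (old net-tools did not know the 802.11 type) and the
    2312-byte 802.11 MTU instead of Ethernet's 1500."""
    return sorted(n for n, i in ifaces.items() if i["encap"] == "UNSPEC" and i["mtu"] == 2312)


def diagnose(ifconfig_text, config_text, capture_iface):
    """Return a list of findings explaining why a capture on capture_iface
    would not show 802.11 frames. An empty list means nothing was flagged."""
    ifaces = parse_ifconfig(ifconfig_text)
    cfg = parse_aironet_config(config_text)
    findings = []
    raw = raw_80211_interfaces(ifaces)
    if capture_iface in ifaces and ifaces[capture_iface]["encap"] == "Ethernet":
        findings.append("%s delivers Ethernet (802.3) frames; raw 802.11 is on: %s"
                        % (capture_iface, ", ".join(raw) or "no interface found"))
    if cfg.get("Mode") == "ESS":
        findings.append("driver Config reports Mode: ESS (infrastructure), not a monitor mode")
    return findings


if __name__ == "__main__":
    for f in diagnose(IFCONFIG_AFTER, AIRO_CONFIG, "eth0"):
        print("-", f)
```

Run against a live system, the same functions take the output of `ifconfig` and the contents of the driver's Config file; capturing on the interface that `raw_80211_interfaces()` returns is what makes beacon frames visible in a dissector, provided the driver really is in its monitor mode.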
