Capture 802.11 frames
-
I am attempting to capture 802.11 frames on a small box running Pfsense (No, there's no possibility of using a full size OS). Note that I have some experience with linux, but none with FreeBSD/Pfsense.
I have tried to do the capturing with the following script. The reboot command at the end is needed since I have to SSH to the box using the same Wifi module.
#!/bin/sh
ifconfig ath0_wlan0
ifconfig ath0_wlan0 monitor
ifconfig ath0_wlan0 #compare status
/usr/sbin/tcpdump -n -e -tttt -vvv -U -i ath0_wlan0 -s 0 -w ath0wlan0.dump &
sleep 20 && pkill -HUP -f /usr/sbin/tcpdump #FreeBSD sleep(1) takes a plain number of seconds, not "20s"
ifconfig ath0_wlan0 -monitor
ifconfig ath0_wlan0 #compare status
sleep 10
reboot
The output was:
ath0_wlan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 90:a4:de:c7:55:57
inet6 fe80::92a4:deff:fec7:5557%ath0_wlan0 prefixlen 64 scopeid 0x9
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
media: IEEE 802.11 Wireless Ethernet autoselect mode 11b <hostap>
status: running
ssid PfsenseBox channel 8 (2447 MHz 11b) bssid 90:a4:de:c7:55:57
regdomain ETSI country NL ecm authmode OPEN privacy OFF txpower 30
scanvalid 60 burst -apbridge dtimperiod 1 -dfs
ath0_wlan0: flags=48943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,MONITOR> metric 0 mtu 1500
ether 90:a4:de:c7:55:57
inet6 fe80::92a4:deff:fec7:5557%ath0_wlan0 prefixlen 64 scopeid 0x9
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
media: IEEE 802.11 Wireless Ethernet autoselect mode 11b <hostap>
status: running
ssid PfsenseBox channel 8 (2447 MHz 11b) bssid 90:a4:de:c7:55:57
regdomain ETSI country NL ecm authmode OPEN privacy OFF txpower 30
scanvalid 60 burst -apbridge dtimperiod 1 -dfs
tcpdump: WARNING: ath0_wlan0: no IPv4 address assigned
tcpdump: listening on ath0_wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes
57 packets captured
57 packets received by filter
0 packets dropped by kernel
ath0_wlan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 90:a4:de:c7:55:57
inet6 fe80::92a4:deff:fec7:5557%ath0_wlan0 prefixlen 64 scopeid 0x9
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
media: IEEE 802.11 Wireless Ethernet autoselect mode 11b <hostap>
status: running
ssid PfsenseBox channel 8 (2447 MHz 11b) bssid 90:a4:de:c7:55:57
regdomain ETSI country NL ecm authmode OPEN privacy OFF txpower 30
scanvalid 60 burst -apbridge dtimperiod 1 -dfs
So it seems to work; however, the dump file contains only SSH/HTTP/TCP packets and the like. I'm clearly missing something for Pfsense to be able to do this, but I can't google my way out of it.
I found http://sandilands.info/sgordon/capturing-wireless-lan-with-ubuntu-tcpdump-kismet which uses the same approach, except that they disable the WNIC before putting it in monitor mode. I tried this but to no avail. However, they mention something about special wireless drivers to enable the WNIC to support monitoring. Do I need to install, for example, the madwifi drivers?
PS: The output of ifconfig and pciconf -lv shows that ath0_wlan0 is cloned from ath0; I don't know whether it is of any importance:
$ ifconfig ath0
ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 2290
ether 90:a4:de:c7:55:57
media: IEEE 802.11 Wireless Ethernet autoselect mode 11b <hostap>
status: running
$ pciconf -lv
ath0@pci0:0:12:0: class=0x020000 card=0x1012185f chip=0x0013168c rev=0x01 hdr=0x00
class = network
subclass = ethernet
And the specifications of the WNIC:
http://www.msdist.co.uk/product_CM9-GP_Atheros_80211a-b-g_miniPCI_wireless_card.php
edit: If you haven't understood it from the output, the WNIC is normally running in AP mode.
-
Sorry for the double post; the modify button has vanished. Problem solved: http://forum.pfsense.org/index.php/topic,60995.msg328890.html#msg328890
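An added example, not from the thread, that checks the two things the first post's output reveals before a dump is trusted: the interface must actually carry the MONITOR flag, and tcpdump must open an 802.11 link type rather than "link-type EN10MB (Ethernet)" as the capture above reports, which is consistent with a dump that holds only Ethernet-style IP traffic and no 802.11 management or control frames. The tcpdump -y IEEE802_11_RADIO selector is a real option; the interface and output file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a monitor-mode
# capture setup. Text of ifconfig / tcpdump output is passed in as strings so
# the checks also run offline; the interface and file names are assumptions.

# Succeeds when the ifconfig output for an interface shows the MONITOR flag.
# $1: text of "ifconfig <iface>"
has_monitor_flag() {
    printf '%s\n' "$1" | grep -qi 'flags=[0-9a-fx]* *<[^>]*monitor[^>]*>'
}

# Succeeds when tcpdump's "listening on ..." line names an 802.11 link type
# (IEEE802_11 or IEEE802_11_RADIO); fails for EN10MB and anything else.
# $1: the tcpdump "listening on" line
dlt_is_80211() {
    case "$1" in
        *'link-type IEEE802_11_RADIO '*|*'link-type IEEE802_11 '*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the tcpdump command that asks for raw 802.11 frames plus radiotap
# headers: -y selects the link type, -e keeps the 802.11 header in the output.
# $1: interface, $2: output file
capture_cmd() {
    printf '/usr/sbin/tcpdump -n -e -i %s -y IEEE802_11_RADIO -s 0 -w %s\n' "$1" "$2"
}

# Combined verdict: succeeds only if both conditions hold.
# $1: ifconfig text, $2: tcpdump "listening on" line
capture_setup_ok() {
    has_monitor_flag "$1" && dlt_is_80211 "$2"
}

# Live check when an interface name is given on the command line.
if [ $# -gt 0 ]; then
    iface=$1
    if has_monitor_flag "$(ifconfig "$iface")"; then
        echo "$iface is in monitor mode; capture with:"
        capture_cmd "$iface" "${iface}.pcap"
    else
        echo "$iface is not in monitor mode (run: ifconfig $iface monitor)" >&2
        exit 1
    fi
fi
```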