[solved] WiFi in monitor mode/sniffing WiFi traffic



  • Hello All,

    I'm trying to make pfSense/FreeBSD sniff packets from the neighbourhood.
    We're using an Atheros MiniPCI card that is capable of doing so.
    So far we've been using Linux for that and it worked like a charm with ath drivers.
    But so far it's not working the way it should on pfSense/FreeBSD…
    I've found this topic: http://forum.pfsense.org/index.php/topic,60995.0.html
    Configured my wlan card exactly the way that is shown there but I'm still not getting all of the packets I should.
    I'm getting only Beacon packets, some Probe requests/responses/acknowledgement packets (even got some data packets a few times) but if I start using my phone with a different AP none of the packets is detected.

    Does anybody know how I can set the WiFi card so it will work the way I want?
    Current interface status is:

    
    wlan1: flags=48943<up,broadcast,running,promisc,simplex,multicast,monitor> metric 0 mtu 1500
            ether 00:80:48:64:63:57
            inet6 fe80::280:48ff:fe64:6357%wlan1 prefixlen 64 scopeid 0xb
            nd6 options=43<performnud,accept_rtadv>
            media: IEEE 802.11 Wireless Ethernet autoselect (autoselect)
            status: no carrier
            ssid "" channel 5 (2432 MHz 11g)
            country US ecm authmode OPEN privacy OFF txpower 25.5 bmiss 7
            scanvalid 60 bgscan bgscanintvl 300 bgscanidle 250 roam:rssi 7
            roam:rate 5 protmode CTS wme burst bintval 0
    

    There is an AP set on this hotspot on interface ath0_wlan1 but I've also tried disabling it in pfSense and after reboot and creating wlan1 interface again nothing changed.

    EDIT: pfSense version is 2.03



  • Ok found it…

    Looks like the proper way to initialize the device in monitor mode is to do it in one line:

    ifconfig wlan create wlandev ath0 wlanmode monitor
    ifconfig wlan1 up
    

    And not in separate lines like in the thread I was looking at.

    And interface options for reference:

    wlan1: flags=8943<up,broadcast,running,promisc,simplex,multicast> metric 0 mtu 1500
            ether 00:80:48:64:63:57
            inet6 fe80::280:48ff:fe64:6357%wlan1 prefixlen 64 scopeid 0xb
            nd6 options=43<performnud,accept_rtadv>
            media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <monitor>
            status: running
            ssid "" channel 11 (2462 MHz 11g) bssid 00:80:48:64:63:57
            regdomain ETSI country NL ecm authmode OPEN privacy OFF txpower 30
            scanvalid 60 protmode OFF wme burst
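
Added example, not part of the original posts: a small `sh` check that tells the two `ifconfig` outputs in this thread apart, so a capture is only started on a clone that is really in monitor mode. The function names and the abridged sample text are constructed for illustration; the rule used (media line shows `<monitor>` and status is `running`) is taken only from the two outputs posted above.

```shell
#!/bin/sh
# Added example (not from the thread's authors).
# Assumption: a working monitor clone looks like the second output in the
# thread, i.e. "<monitor>" on the media line and "status: running".

# Reads `ifconfig wlanN` text on stdin; prints "monitor" or "not-monitor".
monitor_state() {
    awk '
        /media:/  { if (tolower($0) ~ /<monitor>/) media = 1 }
        /status:/ { if ($0 ~ /status: running/) running = 1 }
        END {
            if (media && running) print "monitor"
            else print "not-monitor"
        }
    '
}

# Constructed sample, abridged from the first post (only beacons/probes seen).
sample_first() {
cat <<'EOF'
wlan1: flags=48943<up,broadcast,running,promisc,simplex,multicast,monitor> metric 0 mtu 1500
        media: IEEE 802.11 Wireless Ethernet autoselect (autoselect)
        status: no carrier
        ssid "" channel 5 (2432 MHz 11g)
EOF
}

# Constructed sample, abridged from the second post (one-line create).
sample_fixed() {
cat <<'EOF'
wlan1: flags=8943<up,broadcast,running,promisc,simplex,multicast> metric 0 mtu 1500
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <monitor>
        status: running
        ssid "" channel 11 (2462 MHz 11g) bssid 00:80:48:64:63:57
EOF
}

# On a live box: sh this_script wlan1
if [ $# -gt 0 ]; then
    ifconfig "$1" | monitor_state
fi
```

Note that the `monitor` entry in the `flags=` list of the first output is not enough for this check; only the media line and status are considered.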
    


  • Could this be used to monitor traffic on an ethernet adapter? I'm curious where your output goes and in what form? Does all traffic hit the firewall log or do you direct it to an outboard device? I'm still interested in creating a mirror port within pfSense to pipe all LAN traffic to the ethernet port of an outboard box for analysis, filtering, etc. Needs to be one way traffic only.



  • Ok found it.

