tcpdump mailing list archives

Re: capturing 802.11 station attachment/detachment traffic


From: Guy Harris <gharris () sonic net>
Date: Thu, 2 Oct 2025 17:09:28 -0700

On Sep 22, 2025, at 9:15 AM, Michael Richardson <mcr () sandelman ca> wrote:

> This happens most often in the evening, during "prime TV" time.
> I think that I need to be capturing from the wifi monitor interface.
> That does not seem to still be a thing, so I'm not sure what to do.

It's A Long Story.  At this point, there is no general-purpose OS whose monitor-mode support doesn't annoy me in 
some fashion.

As I understand it, for Linux, the "right" way to set up monitor mode, at least with mac80211 devices, is to create a 
new "virtual interface" in monitor mode, and capture on that.  See https://wiki.wireshark.org/CaptureSetup/WLAN#linux - 
libpcap will do that *if* built with libnl, but that's not how it's built by default, so, unfortunately, the -I flag in 
tcpdump and {Wire,T}shark, and Wireshark's monitor-mode checkbox, don't do the job.

> Some sequence of "ip link" or "iwconfig mode monitor" commands to turn the
> interface on, not associated with any SSID, and just listen.   But, what
> channel?

Whatever channel you're using on your wifi; you might have to do some channel-hopping to find it if you don't know 
which one it is.  Sadly, adding channel-setting APIs to libpcap, and changing tcpdump/Wireshark to use them, hasn't 
been done.

I don't know whether management frames will be encrypted (protected).  If they are, you'll need to, for example, use 
Wireshark/TShark and provide the network password. See https://wiki.wireshark.org/HowToDecrypt802.11 (I'm not sure 
whether WPA3 can be handled.)

> I obviously do not want to capture the entire netflix stream, but
> maybe -W filecount is the right answer to avoid missing stuff.

You might try using a filter to filter out 802.11 data frames and just capture management and control frames.
_______________________________________________
tcpdump-workers mailing list -- tcpdump-workers () lists tcpdump org
To unsubscribe send an email to tcpdump-workers-leave () lists tcpdump org
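Putting the reply's advice together (monitor-mode virtual interface, a fixed channel, a ring of capture files, and a filter that drops data frames) as an added example script; it is not code from the thread or from the tcpdump project. It assumes Linux with a mac80211 driver, root privileges, the iw, ip and tcpdump tools, and placeholder interface and channel names (PHY_IFACE, MON_IFACE, CHANNEL) that you replace.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux with a mac80211 driver,
# the iw/ip/tcpdump tools, root privileges, and placeholder names for the
# radio interface and channel (PHY_IFACE, CHANNEL) that you replace.
set -eu

PHY_IFACE="${PHY_IFACE:-wlan0}"   # placeholder: your existing wifi interface
MON_IFACE="${MON_IFACE:-mon0}"    # placeholder: name for the new monitor vif
CHANNEL="${CHANNEL:-6}"           # placeholder: the channel your AP uses

# Filter from the reply: keep management and control frames, drop the
# 802.11 data frames that carry the video stream.
mgt_ctl_filter() {
    printf '%s' 'type mgt or type ctl'
}

# Narrower filter for station attach/detach only: the association,
# authentication and disassociation/deauthentication management subtypes,
# so beacons and probe requests/responses are not written either.
attach_detach_filter() {
    f=''
    for st in assoc-req assoc-resp reassoc-req reassoc-resp auth deauth disassoc; do
        f="${f:+$f or }type mgt subtype $st"
    done
    printf '%s' "$f"
}

# Create a separate monitor-mode virtual interface on the same radio, which
# the reply describes as the right approach for mac80211, and pin its channel.
setup_monitor() {
    iw dev "$PHY_IFACE" interface add "$MON_IFACE" type monitor
    ip link set "$MON_IFACE" up
    iw dev "$MON_IFACE" set channel "$CHANNEL"
}

# Capture into a ring of files: -C rotates every 100 MB, -W keeps 10 files,
# so a long evening of captures never fills the disk and nothing is missed
# because a single file grew too large.
capture_attach_events() {
    tcpdump -i "$MON_IFACE" -C 100 -W 10 -w attach.pcap "$(attach_detach_filter)"
}

if [ "${1:-}" = run ]; then
    setup_monitor
    capture_attach_events
fi
```

Both filters match on the frame control field, which stays in the clear even when management frame protection (802.11w) is enabled, so they still select the right frames; only the frame bodies would then need the decryption step the reply mentions.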
