tcpdump mailing list archives

Re: capturing 802.11 station attachment/detachment traffic


From: Michael Richardson <mcr () sandelman ca>
Date: Fri, 03 Oct 2025 12:01:57 -0400


Guy Harris <gharris () sonic net> wrote:
    >> This happens most often in the evening, during "prime TV" time.
    >> I think that I need to be capturing from the wifi monitor interface.
    >> That does not seem to still be a thing, so I'm not sure what to do.

    > It's A Long Story.  At this point, there is no general-purpose OS
    > whose monitor-mode support doesn't annoy me in some fashion.

I knew that there was more, but I just couldn't remember the right things to research.
(Are you implying that there might be a purpose-specific OS/distro/build?
If I have to run FreeBSD or Solaris-x86, that wouldn't be crazy)

    > As I understand it, for Linux, the "right" way to set up monitor mode,
    > at least with mac80211 devices, is to create a new "virtual interface"
    > in monitor mode, and capture on that.  See
    > https://wiki.wireshark.org/CaptureSetup/WLAN#linux - libpcap will do
    > that *if* built with libnl, but that's not how it's built by default,
    > so, unfortunately, the -I flag in tcpdump and {Wire,T}shark, and
    > Wireshark's monitor-mode checkbox, don't do the job.

I can build my own libpcap with libnl, and I have lots of boxes to which I
can just add a USB-wifi if they haven't got it already.  Are any chipsets
better than others?

With monitor mode, I think we have a different LINKTYPE?
Do we get to see channel number?  I will have to read source code.

    >> Some sequence of "ip link" or "iwconfig mode monitor" commands to turn the
    >> interface on, not associated with any SSID, and just listen.   But, what
    >> channel?

    > Whatever channel you're using on your wifi; you might have to do some
    > channel-hopping to find it if you don't know which one it is.  Sadly,
    > adding channel-setting APIs to libpcap, and changing tcpdump/Wireshark
    > to use them, hasn't been done.

Is there a way to put the radio into 802.11g mode, which I understand uses
all the 802.11b channels at the same time (using 802.11a modulation)?  If I
do that, would I be able to listen to all the 802.11b channels on receive only?

    > I don't know whether management frames will be encrypted (protected).
    > If they are, you'll need to, for example, use Wireshark/TShark and
    > provide the network password. See
    > https://wiki.wireshark.org/HowToDecrypt802.11 (I'm not sure whether
    > WPA3 can be handled.)

Parts of some mgmt frames might be encrypted.
Station attachment/detachment frames are not encrypted, which I think is the
fundamental problem/attack.   An attacker can forge a detach frame, kicking
anyone off.

    >> I obviously do not want to capture the entire netflix stream, but
    >> maybe -W filecount is the right answer to avoid missing stuff.

    > You might try using a filter to filter out 802.11 data frames and just
    > capture management and control frames.

I hesitate to do this for fear of missing something.

While I could filter out port 443, I can only do that if my monitor is
attached to my network, which means, I think, it is as likely to get kicked
out as any other system, and then it won't capture the very traffic I think
is the cause...

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr () sandelman ca  http://www.sandelman.ca/        |   ruby on rails    [
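As an added example (not from the thread, nor from tcpdump or libpcap), a small Python parser for the frames a monitor-mode capture produces: it walks the radiotap header that LINKTYPE_IEEE802_11_RADIOTAP (DLT 127) prepends, reads the channel frequency from it, and flags a burst of unprotected deauthentication/disassociation frames claiming one source address, which is what a forged detach looks like in a capture. The frame bytes are constructed inline as sample data; the field layouts follow the radiotap and IEEE 802.11 specifications, and the burst threshold is an assumed value.

```python
import struct
from collections import Counter

# Management subtypes that detach a station; 802.11w (PMF) authenticates them, otherwise anyone can forge them
DISASSOC, DEAUTH = 0x0A, 0x0C
# Radiotap fields that may precede Channel, as (present bit, alignment, size): TSFT, Flags, Rate
_RT_BEFORE_CHANNEL = [(0, 8, 8), (1, 1, 1), (2, 1, 1)]

def radiotap_channel(pkt):
    """Return (radiotap header length, channel frequency in MHz or None) for a DLT 127 frame."""
    version, _pad, it_len = struct.unpack_from("<BBH", pkt, 0)
    if version != 0 or it_len > len(pkt):
        raise ValueError("bad radiotap header")
    present, = struct.unpack_from("<I", pkt, 4)
    off, word = 8, present
    while word & 0x80000000:                 # extended present words chain via bit 31
        word, = struct.unpack_from("<I", pkt, off)
        off += 4
    for bit, align, size in _RT_BEFORE_CHANNEL:
        if present & (1 << bit):
            off = (off + align - 1) & ~(align - 1)   # radiotap fields are naturally aligned
            off += size
    if not present & (1 << 3):
        return it_len, None
    off = (off + 1) & ~1
    freq, _flags = struct.unpack_from("<HH", pkt, off)
    return it_len, freq

def parse_detach(pkt):
    """Return a dict describing a deauth/disassoc frame, or None for any other frame."""
    it_len, freq = radiotap_channel(pkt)
    fc, = struct.unpack_from("<H", pkt, it_len)
    subtype = (fc >> 4) & 0xF
    if ((fc >> 2) & 3) != 0 or subtype not in (DISASSOC, DEAUTH):
        return None
    mac = pkt[it_len + 4:it_len + 22]                   # addr1 (dst), addr2 (src), addr3 (bssid)
    reason, = struct.unpack_from("<H", pkt, it_len + 24)  # body follows the 24-byte MAC header
    return {"kind": "deauth" if subtype == DEAUTH else "disassoc",
            "dst": mac[0:6].hex(":"), "src": mac[6:12].hex(":"), "bssid": mac[12:18].hex(":"),
            "reason": reason, "freq": freq}

def detach_bursts(frames, threshold=3):
    """Sources sending >= threshold detach frames; a real AP kicks stations rarely, a forger floods."""
    counts = Counter(m["src"] for m in map(parse_detach, frames) if m)
    return {src: n for src, n in counts.items() if n >= threshold}

def sample_frame(subtype, src, dst, bssid, reason, freq=2437):
    """Constructed sample frame: radiotap (Flags, Rate, Channel) plus a minimal 802.11 header and body."""
    rt = struct.pack("<BBHIBBHH", 0, 0, 14, 0x0E, 0, 2, freq, 0x0080)
    hdr = struct.pack("<HH", subtype << 4, 0) + dst + src + bssid + b"\x00\x00"
    return rt + hdr + struct.pack("<H", reason)
```

Feed it the raw packet bytes of a monitor-mode tcpdump capture (read with any pcap reader); for live use, count per time window rather than per whole capture.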


_______________________________________________
tcpdump-workers mailing list -- tcpdump-workers () lists tcpdump org