Ethereal-users: Re: [Ethereal-users] Wireless sniffing - FreeBSD 4.5 + Cisco LMC352?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Doug Ambrisko <ambrisko@xxxxxxxxxxxx>
Date: Wed, 12 Jun 2002 10:15:35 -0700 (PDT)
Guy Harris writes:
| On Tue, Jun 11, 2002 at 01:41:06PM -0400, an ethereal user wrote:
| > > You said you were running FreeBSD 4.5 you need to upgrade to
| > > FreeBSD-stable or 4.6 when it comes out.  You need this fix:
| > >   MFC:  LEAP, support for Linux "acu" private ioctls, fix 802.11 RFMON
| > >         gap problem, support for Home key, add support for multiple
| > >         SSIDs via ifmedia and some minor bug fixes, install header files in
| > >         /usr/include/dev/an and in general sync with -current.
| > >
| > 
| > I installed 4.6-RC2, and now I'm seeing higher-level protocol info :)
| > 
| > BUT!
| > 
| > Now 802.11 beacons are mangled.  Kismet now reports all networks as
| > <no ssid> and Ethereal says "Malformed Packet"
| > Check out http://www.severus.org/wifi-caps/sample
| 
| Well, the first frame in that capture *does* look malformed - there's an
| information element at the end that, at least as I read 802.11-1999, is
| a TIM element, and the octet following the octet with the value 5
| (meaning TIM) has the value 4, meaning 4 bytes of information following
| the element ID and the length, but there are only 2 bytes of information
| following the length.
|
| It could be that the driver isn't properly handling those frames, or
| that the network card isn't correctly supplying them to the host, or
| that whatever device sent the frame is mangling them.
| 
| Doug, any ideas?

Huh, I don't see anything strange with it?  The beacons look fine 
except when there are typical RF collisions that mangle packets.

	http://www.ambrisko.com:/doug/an/doug.jpg

Packet "1" looks okay to me ... am I on drugs I don't know about????

At work we have lots of APs and see lots of spammed packets and then
a slow network.

I'll try to do some experiments and see what happens.  I know some other
people that have played with it and didn't have any trouble.  People
have been using the Aironet card in 802.11 sniff mode and in the "Aironet"
frame and haven't reported problems.

BTW what mode are you running it in (ancontrol -M <what>)?  In a noisy
environment I usually skip beacons since that pegs the system processing
all of those packets.

| > I'm not going to worry too much about this until 4.6 is officially
| > released.  Does anyone know if monitor mode is ever going to be 
| > natively supported by OpenBSD?  Can the FreeBSD driver/ancontrol be 
| > ported?

Absolutely.  If you look, the {Net,Open}BSD driver came from the
FreeBSD driver code.  Someone just has to bring over the patches.
It should be fairly trivial to do.  I don't run {Net,Open}BSD but
do watch them a little and get patches from them as well as Linux.

Doug A.
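
The length check Guy Harris describes (a TIM element that declares 4 bytes of information with only 2 bytes left in the frame), as an added example that is not part of the original message and is not Ethereal's dissector code. The function name and the sample bytes are constructed for illustration; the input is assumed to be the element area of a management frame with the fixed fields already stripped.

```python
from typing import List, Optional, Tuple

# Element IDs named here are from 802.11-1999; 5 is TIM, as in the thread.
ELEMENT_NAMES = {0: "SSID", 1: "Supported Rates", 3: "DS Parameter Set", 5: "TIM"}


def parse_elements(body: bytes) -> Tuple[List[Tuple[int, bytes]], Optional[str]]:
    """Walk ID/length/value elements with bounds checks.

    `body` is the element area only (in a beacon, what follows the 12 bytes
    of fixed fields). Returns (complete elements, description of the first
    truncated element or None).
    """
    elements: List[Tuple[int, bytes]] = []
    offset = 0
    while offset < len(body):
        if len(body) - offset < 2:
            return elements, f"offset {offset}: element header truncated"
        elem_id, length = body[offset], body[offset + 1]
        available = len(body) - (offset + 2)
        if length > available:
            # Never read past the captured frame.
            name = ELEMENT_NAMES.get(elem_id, "unknown")
            return elements, (
                f"offset {offset}: element {elem_id} ({name}) declares "
                f"{length} bytes, only {available} remain"
            )
        elements.append((elem_id, body[offset + 2 : offset + 2 + length]))
        offset += 2 + length
    return elements, None


# Constructed sample bytes, not taken from the capture linked in the thread.
GOOD = (
    bytes([0, 4]) + b"test"                     # SSID
    + bytes([1, 4, 0x82, 0x84, 0x0B, 0x16])     # Supported Rates
    + bytes([3, 1, 6])                          # DS Parameter Set
    + bytes([5, 4, 0, 1, 0, 0])                 # TIM, 4 bytes of information
)
TRUNCATED = GOOD[:-2]  # same TIM header, but only 2 information bytes follow

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("truncated", TRUNCATED)):
        parsed, error = parse_elements(sample)
        print(label, [ELEMENT_NAMES.get(i, i) for i, _ in parsed], error)
```

The elements parsed before the truncated one are still returned, so an SSID that precedes a damaged TIM remains readable.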