Message-ID: <55157250.6030208@gmail.com>
Date: Fri, 27 Mar 2015 11:08:00 -0400
From: Richard Smith
To: Dave Taht, Isaac Konikoff
Cc: codel, cerowrt-devel, bloat
Subject: Re: [Cerowrt-devel] [Bloat] capturing packets and applying qdiscs
References: <55147C8A.4030804@candelatech.com>

On 03/26/2015 09:19 PM, Dave Taht wrote:
> For those of you that don't know how to do aircaps, it is pretty easy.
> We are going to be doing a lot more of this as make-wifi-fast goes
> along, so...
>
> install aircrack-ng via whatever means you have available (works best
> on ath9k, seems to work on iwl, don't know about other devices)
>
> run:
>
> airmon-ng start your_wifi_device your_channel

I've been doing a lot of this lately...

I would love to create a resource page (and I volunteer to help compile
and organize) for best practices and recipes on
sniffing/processing/understanding WiFi traffic. In my experience it's
fraught with conflicting and confusing instructions that have a lot of
context never described.

Installing airmon-ng isn't always an option. I've also had airmon-ng
fail a lot of times on iwl. I haven't used it much on the wndr because
I use 'iw' instead.

What is working well for me on most of the devices I've tried
(including iwl) is just to use 'iw' natively.

    iw interface add type monitor

So for example on a wndr box I use for sniffing I do:

    iw wlan1 interface add mon1 type monitor

Then you can set the channel with:

    iw wlan1 set channel 6

Generally to set the channel you need the interface to be down and
sometimes you have to just reboot the box to get the device back into a
known state where it will accept commands.

> This will create a monX device of some sort, which you can then
> capture with tshark or wireshark. There are all sorts of other cool
> features here where - for example - you can post-hoc decrypt a wpa
> session, etc.

Decrypting traffic has taken me quite a while to get working and I've
only had partial success. One forehead slapper is that you have to
capture the key exchange when the station connects to the network. You
can't just randomly start sniffing and then decrypt later with the WPA
pass phrase. Even then I have sessions I can't decrypt and I don't know
why. I'd love to hear recipes used by others that are working.

> We are in dire need of tools that can analyze aircap'd stuff at
> different rates, look at beacons, interpacket gaps, wireless g
> fallbacks, etc. If anyone knows of anything good, please post to the
> list.

One tool that has been informative for me looking at our work network
has been horst.

http://br1.einfach.org/tech/horst/

It's a live diagnostics tool but it would probably not take too much
work to modify it to be able to take a pcap file as input. The latest
git versions have good stuff that's not in the releases. If anyone
wants a git build for wndr3700v2 let me know and I'll pass it along.

Using horst I've discovered that the major reason our WiFi network
sucks is because 90% of the packets are sent at the 6mbit rate. Most of
the rest show up in the 12 and 24mbit zone with a tiny fraction of them
using the higher MCS rates.

Trying to couple the radiotap info with the packet decryption to
discover the sources of those low-bit rate packets is where I've been
running into difficulty. I can see the what but I haven't had much luck
on the why.

I totally agree with you that tools other than wireshark for analyzing
this seem to be non-existent.

-- 
Richard A. Smith
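
Added example (not part of the message above and not code from horst): a short Python script that reads a monitor-mode capture offline and counts frames per PHY rate from the radiotap header, the kind of rate breakdown described in the thread. It assumes a classic pcap file with radiotap link type (127); the function names and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

# Alignment and size of radiotap fields for present bits 0..19 (radiotap.org).
ALIGN = [8, 1, 1, 2, 2, 1, 1, 2, 2, 2, 1, 1, 1, 1, 2, 2, 1, 1, 4, 1]
SIZE = [8, 1, 1, 4, 2, 1, 1, 2, 2, 2, 1, 1, 1, 1, 2, 2, 1, 1, 8, 3]

def radiotap_rate(frame):
    """Return ('legacy', Mbit/s), ('mcs', index) or ('unknown', None)."""
    if len(frame) < 8 or frame[0] != 0:
        return ("unknown", None)
    hdr_len, present = struct.unpack_from("<HI", frame, 2)
    limit, off, word = min(hdr_len, len(frame)), 8, present
    while word & (1 << 31) and off + 4 <= limit:   # skip chained bitmaps
        (word,) = struct.unpack_from("<I", frame, off)
        off += 4
    for bit, (align, size) in enumerate(zip(ALIGN, SIZE)):
        if not present & (1 << bit):
            continue
        off = (off + align - 1) & ~(align - 1)     # aligned from header start
        if off + size > limit:
            break                                  # truncated header
        if bit == 2:                               # Rate, in 500 kbit/s units
            return ("legacy", frame[off] / 2)
        if bit == 19:                              # MCS: known, flags, index
            return ("mcs", frame[off + 2])
        off += size
    return ("unknown", None)

def rate_histogram(pcap):
    """Count frames per PHY rate in a classic pcap with radiotap link type."""
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", pcap, 0)[0])
    if end is None or struct.unpack_from(end + "I", pcap, 20)[0] != 127:
        raise ValueError("expected a pcap file with LINKTYPE 127 (radiotap)")
    hist, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from(end + "I", pcap, off + 8)[0]
        hist[radiotap_rate(pcap[off + 16:off + 16 + incl])] += 1
        off += 16 + incl
    return hist

def sample_pcap():
    """Constructed capture: two 6 Mbit/s frames and one MCS 7 frame."""
    legacy = struct.pack("<BBHIQBB", 0, 0, 18, 0x7, 0, 0, 12)
    ht = struct.pack("<BBHIBxHHBBB", 0, 0, 17, 0x8000A, 0, 2437, 0x480, 7, 0, 7)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 127)
    for f in (legacy, legacy, ht):
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

On a real capture, pass the file's bytes to rate_histogram(); pcapng files need converting to classic pcap first.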