[Cerowrt-devel] [Bloat] capturing packets and applying qdiscs
smithbone at gmail.com
Fri Mar 27 11:08:00 EDT 2015
On 03/26/2015 09:19 PM, Dave Taht wrote:
> For those of you that don't know how to do aircaps, it is pretty easy.
> We are going to be doing a lot more of this as make-wifi-fast goes
> along, so...
> install aircrack-ng via whatever means you have available (works best
> on ath9k, seems to work on iwl, don't know about other devices)
> airmon-ng start your_wifi_device your_channel
I've been doing a lot of this lately... I would love to create a
resource page (and I volunteer to help compile and organize) for best
practices and recipes on sniffing/processing/understanding WiFi traffic.
In my experience it's fraught with conflicting and confusing
instructions that have a lot of context never described.
Installing airmon-ng isn't always an option. I've also had airmon-ng
fail a lot of times on iwl. I haven't used it much on the wndr because
I use 'iw' instead.
What is working well for me on most of the devices I've tried (including
iwl) is just to use 'iw' natively.
iw <wlandevice> interface add <monitordevice> type monitor
So for example on a wndr box I use for sniffing I do:
iw wlan1 interface add mon1 type monitor
Then you can set the channel with:
iw wlan1 set channel 6
Generally to set the channel you need the interface to be down and
sometimes you have to just reboot the box to get the device back in to a
known state where it will accept commands.
> This will create a monX device of some sort, which you can then
> capture with tshark or wireshark. There are all sorts of other cool
> features here where - for example - you can post-hoc decrypt a wpa
> session, etc.
Decrypting traffic has taken me quite a while to get working and I've
only had partial success. One forehead slapper is that you have to
capture the key exchange when the station connects to the network. You
can't just randomly start sniffing and then decrypt later with the WPA
pass phrase. Even then I have sessions I can't decrypt and I don't know
why. I'd love to hear recipes used by others that are working.
> We are in dire need of tools that can analyze aircap'd stuff at
> different rates, look at beacons, interpacket gaps, wireless g
> fallbacks, etc. If anyone knows f anything good, please post to the
One tool that has been informative for me looking at our work network
has been horst. http://br1.einfach.org/tech/horst/
It's a live diagnostics tool but it would probably not take too much
work to modify it to be able to take a pcap file as input.
The latest git versions have good stuff thats not in the releases. If
anyone wants a git build for wndr3700v2 let me know and I'll pass it along.
Using horst I've discovered that the major reason our WiFi network sucks
is because 90% of the packets are sent at the 6mbit rate. Most of the
rest show up in the 12 and 24mbit zone with a tiny fraction of them
using the higher MCS rates.
Trying to couple the radiotap info with the packet decryption to
discover the sources of those low-bit rate packets is where I've been
running into difficulty. I can see the what but I haven't had much luck
on the why.
I totally agree with you that tools other than wireshark for analyzing
this seem to be non-existent.
Richard A. Smith
More information about the Cerowrt-devel