[Cerowrt-devel] [Bloat] capturing packets and applying qdiscs

Richard Smith smithbone at gmail.com
Fri Mar 27 11:08:00 EDT 2015


On 03/26/2015 09:19 PM, Dave Taht wrote:

> For those of you that don't know how to do aircaps, it is pretty easy.
> We are going to be doing a lot more of this as make-wifi-fast goes
> along, so...
>
> install aircrack-ng via whatever means you have available (works best
> on ath9k, seems to work on iwl, don't know about other devices)
>
> run:
>
> airmon-ng start your_wifi_device your_channel

I've been doing a lot of this lately...  I would love to create a 
resource page (and I volunteer to help compile and organize) for best 
practices and recipes on sniffing/processing/understanding WiFi traffic. 
In my experience it's fraught with conflicting and confusing 
instructions that have a lot of context never described.

Installing airmon-ng isn't always an option.  I've also had airmon-ng 
fail a lot of times on iwl.  I haven't used it much on the wndr because 
I use 'iw' instead.

What is working well for me on most of the devices I've tried (including 
iwl) is just to use 'iw' natively.

iw <wlandevice> interface add <monitordevice> type monitor

So for example on a wndr box I use for sniffing I do:

iw wlan1 interface add mon1 type monitor

Then you can set the channel with:

iw wlan1 set channel 6

Generally to set the channel you need the interface to be down and 
sometimes you have to just reboot the box to get the device back into a 
known state where it will accept commands.

> This will create a monX device of some sort, which you can then
> capture with tshark or wireshark. There are all sorts of other cool
> features here where - for example - you can post-hoc decrypt a wpa
> session, etc.

Decrypting traffic has taken me quite a while to get working and I've 
only had partial success.  One forehead slapper is that you have to 
capture the key exchange when the station connects to the network.  You 
can't just randomly start sniffing and then decrypt later with the WPA 
pass phrase.  Even then I have sessions I can't decrypt and I don't know 
why.  I'd love to hear recipes used by others that are working.

> We are in dire need of tools that can analyze aircap'd stuff at
> different rates, look at beacons, interpacket gaps, wireless g
> fallbacks, etc. If anyone knows of anything good, please post to the
> list.

One tool that has been informative for me looking at our work network 
has been horst.  http://br1.einfach.org/tech/horst/

It's a live diagnostics tool but it would probably not take too much 
work to modify it to be able to take a pcap file as input.

The latest git versions have good stuff that's not in the releases.  If 
anyone wants a git build for wndr3700v2 let me know and I'll pass it along.

Using horst I've discovered that the major reason our WiFi network sucks 
is because 90% of the packets are sent at the 6mbit rate.  Most of the 
rest show up in the 12 and 24mbit zone with a tiny fraction of them 
using the higher MCS rates.

Trying to couple the radiotap info with the packet decryption to 
discover the sources of those low-bit rate packets is where I've been 
running into difficulty.  I can see the what but I haven't had much luck 
on the why.

I totally agree with you that tools other than wireshark for analyzing 
this seem to be non-existent.

-- 
Richard A. Smith



More information about the Cerowrt-devel mailing list