Hi all, I have really big problems with radiotap-enabled captures, especially with the Atheros card/driver.
Let's proceed. My test system is a Fujitsu P7010, with FreeBSD 5.4-RELEASE:

[EMAIL PROTECTED] # uname -a
FreeBSD dagger.sunspot.org 5.4-RELEASE FreeBSD 5.4-RELEASE #1: Fri May 13 20:56:25 CEST 2005 [EMAIL PROTECTED]:/usr/src/sys/i386/compile/DAGGER i386

and my test card is a NetGear WG511T. Here follows a snippet from dmesg and the related sysctl variables:

[EMAIL PROTECTED] # dmesg | grep ^ath0
ath0: <Atheros 5212> mem 0xd0210000-0xd021ffff irq 11 at device 0.0 on cardbus0
ath0: mac 5.6 phy 4.1 5ghz radio 4.6
ath0: Ethernet address: 00:09:5b:92:ec:80
ath0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
ath0: 11g rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps

[EMAIL PROTECTED] # sysctl -a | grep -E '(^hw|^dev).ath'
hw.ath.hal.swba_backoff: 0
hw.ath.hal.sw_brt: 10
hw.ath.hal.dma_brt: 2
hw.ath.hal.version: 0.9.6.3
hw.ath.dump:
hw.ath.debug: 0
hw.ath.regdomain: 0
hw.ath.countrycode: 0
hw.ath.outdoor: 1
hw.ath.calibrate: 30
hw.ath.dwell: 200
dev.ath.0.%desc: Atheros 5212
dev.ath.0.%driver: ath
dev.ath.0.%location: slot=0 function=0
dev.ath.0.%pnpinfo: vendor=0x168c device=0x0013 subvendor=0x1385 subdevice=0x4b00 class=0x020000
dev.ath.0.%parent: cardbus0

The WG511T works well in BSS and IBSS modes with pretty decent FTP peaks of 2.80 MB/s, but when it goes into monitor mode it receives a lot of noise and pcap-enabled applications show a lot of "malformed packets":

[EMAIL PROTECTED] # tethereal -i ath0 -y IEEE802_11_RADIO
Warning: Couldn't obtain netmask info (ath0: no IPv4 address assigned).
Capturing on ath0
0.000000 -> IEEE 802.11 Unrecognized (Reserved frame)
0.070546 XXX.XX.5.57 -> XXX.XX.255.255 BROWSER Host Announcement XXXXXX280016, Workstation, Server, NT Workstation, Potential Browser
0.131467 XXX.XX.4.105 -> 255.255.255.255 UDP Source port: 2301 Destination port: 2301
0.141319 3comEuro_d5:b9:b8 -> Broadcast IEEE 802.11 Beacon frame, SSID: "............"[Malformed Packet]
0.192535 XXX.XX.1.55 -> XXX.XX.255.255 NBNS Name query NB PRINTERS<00>
0.221540 XXX.XX.1.30 -> Broadcast ARP Who has XXX.XX.7.55? Tell XXX.XX.1.30
adns warning: sendto failed: Network is unreachable (NS=XXX.XXX.2.12)
0.237164 XXX.XX.1.30 -> Broadcast ARP Who has XXX.XX.4.234? Tell XXX.XX.1.30
0.243721 3comEuro_d5:b9:b8 -> Broadcast IEEE 802.11 Beacon frame, SSID: "............"[Malformed Packet]
0.292573 XXX.XX.4.212 -> Broadcast ARP Who has XXX.XX.1.10? Tell XXX.XX.4.212
adns warning: sendto failed: Network is unreachable (NS=XXX.XXX.2.12)
0.325725 XXX.XX.1.11 -> Broadcast ARP Who has XXX.XX.7.37? Tell XXX.XX.1.11
adns warning: sendto failed: Network is unreachable (NS=XXX.XXX.2.12)
0.346129 3comEuro_d5:b9:b8 -> Broadcast IEEE 802.11 Beacon frame, SSID: "............"[Malformed Packet]
0.350925 HewlettP_7c:ab:31 -> HP LLC U P, func=TEST; SNAP, OUI 0x00805F (Unknown), PID 0x0002
0.351848 XXX.XX.255.115 -> Broadcast ARP XXX.XX.255.115 is at 00:0b:46:01:34:80
adns warning: sendto failed: Network is unreachable (NS=XXX.XXX.2.12)
0.382862 00000002.0030c12f2eff -> 00000002.ffffffffffff IPX SAP General Response
0.384205 00000002.0030c12f2eff -> 00000002.ffffffffffff IPX SAP General Response
0.386566 XXX.XX.6.125 -> XXX.XX.255.255 BROWSER Host Announcement XXXXXXFI008, Workstation, Server, SQL Server, NT Workstation, Potential Browser
0.448530 3comEuro_d5:b9:b8 -> Broadcast IEEE 802.11 Beacon frame, SSID: "............"[Malformed Packet]
0.473888 XXX.XX.1.10 -> Broadcast ARP Who has XXX.XX.7.98? Tell XXX.XX.1.10
adns warning: sendto failed: Network is unreachable (NS=XXX.XXX.2.12)
0.653333 3comEuro_d5:b9:b8 -> Broadcast IEEE 802.11 Beacon frame, SSID: "............"[Malformed Packet]

I see that here there is just one really noisy packet (the first one); if they would be helpful, I could capture a lot more of them this evening.

Another interesting thing is that when launching kismet with radiotab_fbsd_b and setting debug.ieee80211 to 1, the machine says:

[...]
ieee80211_newstate: SCAN -> SCAN
ieee80211_newstate: SCAN -> INIT
ieee80211_newstate: INIT -> RUN
ieee80211_newstate: invalid transition
ieee80211_newstate: RUN -> INIT
ieee80211_newstate: INIT -> RUN
ieee80211_newstate: invalid transition
ieee80211_newstate: RUN -> INIT
ieee80211_newstate: INIT -> RUN
ieee80211_newstate: invalid transition
ieee80211_newstate: RUN -> INIT
ieee80211_newstate: INIT -> RUN
ieee80211_newstate: invalid transition
ieee80211_newstate: RUN -> INIT
ieee80211_newstate: INIT -> RUN
ieee80211_newstate: invalid transition
ieee80211_newstate: RUN -> INIT
ieee80211_newstate: INIT -> RUN
ieee80211_newstate: invalid transition
[...]

until I shut down kismet, but maybe this is a kismet bug in channel hopping. Enabling hw.ath.debug, it says:

ath_stop: invalid 0 if_flags 0x48842
ath_newstate: SCAN -> INIT

Is this a known bug? How can I fix this?

Thanks in advance and sorry for my poor English,
Luca Micali

####### KERNEL CONFIG, what you don't see here is loaded as kld
machine i386
cpu I686_CPU
ident DAGGER
options SCHED_4BSD
options INET
options INET6
options FFS
options SOFTUPDATES
options UFS_ACL
options UFS_DIRHASH
options NFSCLIENT
options NFSSERVER
options LIBICONV
options EICON_DIVA
options MSDOSFS
options MSDOSFS_LARGE
options MSDOSFS_ICONV
options NTFS
options NTFS_ICONV
options CD9660
options CD9660_ICONV
options UDF
options UDF_ICONV
options PROCFS
options PSEUDOFS
options COMPAT_43
options SYSVSHM
options SYSVMSG
options SYSVSEM
options _KPOSIX_PRIORITY_SCHEDULING
options KBD_INSTALL_CDEV
device apic
device isa
device eisa
device pci
device ata
device atadisk
device atapicam
options ATA_STATIC_ID
device uhci
device ehci
device usb
device scbus
device da
device cd
device pass
device atkbdc
device atkbd
device psm
device vga
device sc
device splash
options SC_PIXEL_MODE
device agp
device npx
device apm
device acpi
device pty
device loop
device mem
device io
device random
device ether
device ppp
device tun
device bpf
device md