Brian Candler
2016-07-25 07:40:54 UTC
I am trying to get monitor mode working on a Macmini6,2 (late 2012
server) running Linux. This device has built-in Broadcom wifi which
works with the b43 driver. However in monitor mode I can only see Beacon
and Probe frames, not user traffic.
OS: Ubuntu 14.04, but with the linux-generic-lts-xenial kernel (4.4.0).
The server is connected to wired ethernet at the moment, so the wifi
interface is unused apart from this attempt to monitor other wireless
traffic.
The broadcom device has PCI ID *14e4:4331* which I see listed as
supported at
<https://wireless.wiki.kernel.org/en/users/Drivers/b43#Known_PCI_devices>
Here is how I'm trying to set it up, following
<http://sandilands.info/sgordon/capturing-wireless-lan-with-ubuntu-tcpdump-kismet>
# ifconfig wlan0 down
# iwconfig wlan0 mode monitor
# iwconfig wlan0
wlan0 IEEE 802.11bg Mode:Monitor Tx-Power=0 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:on
# ifconfig wlan0 up
# iwconfig wlan0 chan 6
# tcpdump -i wlan0 -n -s0 -c 10000 -w file.pcap
tcpdump: WARNING: wlan0: no IPv4 address assigned
tcpdump: listening on wlan0, link-type IEEE802_11_RADIO (802.11 plus
radiotap header), capture size 65535 bytes
Then I try generating some wireless traffic on the same channel from a
different device. But the results only show frames which are "Beacon",
"Probe Request" or "Probe Response":
# tcpdump -r file.pcap | wc -l
reading from file file.pcap, link-type IEEE802_11_RADIO (802.11 plus
radiotap header)
1913
# tcpdump -r file.pcap | egrep -v 'Beacon|Probe Request|Probe Response'
reading from file file.pcap, link-type IEEE802_11_RADIO (802.11 plus
radiotap header)
#
I did notice "Power Management:on" in the iwconfig output, but I can't
turn it off:
# ifconfig wlan0 down
# iwconfig wlan0 power off
Error for wireless request "Set Power Management" (8B2C) :
SET failed on device wlan0 ; Invalid argument.
Any ideas what I'm missing? According to
<https://www.aircrack-ng.org/doku.php?id=b43> b43 should have quite good
support for monitor mode.
Many thanks,
Brian Candler.
P.S. Additional chipset/module information
# lsmod | grep b43
b43 413696 0
mac80211 733184 1 b43
cfg80211 557056 2 b43,mac80211
ssb 65536 1 b43
bcma 53248 1 b43
# lspci -vnn | grep 14e4
01:00.0 Ethernet controller [0200]: Broadcom Corporation NetXtreme
BCM57766 Gigabit Ethernet PCIe [14e4:1686] (rev 01)
Subsystem: Broadcom Corporation NetXtreme BCM57766 Gigabit Ethernet
PCIe [14e4:1686]
01:00.1 SD Host controller [0805]: Broadcom Corporation BCM57765/57785
SDXC/MMC Card Reader [14e4:16bc] (rev 01) (prog-if 01)
Subsystem: Broadcom Corporation Device [14e4:0000]
02:00.0 Network controller [0280]: Broadcom Corporation BCM4331
802.11a/b/g/n [14e4:4331] (rev 02)
# modinfo b43
filename:
/lib/modules/4.4.0-28-generic/kernel/drivers/net/wireless/b43/b43.ko
firmware: b43/ucode9.fw
firmware: b43/ucode5.fw
firmware: b43/ucode16_mimo.fw
firmware: b43/ucode15.fw
firmware: b43/ucode14.fw
firmware: b43/ucode13.fw
firmware: b43/ucode11.fw
license: GPL
author: Rafał Miłecki
author: Gábor Stefanik
author: Michael Buesch
author: Stefano Brivio
author: Martin Langer
description: Broadcom B43 wireless driver
srcversion: 6046FCC9190ABD5D296D2D2
alias: ssb:v4243id0812rev10*
alias: ssb:v4243id0812rev0F*
alias: ssb:v4243id0812rev0D*
alias: ssb:v4243id0812rev0C*
alias: ssb:v4243id0812rev0B*
alias: ssb:v4243id0812rev0A*
alias: ssb:v4243id0812rev09*
alias: ssb:v4243id0812rev07*
alias: ssb:v4243id0812rev06*
alias: ssb:v4243id0812rev05*
alias: bcma:m04BFid0812rev2Acl*
alias: bcma:m04BFid0812rev28cl*
alias: bcma:m04BFid0812rev1Ecl*
alias: bcma:m04BFid0812rev1Dcl*
alias: bcma:m04BFid0812rev1Ccl*
alias: bcma:m04BFid0812rev18cl*
alias: bcma:m04BFid0812rev17cl*
alias: bcma:m04BFid0812rev15cl*
alias: bcma:m04BFid0812rev11cl*
depends: mac80211,ssb,bcma,cfg80211
intree: Y
vermagic: 4.4.0-28-generic SMP mod_unload modversions
parm: bad_frames_preempt:enable(1) / disable(0) Bad Frames
Preemption (int)
parm: fwpostfix:Postfix for the .fw files to load. (string)
parm: hwpctl:Enable hardware-side power control (default off)
(int)
parm: nohwcrypt:Disable hardware encryption. (int)
parm: hwtkip:Enable hardware tkip. (int)
parm: qos:Enable QOS support (default on) (int)
parm: btcoex:Enable Bluetooth coexistence (default on) (int)
parm: verbose:Log message verbosity: 0=error, 1=warn,
2=info(default), 3=debug (int)
parm: pio:Use PIO accesses by default: 0=DMA, 1=PIO (int)
parm: allhwsupport:Enable support for all hardware (even it if
overlaps with the brcmsmac driver) (int)
# modinfo b43legacy
filename:
/lib/modules/4.4.0-28-generic/kernel/drivers/net/wireless/b43legacy/b43legacy.ko
firmware: b43legacy/ucode4.fw
firmware: b43legacy/ucode2.fw
license: GPL
author: Michael Buesch
author: Stefano Brivio
author: Martin Langer
description: Broadcom B43legacy wireless driver
srcversion: 8AD21A1A794B063800B1A08
alias: ssb:v4243id0812rev04*
alias: ssb:v4243id0812rev02*
depends: mac80211,ssb,cfg80211
intree: Y
vermagic: 4.4.0-28-generic SMP mod_unload modversions
parm: pio:enable(1) / disable(0) PIO mode (int)
parm: bad_frames_preempt:enable(1) / disable(0) Bad Frames
Preemption (int)
parm: fwpostfix:Postfix for the firmware files to load. (string)
# head /sys/module/b43/parameters/*
==> /sys/module/b43/parameters/allhwsupport <==
0
==> /sys/module/b43/parameters/bad_frames_preempt <==
0
==> /sys/module/b43/parameters/btcoex <==
1
==> /sys/module/b43/parameters/fwpostfix <==
==> /sys/module/b43/parameters/hwpctl <==
0
==> /sys/module/b43/parameters/hwtkip <==
0
==> /sys/module/b43/parameters/nohwcrypt <==
0
==> /sys/module/b43/parameters/pio <==
0
==> /sys/module/b43/parameters/qos <==
1
==> /sys/module/b43/parameters/verbose <==
2
# dmesg | egrep 'b43|wlan0'
[ 3.994522] b43-phy0: Broadcom 4331 WLAN found (core revision 29)
[ 3.994897] b43-phy0: Found PHY: Analog 9, Type 7 (HT), Revision 1
[ 3.994906] b43-phy0: Found Radio: Manuf 0x17F, ID 0x2059, Revision
0, Version 1
[ 3.994907] b43-phy0 warning: 5 GHz band is unsupported on this PHY
[488620.730061] b43-phy0: Loading firmware version 666.2 (2011-02-23
01:15:07)
[488629.221640] device wlan0 entered promiscuous mode
[488695.406184] device wlan0 left promiscuous mode
server) running Linux. This device has built-in Broadcom wifi which
works with the b43 driver. However in monitor mode I can only see Beacon
and Probe frames, not user traffic.
OS: Ubuntu 14.04, but with the linux-generic-lts-xenial kernel (4.4.0).
The server is connected to wired ethernet at the moment, so the wifi
interface is unused apart from this attempt to monitor other wireless
traffic.
The broadcom device has PCI ID *14e4:4331* which I see listed as
supported at
<https://wireless.wiki.kernel.org/en/users/Drivers/b43#Known_PCI_devices>
Here is how I'm trying to set it up, following
<http://sandilands.info/sgordon/capturing-wireless-lan-with-ubuntu-tcpdump-kismet>
# ifconfig wlan0 down
# iwconfig wlan0 mode monitor
# iwconfig wlan0
wlan0 IEEE 802.11bg Mode:Monitor Tx-Power=0 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:on
# ifconfig wlan0 up
# iwconfig wlan0 chan 6
# tcpdump -i wlan0 -n -s0 -c 10000 -w file.pcap
tcpdump: WARNING: wlan0: no IPv4 address assigned
tcpdump: listening on wlan0, link-type IEEE802_11_RADIO (802.11 plus
radiotap header), capture size 65535 bytes
Then I try generating some wireless traffic on the same channel from a
different device. But the results only show frames which are "Beacon",
"Probe Request" or "Probe Response":
# tcpdump -r file.pcap | wc -l
reading from file file.pcap, link-type IEEE802_11_RADIO (802.11 plus
radiotap header)
1913
# tcpdump -r file.pcap | egrep -v 'Beacon|Probe Request|Probe Response'
reading from file file.pcap, link-type IEEE802_11_RADIO (802.11 plus
radiotap header)
#
I did notice "Power Management:on" in the iwconfig output, but I can't
turn it off:
# ifconfig wlan0 down
# iwconfig wlan0 power off
Error for wireless request "Set Power Management" (8B2C) :
SET failed on device wlan0 ; Invalid argument.
Any ideas what I'm missing? According to
<https://www.aircrack-ng.org/doku.php?id=b43> b43 should have quite good
support for monitor mode.
Many thanks,
Brian Candler.
P.S. Additional chipset/module information
# lsmod | grep b43
b43 413696 0
mac80211 733184 1 b43
cfg80211 557056 2 b43,mac80211
ssb 65536 1 b43
bcma 53248 1 b43
# lspci -vnn | grep 14e4
01:00.0 Ethernet controller [0200]: Broadcom Corporation NetXtreme
BCM57766 Gigabit Ethernet PCIe [14e4:1686] (rev 01)
Subsystem: Broadcom Corporation NetXtreme BCM57766 Gigabit Ethernet
PCIe [14e4:1686]
01:00.1 SD Host controller [0805]: Broadcom Corporation BCM57765/57785
SDXC/MMC Card Reader [14e4:16bc] (rev 01) (prog-if 01)
Subsystem: Broadcom Corporation Device [14e4:0000]
02:00.0 Network controller [0280]: Broadcom Corporation BCM4331
802.11a/b/g/n [14e4:4331] (rev 02)
# modinfo b43
filename:
/lib/modules/4.4.0-28-generic/kernel/drivers/net/wireless/b43/b43.ko
firmware: b43/ucode9.fw
firmware: b43/ucode5.fw
firmware: b43/ucode16_mimo.fw
firmware: b43/ucode15.fw
firmware: b43/ucode14.fw
firmware: b43/ucode13.fw
firmware: b43/ucode11.fw
license: GPL
author: Rafał Miłecki
author: Gábor Stefanik
author: Michael Buesch
author: Stefano Brivio
author: Martin Langer
description: Broadcom B43 wireless driver
srcversion: 6046FCC9190ABD5D296D2D2
alias: ssb:v4243id0812rev10*
alias: ssb:v4243id0812rev0F*
alias: ssb:v4243id0812rev0D*
alias: ssb:v4243id0812rev0C*
alias: ssb:v4243id0812rev0B*
alias: ssb:v4243id0812rev0A*
alias: ssb:v4243id0812rev09*
alias: ssb:v4243id0812rev07*
alias: ssb:v4243id0812rev06*
alias: ssb:v4243id0812rev05*
alias: bcma:m04BFid0812rev2Acl*
alias: bcma:m04BFid0812rev28cl*
alias: bcma:m04BFid0812rev1Ecl*
alias: bcma:m04BFid0812rev1Dcl*
alias: bcma:m04BFid0812rev1Ccl*
alias: bcma:m04BFid0812rev18cl*
alias: bcma:m04BFid0812rev17cl*
alias: bcma:m04BFid0812rev15cl*
alias: bcma:m04BFid0812rev11cl*
depends: mac80211,ssb,bcma,cfg80211
intree: Y
vermagic: 4.4.0-28-generic SMP mod_unload modversions
parm: bad_frames_preempt:enable(1) / disable(0) Bad Frames
Preemption (int)
parm: fwpostfix:Postfix for the .fw files to load. (string)
parm: hwpctl:Enable hardware-side power control (default off)
(int)
parm: nohwcrypt:Disable hardware encryption. (int)
parm: hwtkip:Enable hardware tkip. (int)
parm: qos:Enable QOS support (default on) (int)
parm: btcoex:Enable Bluetooth coexistence (default on) (int)
parm: verbose:Log message verbosity: 0=error, 1=warn,
2=info(default), 3=debug (int)
parm: pio:Use PIO accesses by default: 0=DMA, 1=PIO (int)
parm: allhwsupport:Enable support for all hardware (even it if
overlaps with the brcmsmac driver) (int)
# modinfo b43legacy
filename:
/lib/modules/4.4.0-28-generic/kernel/drivers/net/wireless/b43legacy/b43legacy.ko
firmware: b43legacy/ucode4.fw
firmware: b43legacy/ucode2.fw
license: GPL
author: Michael Buesch
author: Stefano Brivio
author: Martin Langer
description: Broadcom B43legacy wireless driver
srcversion: 8AD21A1A794B063800B1A08
alias: ssb:v4243id0812rev04*
alias: ssb:v4243id0812rev02*
depends: mac80211,ssb,cfg80211
intree: Y
vermagic: 4.4.0-28-generic SMP mod_unload modversions
parm: pio:enable(1) / disable(0) PIO mode (int)
parm: bad_frames_preempt:enable(1) / disable(0) Bad Frames
Preemption (int)
parm: fwpostfix:Postfix for the firmware files to load. (string)
# head /sys/module/b43/parameters/*
==> /sys/module/b43/parameters/allhwsupport <==
0
==> /sys/module/b43/parameters/bad_frames_preempt <==
0
==> /sys/module/b43/parameters/btcoex <==
1
==> /sys/module/b43/parameters/fwpostfix <==
==> /sys/module/b43/parameters/hwpctl <==
0
==> /sys/module/b43/parameters/hwtkip <==
0
==> /sys/module/b43/parameters/nohwcrypt <==
0
==> /sys/module/b43/parameters/pio <==
0
==> /sys/module/b43/parameters/qos <==
1
==> /sys/module/b43/parameters/verbose <==
2
# dmesg | egrep 'b43|wlan0'
[ 3.994522] b43-phy0: Broadcom 4331 WLAN found (core revision 29)
[ 3.994897] b43-phy0: Found PHY: Analog 9, Type 7 (HT), Revision 1
[ 3.994906] b43-phy0: Found Radio: Manuf 0x17F, ID 0x2059, Revision
0, Version 1
[ 3.994907] b43-phy0 warning: 5 GHz band is unsupported on this PHY
[488620.730061] b43-phy0: Loading firmware version 666.2 (2011-02-23
01:15:07)
[488629.221640] device wlan0 entered promiscuous mode
[488695.406184] device wlan0 left promiscuous mode