Experiment: creating a virtual monitor-mode interface and reading RSSI
Create a virtual wireless interface, sniff the WiFi frames in the air, and read their RSSI values.
To sniff the WiFi frames in the air, we need to do two things:
Create a virtual wireless interface in monitor mode
Install tcpdump to read the frame information
Creating a virtual monitor-mode wireless interface
In OpenWRT, the wireless interface configuration lives in /etc/config/wireless.
Our configuration file looks like this:
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/qca953x_wmac'
option htmode 'HT20'
option hwmode '11ng'
option txpower '20'
option channel '1'
config wifi-iface
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'GL-AR300M-26b'
option encryption 'psk-mixed'
option key 'goodlife'
option wds '1'
option ifname 'wlan0'
config wifi-iface 'sta'
option device 'radio0'
option ifname 'wlan-sta'
option network 'wwan'
option mode 'sta'
option ssid 'MBWCL711'
option key '140.113.144.123'
option encryption 'psk2'
config wifi-iface
option device 'radio0'
option mode 'monitor'
The file starts by defining the radio device (wifi-device). Here we can see the common wireless settings such as the channel, the transmit power (txpower) and the PHY mode (hwmode).
One radio device can be defined as several interfaces. For example, this wireless card is already configured in two different modes: AP and STA. This is because we connect the device (as a STA) to the lab's wireless network to obtain connectivity, and then use that uplink to serve as a WiFi AP that reaches the Internet; the device therefore behaves like a range extender.
To sniff WiFi frames, we add one more virtual interface in monitor mode. In our tests, capturing frames with tcpdump requires the interface to run in monitor mode; neither STA nor AP mode supports it.
With iwinfo (the counterpart of the older iwconfig) we can see the state of these virtual interfaces under Linux; mainly we want to find the names the system assigns to them. The query shows three devices, wlan-sta, wlan0 and wlan0-1, corresponding to STA, AP and monitor mode.
After changing the configuration, run the command wifi to reload the wireless configuration.
Besides AP and user (STA) mode, WiFi has several less common modes. Whether they are supported usually depends on the Wi-Fi card and its driver. A brief summary:
Master mode (AP): provides wireless access
Managed mode (station, user): a device that connects to an AP
Monitor mode: receives every frame but transmits nothing
Ad-Hoc, Secondary, Repeater, ...
Installing tcpdump
tcpdump is a tool similar to Wireshark that captures packets and records their information. In Chaos Calmer and later releases, tcpdump can be installed directly with opkg:
opkg update
opkg install tcpdump
With the interface configured as above, we can use tcpdump to sniff the frames transmitted over the air:
$ tcpdump -ne -y ieee802_11_radio -i wlan0-1
This command captures every frame the interface hears; the result is shown in the figure below.
If we only want the frames of one particular device, we can pipe the output through grep for that device's MAC address. Besides printing the frames on screen, we can also write the captured frames to a file:
$ tcpdump -ne -y ieee802_11_radio -i wlan0-1 -w capture_dump
Here capture_dump is the file name; its format (TSFS) is the one Wireshark uses, so the saved file can also be opened in Wireshark for further analysis.
Wireshark is a free, open-source network packet analyser that can capture wired (Ethernet) and wireless (WiFi, Bluetooth) traffic. It lists the received packets in time order and provides packet filtering. Download: https://www.wireshark.org/download.html
We also provide a tcpdump file from an earlier experiment; open it in Wireshark first to see the format of the captured frames. Download here:
Frame types in the tcpdump output
Looking at the captured frames, they fall into three categories. The first is control frames such as RTS and CTS; they carry the RSSI, data rate, frequency band and MAC addresses, as shown below:
18:00:21.406991 10748606476us tsft 24.0 Mb/s 2412 MHz 11g -69dB signal [bit 29] 11:63 TA:00:22:2d:80:1f:30 Request-To-Send
18:00:21.406991 10748606476us tsft 24.0 Mb/s 2412 MHz 11g -69dB signal [bit 29] RA:00:22:2d:80:1f:30 Clear-To-Send
18:00:21.407000 10748606615us tsft 24.0 Mb/s 2412 MHz 11g -69dB signal [bit 29] RA:00:22:2d:80:1f:30 BA
18:00:21.407010 10748606807us tsft 12.0 Mb/s 2412 MHz 11g -76dB signal [bit 29] RA:e4:95:6e:44:82:6b Acknowledgment
The second is ordinary data frames. These show the RSSI, MCS mode, frequency band, channel bandwidth and MAC addresses; antenna 0 refers to the number of the physical antenna.
18:00:21.349734 10748546713us tsft 2412 MHz 11g antenna 0 26.0 Mb/s MCS 3 20 MHz lon GI RX-STBC0 [bit 20] CF +QoS BSSID:00:22:2d:80:1f:30 SA:94:e9:79:d0:11:63 DA:00:22:2d:80:1f:30 Data IV:efd7 Pad 20 KeyID 0
18:00:21.349769 10748549498us tsft 2412 MHz 11g -70dB signal 26.0 Mb/s MCS 3 20 MHz lon GI RX-STBC0 [bit 20] CF +QoS BSSID:00:22:2d:80:1f:30 SA:94:e9:79:d0:11:63 DA:00:22:2d:80:1f:30 Data IV:efd8 Pad 20 KeyID 0
The last is the Beacon frames sent by the AP, which reveal the AP's wireless settings: the SSID, PHY mode, supported rates and encryption method.
18:00:21.460528 10748657838us tsft 1.0 Mb/s 2412 MHz 11b -76dB signal [bit 29] BSSID:00:22:2d:80:1f:30 DA:ff:ff:ff:ff:ff:ff SA:00:22:2d:80:1f:30 Beacon (MBWCL711) [1.0* 2.0* 5.5* 11.0* 9.0 18.0 36.0 54.0 Mbit] ESS CH: 1, PRIVACY
Verifying the sniffed frames
In later experiments we noticed that, when a device was transmitting on 2.4GHz, the 5GHz interface sometimes also reported an RSSI for its frames. This contradicts our experience: 2.4GHz and 5GHz are different frequencies, so in theory a card should not hear frames outside its own band. To verify the phenomenon we set up a test: the device associates with the WiFi AP on 5GHz, and we sniff on both the AP's 5GHz and 2.4GHz interfaces at the same time. Below is the result on the 5GHz interface after about one minute of sniffing (only the tail is shown):
12:58:06.267229 2846682110us tsft 5180 MHz 11a -78dBm signal User 0 MCS 3 BCC FEC 80 MHz short GI -78dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e4:95:6e:4b:3f:14 LLC, dsap SNAP (0xaa) Individual, ssap SNAP (0xaa) Command, ctrl 0x03: oui Ethernet (0x000000), ethertype IPv4 (0x0800), length 135: 192.168.9.137.39329 > 47.97.127.178.443: Flags [P.], seq 1163:1258, ack 9240, win 443, length 95
12:58:06.267461 2846682279us tsft 24.0 Mb/s 5180 MHz 11a -71dBm signal -71dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:15
12:58:06.394818 6.0 Mb/s [bit 15] DA:80:7a:bf:6d:a0:37 BSSID:e6:95:6e:4b:3f:15 SA:e4:95:6e:4b:3f:14 Data IV:3aaaa Pad 0 KeyID 0
12:58:06.395007 6.0 Mb/s [bit 15] DA:80:7a:bf:6d:a0:37 BSSID:e6:95:6e:4b:3f:15 SA:e4:95:6e:4b:3f:14 Data IV:3aaaa Pad 0 KeyID 0
12:58:06.396551 2846811179us tsft 24.0 Mb/s 5180 MHz 11a -72dBm signal -72dBm signal antenna 0 -73dBm signal antenna 2 RA:e6:95:6e:4b:3f:15 TA:80:7a:bf:6d:a0:37 Request-To-Send
12:58:06.396600 2846811289us tsft 5180 MHz 11a -72dBm signal User 0 MCS 3 BCC FEC 80 MHz short GI -72dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e4:95:6e:4b:3f:14 LLC, dsap SNAP (0xaa) Individual, ssap SNAP (0xaa) Command, ctrl 0x03: oui Ethernet (0x000000), ethertype IPv4 (0x0800), length 40: 192.168.9.137.39329 > 47.97.127.178.443: Flags [.], ack 10550, win 454, length 0
12:58:06.396835 2846811605us tsft 24.0 Mb/s 5180 MHz 11a -73dBm signal -73dBm signal antenna 0 -73dBm signal antenna 2 RA:e6:95:6e:4b:3f:15 TA:80:7a:bf:6d:a0:37 Request-To-Send
12:58:06.396871 2846811716us tsft 5180 MHz 11a -72dBm signal User 0 MCS 3 BCC FEC 80 MHz short GI -72dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e4:95:6e:4b:3f:14 LLC, dsap SNAP (0xaa) Individual, ssap SNAP (0xaa) Command, ctrl 0x03: oui Ethernet (0x000000), ethertype IPv4 (0x0800), length 40: 192.168.9.137.39329 > 47.97.127.178.443: Flags [.], ack 11015, win 465, length 0
12:58:06.603952 2847018805us tsft 24.0 Mb/s 5180 MHz 11a -70dBm signal -70dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:15
12:58:06.760307 2847175179us tsft 24.0 Mb/s 5180 MHz 11a -69dBm signal -69dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:15
12:58:06.692555 6.0 Mb/s [bit 15] DA:80:7a:bf:6d:a0:37 BSSID:e6:95:6e:4b:3f:15 SA:e4:95:6e:4b:3f:14 Data IV:3aaaa Pad 0 KeyID 0
12:58:06.966700 2847381563us tsft 24.0 Mb/s 5180 MHz 11a -71dBm signal -71dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:15
12:58:09.219358 2849634177us tsft 24.0 Mb/s 5180 MHz 11a -65dBm signal -65dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:15
12:58:09.079020 6.0 Mb/s [bit 15] DA:80:7a:bf:6d:a0:37 BSSID:e6:95:6e:4b:3f:15 SA:e4:95:6e:4b:3f:14 Data IV:3aaaa Pad 0 KeyID 0
12:58:09.221624 2849636465us tsft 24.0 Mb/s 5180 MHz 11a -70dBm signal -70dBm signal antenna 0 -73dBm signal antenna 2 RA:e6:95:6e:4b:3f:15 TA:80:7a:bf:6d:a0:37 Request-To-Send
12:58:09.221742 2849636574us tsft 5180 MHz 11a -70dBm signal User 0 MCS 3 BCC FEC 80 MHz short GI -70dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e4:95:6e:4b:3f:14 LLC, dsap SNAP (0xaa) Individual, ssap SNAP (0xaa) Command, ctrl 0x03: oui Ethernet (0x000000), ethertype IPv4 (0x0800), length 52: 192.168.9.137.33787 > 104.80.224.79.443: Flags [.], ack 2, win 343, options [nop,nop,TS val 229832258 ecr 3221129800], length 0
12:58:09.425759 2849840584us tsft 24.0 Mb/s 5180 MHz 11a -68dBm signal -68dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:15
12:58:11.472151 2851886955us tsft 24.0 Mb/s 5180 MHz 11a -64dBm signal -64dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:15
12:58:11.472419 6.0 Mb/s [bit 15] DA:80:7a:bf:6d:a0:37 BSSID:e6:95:6e:4b:3f:15 SA:e4:95:6e:4b:3f:14 Data IV:3aaaa Pad 0 KeyID 0
12:58:11.472559 2851887379us tsft 24.0 Mb/s 5180 MHz 11a -72dBm signal -72dBm signal antenna 0 -73dBm signal antenna 2 RA:e6:95:6e:4b:3f:15 TA:80:7a:bf:6d:a0:37 Request-To-Send
^C5239 packets captured
5244 packets received by filter
0 packets dropped by kernel
real 0m 49.66s
user 0m 0.38s
sys 0m 0.13s
And here is the result from the 2.4GHz interface, which should not hear these frames:
root@GL-AR750S:~# time tcpdump -ne -y ieee802_11_radio -i wlan1-1 | grep "80:7a:bf:6d:a0:37"
tcpdump: data link type ieee802_11_radio
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan1-1, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 262144 bytes
12:57:58.926931 170343951982us tsft 1.0 Mb/s 2412 MHz 11b -72dBm signal -71dBm signal antenna 0 -73dBm signal antenna 1 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:80:7a:bf:6d:a0:37 Probe Request () [1.0 2.0 5.5 11.0 Mbit]
12:57:58.929231 170343953162us tsft 1.0 Mb/s 2412 MHz 11b -29dBm signal -29dBm signal antenna 0 -46dBm signal antenna 1 BSSID:00:22:2d:80:1f:30 DA:80:7a:bf:6d:a0:37 SA:00:22:2d:80:1f:30 Probe Response (MBWCL711) [1.0* 2.0* 5.5* 11.0* 9.0 18.0 36.0 54.0 Mbit] CH: 1, PRIVACY
12:57:58.948179 170343973244us tsft 1.0 Mb/s 2412 MHz 11b -68dBm signal -70dBm signal antenna 0 -75dBm signal antenna 1 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:80:7a:bf:6d:a0:37 Probe Request () [1.0 2.0 5.5 11.0 Mbit]
12:57:58.958762 170343982714us tsft 1.0 Mb/s 2412 MHz 11b -34dBm signal -36dBm signal antenna 0 -40dBm signal antenna 1 BSSID:00:22:2d:80:1f:30 DA:80:7a:bf:6d:a0:37 SA:00:22:2d:80:1f:30 Probe Response (MBWCL711) [1.0* 2.0* 5.5* 11.0* 9.0 18.0 36.0 54.0 Mbit] CH: 1, PRIVACY
12:57:58.964932 170343987738us tsft 1.0 Mb/s 2412 MHz 11b -59dBm signal -60dBm signal antenna 0 -66dBm signal antenna 1 BSSID:ac:22:0b:31:3b:48 DA:80:7a:bf:6d:a0:37 SA:ac:22:0b:31:3b:48 Probe Response (Research_AP3) [1.0* 2.0* 5.5* 11.0* 18.0 24.0 36.0 54.0 Mbit] CH: 1, PRIVACY
12:57:58.967503 170343991440us tsft 1.0 Mb/s 2412 MHz 11b -39dBm signal -43dBm signal antenna 0 -41dBm signal antenna 1 BSSID:00:22:2d:80:1f:30 DA:80:7a:bf:6d:a0:37 SA:00:22:2d:80:1f:30 Probe Response (MBWCL711) [1.0* 2.0* 5.5* 11.0* 9.0 18.0 36.0 54.0 Mbit] CH: 1, PRIVACY
12:57:58.977716 170344001573us tsft 1.0 Mb/s 2412 MHz 11b -74dBm signal -75dBm signal antenna 0 -81dBm signal antenna 1 BSSID:e8:8d:28:5b:da:17 DA:80:7a:bf:6d:a0:37 SA:e8:8d:28:5b:da:17 Probe Response (Software710) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1, PRIVACY
12:57:58.980366 170344004247us tsft 1.0 Mb/s 2412 MHz 11b -75dBm signal -76dBm signal antenna 0 -80dBm signal antenna 1 BSSID:e8:8d:28:5b:da:17 DA:80:7a:bf:6d:a0:37 SA:e8:8d:28:5b:da:17 Probe Response (Software710) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1, PRIVACY
12:57:58.982985 170344006866us tsft 1.0 Mb/s 2412 MHz 11b -76dBm signal -77dBm signal antenna 0 -81dBm signal antenna 1 BSSID:e8:8d:28:5b:da:17 DA:80:7a:bf:6d:a0:37 SA:e8:8d:28:5b:da:17 Probe Response (Software710) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1, PRIVACY
12:57:58.985580 170344009459us tsft 1.0 Mb/s 2412 MHz 11b -76dBm signal -77dBm signal antenna 0 -80dBm signal antenna 1 BSSID:e8:8d:28:5b:da:17 DA:80:7a:bf:6d:a0:37 SA:e8:8d:28:5b:da:17 Probe Response (Software710) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1, PRIVACY
12:57:58.988407 170344012271us tsft 1.0 Mb/s 2412 MHz 11b -75dBm signal -77dBm signal antenna 0 -79dBm signal antenna 1 BSSID:e8:8d:28:5b:da:17 DA:80:7a:bf:6d:a0:37 SA:e8:8d:28:5b:da:17 Probe Response (Software710) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1, PRIVACY
12:57:58.991497 170344015376us tsft 1.0 Mb/s 2412 MHz 11b -77dBm signal -78dBm signal antenna 0 -82dBm signal antenna 1 BSSID:e8:8d:28:5b:da:17 DA:80:7a:bf:6d:a0:37 SA:e8:8d:28:5b:da:17 Probe Response (Software710) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1, PRIVACY
12:57:59.000064 170344023930us tsft 1.0 Mb/s 2412 MHz 11b -77dBm signal -80dBm signal antenna 0 -80dBm signal antenna 1 BSSID:e8:8d:28:5b:da:17 DA:80:7a:bf:6d:a0:37 SA:e8:8d:28:5b:da:17 Probe Response (Software710) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1, PRIVACY
12:57:59.002687 170344026566us tsft 1.0 Mb/s 2412 MHz 11b -75dBm signal -76dBm signal antenna 0 -83dBm signal antenna 1 BSSID:e8:8d:28:5b:da:17 DA:80:7a:bf:6d:a0:37 SA:e8:8d:28:5b:da:17 Probe Response (Software710) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1, PRIVACY
12:57:59.005690 170344029570us tsft 1.0 Mb/s 2412 MHz 11b -74dBm signal -75dBm signal antenna 0 -82dBm signal antenna 1 BSSID:e8:8d:28:5b:da:17 DA:80:7a:bf:6d:a0:37 SA:e8:8d:28:5b:da:17 Probe Response (Software710) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1, PRIVACY
12:57:59.017925 170344041796us tsft 1.0 Mb/s 2412 MHz 11b -75dBm signal -76dBm signal antenna 0 -80dBm signal antenna 1 BSSID:e8:8d:28:5b:da:17 DA:80:7a:bf:6d:a0:37 SA:e8:8d:28:5b:da:17 Probe Response (Software710) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1, PRIVACY
^C40740 packets captured
40764 packets received by filter
0 packets dropped by kernel
real 0m 50.49s
user 0m 2.89s
sys 0m 0.79s
We can see that the frames this interface received are only Probe Response and Probe Request frames. The same thing happens in the reverse setup: the device associates on 2.4GHz (capture shown below) while we sniff on 5GHz.
13:06:56.917849 170881943093us tsft 11.0 Mb/s 2412 MHz 11b -58dBm signal -60dBm signal antenna 0 -61dBm signal antenna 1 CF +QoS BSSID:e6:95:6e:4b:3f:14 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:14
13:06:56.945032 170881970363us tsft short preamble 11.0 Mb/s 2412 MHz 11b -57dBm signal -60dBm signal antenna 0 -60dBm signal antenna 1 RA:e6:95:6e:4b:3f:14 TA:80:7a:bf:6d:a0:37 Request-To-Send
13:06:56.947912 170881973378us tsft short preamble 11.0 Mb/s 2412 MHz 11b -57dBm signal -61dBm signal antenna 0 -60dBm signal antenna 1 RA:e6:95:6e:4b:3f:14 TA:80:7a:bf:6d:a0:37 Request-To-Send
13:06:56.948732 170881974059us tsft short preamble 11.0 Mb/s 2412 MHz 11b -57dBm signal -61dBm signal antenna 0 -60dBm signal antenna 1 RA:e6:95:6e:4b:3f:14 TA:80:7a:bf:6d:a0:37 Request-To-Send
13:06:56.948770 170881974253us tsft 2412 MHz 11n -69dBm signal 81.0 Mb/s MCS 4 40 MHz long GI RX-STBC0 -69dBm signal antenna 0 -71dBm signal antenna 1 CF +QoS BSSID:e6:95:6e:4b:3f:14 SA:80:7a:bf:6d:a0:37 DA:e4:95:6e:4b:3f:14 Data IV:147 Pad 20 KeyID 0
13:06:57.013132 170882038478us tsft short preamble 11.0 Mb/s 2412 MHz 11b -55dBm signal -60dBm signal antenna 0 -57dBm signal antenna 1 RA:e6:95:6e:4b:3f:14 TA:80:7a:bf:6d:a0:37 Request-To-Send
13:06:57.016375 170882041627us tsft short preamble 11.0 Mb/s 2412 MHz 11b -56dBm signal -60dBm signal antenna 0 -58dBm signal antenna 1 RA:e6:95:6e:4b:3f:14 TA:80:7a:bf:6d:a0:37 Request-To-Send
13:06:57.016960 170882042297us tsft short preamble 11.0 Mb/s 2412 MHz 11b -57dBm signal -61dBm signal antenna 0 -59dBm signal antenna 1 RA:e6:95:6e:4b:3f:14 TA:80:7a:bf:6d:a0:37 Request-To-Send
13:06:57.016986 170882042420us tsft 2412 MHz 11n antenna 0 90.0 Mb/s MCS 4 40 MHz short GI RX-STBC0 CF +QoS BSSID:e6:95:6e:4b:3f:14 SA:80:7a:bf:6d:a0:37 DA:e4:95:6e:4b:3f:14 Data IV:148 Pad 20 KeyID 0
13:06:57.017161 170882042502us tsft 2412 MHz 11n -67dBm signal 81.0 Mb/s MCS 4 40 MHz long GI RX-STBC0 -69dBm signal antenna 0 -68dBm signal antenna 1 CF +QoS BSSID:e6:95:6e:4b:3f:14 SA:80:7a:bf:6d:a0:37 DA:e4:95:6e:4b:3f:14 Data IV:149 Pad 20 KeyID 0
13:06:57.017613 170882042872us tsft short preamble 11.0 Mb/s 2412 MHz 11b -57dBm signal -61dBm signal antenna 0 -59dBm signal antenna 1 RA:e6:95:6e:4b:3f:14 TA:80:7a:bf:6d:a0:37 Request-To-Send
13:06:57.018169 170882043511us tsft short preamble 11.0 Mb/s 2412 MHz 11b -57dBm signal -61dBm signal antenna 0 -59dBm signal antenna 1 RA:e6:95:6e:4b:3f:14 TA:80:7a:bf:6d:a0:37 Request-To-Send
13:06:57.018820 170882044149us tsft short preamble 11.0 Mb/s 2412 MHz 11b -56dBm signal -60dBm signal antenna 0 -59dBm signal antenna 1 RA:e6:95:6e:4b:3f:14 TA:80:7a:bf:6d:a0:37 Request-To-Send
13:06:57.018848 170882044346us tsft 2412 MHz 11n -68dBm signal 81.0 Mb/s MCS 4 40 MHz long GI RX-STBC0 -70dBm signal antenna 0 -69dBm signal antenna 1 CF +QoS BSSID:e6:95:6e:4b:3f:14 SA:80:7a:bf:6d:a0:37 DA:e4:95:6e:4b:3f:14 Data IV:14a Pad 20 KeyID 0
13:06:57.231276 170882256516us tsft 11.0 Mb/s 2412 MHz 11b -58dBm signal -68dBm signal antenna 0 -58dBm signal antenna 1 CF +QoS BSSID:e6:95:6e:4b:3f:14 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:14
13:07:02.248873 170887274115us tsft 11.0 Mb/s 2412 MHz 11b -53dBm signal -55dBm signal antenna 0 -57dBm signal antenna 1 CF +QoS BSSID:e6:95:6e:4b:3f:14 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:14
13:07:02.252793 170887278111us tsft short preamble 11.0 Mb/s 2412 MHz 11b -51dBm signal -53dBm signal antenna 0 -55dBm signal antenna 1 RA:e6:95:6e:4b:3f:14 TA:80:7a:bf:6d:a0:37 Request-To-Send
13:07:02.252831 170887278303us tsft 2412 MHz 11n -62dBm signal 150.0 Mb/s MCS 7 40 MHz short GI RX-STBC0 -63dBm signal antenna 0 -66dBm signal antenna 1 CF +QoS BSSID:e6:95:6e:4b:3f:14 SA:80:7a:bf:6d:a0:37 DA:e4:95:6e:4b:3f:14 Data IV:14b Pad 20 KeyID 0
13:07:02.454191 170887479414us tsft 11.0 Mb/s 2412 MHz 11b -50dBm signal -53dBm signal antenna 0 -54dBm signal antenna 1 CF +QoS BSSID:e6:95:6e:4b:3f:14 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:14
^C35683 packets captured
35757 packets received by filter
0 packets dropped by kernel
real 1m 12.36s
user 0m 2.53s
sys 0m 0.58s
Below are the frames received on the 5GHz interface; again they are only Probe Response and Probe Request frames.
root@GL-AR750S:~# time tcpdump -ne -y ieee802_11_radio -i wlan0-1 | grep "80:7a:bf:6d:a0:37"
tcpdump: data link type ieee802_11_radio
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0-1, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 262144 bytes
13:06:06.202680 3326612368us tsft 6.0 Mb/s 5180 MHz 11a -62dBm signal -62dBm signal antenna 0 -73dBm signal antenna 2 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:80:7a:bf:6d:a0:37 Probe Request () [6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 Mbit]
13:06:06.203618 6.0 Mb/s [bit 15] BSSID:e6:95:6e:4b:3f:15 DA:80:7a:bf:6d:a0:37 SA:e6:95:6e:4b:3f:15 Probe Response (GL-AR750S-5G) [6.0* 9.0 12.0* 18.0 24.0* 36.0 48.0 54.0 Mbit] CH: 36, PRIVACY
13:06:06.222227 3326631936us tsft 6.0 Mb/s 5180 MHz 11a -60dBm signal -60dBm signal antenna 0 -73dBm signal antenna 2 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:80:7a:bf:6d:a0:37 Probe Request () [6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 Mbit]
13:06:06.223162 6.0 Mb/s [bit 15] BSSID:e6:95:6e:4b:3f:15 DA:80:7a:bf:6d:a0:37 SA:e6:95:6e:4b:3f:15 Probe Response (GL-AR750S-5G) [6.0* 9.0 12.0* 18.0 24.0* 36.0 48.0 54.0 Mbit] CH: 36, PRIVACY
13:06:56.277819 3376687217us tsft 6.0 Mb/s 5180 MHz 11a -62dBm signal -62dBm signal antenna 0 -73dBm signal antenna 2 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:80:7a:bf:6d:a0:37 Probe Request () [6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 Mbit]
13:06:56.278265 6.0 Mb/s [bit 15] BSSID:e6:95:6e:4b:3f:15 DA:80:7a:bf:6d:a0:37 SA:e6:95:6e:4b:3f:15 Probe Response (GL-AR750S-5G) [6.0* 9.0 12.0* 18.0 24.0* 36.0 48.0 54.0 Mbit] CH: 36, PRIVACY
13:06:56.297331 3376707153us tsft 6.0 Mb/s 5180 MHz 11a -63dBm signal -63dBm signal antenna 0 -73dBm signal antenna 2 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:80:7a:bf:6d:a0:37 Probe Request () [6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 Mbit]
13:06:56.298268 6.0 Mb/s [bit 15] BSSID:e6:95:6e:4b:3f:15 DA:80:7a:bf:6d:a0:37 SA:e6:95:6e:4b:3f:15 Probe Response (GL-AR750S-5G) [6.0* 9.0 12.0* 18.0 24.0* 36.0 48.0 54.0 Mbit] CH: 36, PRIVACY
^C889 packets captured
901 packets received by filter
0 packets dropped by kernel
real 1m 6.30s
user 0m 0.10s
sys 0m 0.04s
[Updated 2018/12/3] Besides Probe frames, we found another kind of frame that is overheard, shown below:
root@GL-AR750S:~# tcpdump -ne -y ieee802_11_radio -i wlan0-1 | grep c4:85:08:9e:41:ca
tcpdump: data link type ieee802_11_radio
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0-1, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 262144 bytes
14:40:53.860924 3791715165us tsft 6.0 Mb/s 5200 MHz 11a -65dBm signal -65dBm signal antenna 0 -73dBm signal antenna 2 DA:01:00:5e:7f:ff:fa BSSID:e6:95:6e:45:a0:d9 SA:c4:85:08:9e:41:ca Data IV:c3f3 Pad 20 KeyID 1
14:40:54.679489 3792534340us tsft 6.0 Mb/s 5200 MHz 11a -65dBm signal -65dBm signal antenna 0 -73dBm signal antenna 2 DA:01:00:5e:7f:ff:fa BSSID:e6:95:6e:45:a0:d9 SA:c4:85:08:9e:41:ca Data IV:c3fc Pad 20 KeyID 1
14:40:55.703192 3793558340us tsft 6.0 Mb/s 5200 MHz 11a -66dBm signal -66dBm signal antenna 0 -73dBm signal antenna 2 DA:01:00:5e:7f:ff:fa BSSID:e6:95:6e:45:a0:d9 SA:c4:85:08:9e:41:ca Data IV:c407 Pad 20 KeyID 1
14:40:56.727270 3794582389us tsft 6.0 Mb/s 5200 MHz 11a -65dBm signal -65dBm signal antenna 0 -73dBm signal antenna 2 DA:01:00:5e:7f:ff:fa BSSID:e6:95:6e:45:a0:d9 SA:c4:85:08:9e:41:ca Data IV:c412 Pad 20 KeyID 1
14:41:13.725938 3811580818us tsft 6.0 Mb/s 5200 MHz 11a -65dBm signal -65dBm signal antenna 0 -73dBm signal antenna 2 DA:ff:ff:ff:ff:ff:ff BSSID:e6:95:6e:45:a0:d9 SA:c4:85:08:9e:41:ca Data IV:c4bf Pad 20 KeyID 1
14:41:44.036897 3841891583us tsft 6.0 Mb/s 5200 MHz 11a -66dBm signal -66dBm signal antenna 0 -73dBm signal antenna 2 DA:ff:ff:ff:ff:ff:ff BSSID:e6:95:6e:45:a0:d9 SA:c4:85:08:9e:41:ca Data IV:c5ea Pad 20 KeyID 1
Here the target device's MAC address is c4:85:08:9e:41:ca and the sender's MAC address is e6:95:6e:45:a0:d9, which is the 5GHz (802.11ac) interface; the frequency in use, 5200 MHz (5.2 GHz), also matches the 802.11ac configuration, so we can be fairly sure these are indeed 802.11ac frames. Below is the interface information (the monitor interfaces are omitted).
root@GL-AR750S:~# iwinfo
wlan0 ESSID: "WiSDON-5G-824"
Access Point: E6:95:6E:45:A0:D9
Mode: Master Channel: 40 (5.200 GHz)
Tx-Power: 20 dBm Link Quality: unknown/70
Signal: unknown Noise: -96 dBm
Bit Rate: unknown
Encryption: mixed WPA/WPA2 PSK (CCMP)
Type: nl80211 HW Mode(s): 802.11nac
Hardware: 168C:0050 0000:0000 [Generic MAC80211]
TX power offset: unknown
Frequency offset: unknown
Supports VAPs: yes PHY name: phy0
wlan1 ESSID: "WiSDON-2.4G-824"
Access Point: E6:95:6E:45:A0:D8
Mode: Master Channel: 6 (2.437 GHz)
Tx-Power: 20 dBm Link Quality: unknown/70
Signal: unknown Noise: -85 dBm
Bit Rate: unknown
Encryption: mixed WPA/WPA2 PSK (CCMP)
Type: nl80211 HW Mode(s): 802.11bgn
Hardware: unknown [Generic MAC80211]
TX power offset: unknown
Frequency offset: unknown
Supports VAPs: yes PHY name: phy1
Next we check the frame format. All of these frames follow the DA: ~ BSSID: ~ SA: ~ layout, which means To DS = 0 and From DS = 1. In other words, the frame comes from outside the WLAN and may be a misdelivered frame; even though the receiver cannot receive it, it is still picked up by the 5GHz interface. We also see that the sniffed frames include no ACK frames and no uplink frames sent by the device, so this should be the result of misdelivered frames being overheard.
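As an added example (not part of the original write-up), the following Python script parses the text that tcpdump -ne -y ieee802_11_radio prints, as shown in the captures above: it classifies each line as a control, management or data frame, extracts the centre frequency and the combined RSSI, collects the RSSI of one station's frames (the grep-by-MAC step above, done in code), infers the To DS / From DS bits from the address order as in the check just made, and flags frames whose frequency lies outside the band of the interface that captured them. The sample lines are copied from the captures on this page; the function names and the band ranges are my own choices.

```python
import re

# Constructed sample lines in `tcpdump -ne -y ieee802_11_radio` format, taken from the
# captures above: a CTS, an uplink data frame, a beacon, a downlink multicast data frame
# and a data frame whose radiotap header carried no frequency/signal fields.
SAMPLE = [
    "18:00:21.406991 10748606476us tsft 24.0 Mb/s 2412 MHz 11g -69dB signal [bit 29] RA:00:22:2d:80:1f:30 Clear-To-Send",
    "18:00:21.349769 10748549498us tsft 2412 MHz 11g -70dB signal 26.0 Mb/s MCS 3 20 MHz lon GI RX-STBC0 [bit 20] "
    "CF +QoS BSSID:00:22:2d:80:1f:30 SA:94:e9:79:d0:11:63 DA:00:22:2d:80:1f:30 Data IV:efd8 Pad 20 KeyID 0",
    "18:00:21.460528 10748657838us tsft 1.0 Mb/s 2412 MHz 11b -76dB signal [bit 29] BSSID:00:22:2d:80:1f:30 "
    "DA:ff:ff:ff:ff:ff:ff SA:00:22:2d:80:1f:30 Beacon (MBWCL711) [1.0* 2.0* 5.5* 11.0* 9.0 18.0 36.0 54.0 Mbit] ESS CH: 1, PRIVACY",
    "14:40:53.860924 3791715165us tsft 6.0 Mb/s 5200 MHz 11a -65dBm signal -65dBm signal antenna 0 -73dBm signal antenna 2 "
    "DA:01:00:5e:7f:ff:fa BSSID:e6:95:6e:45:a0:d9 SA:c4:85:08:9e:41:ca Data IV:c3f3 Pad 20 KeyID 1",
    "12:58:06.394818 6.0 Mb/s [bit 15] DA:80:7a:bf:6d:a0:37 BSSID:e6:95:6e:4b:3f:15 SA:e4:95:6e:4b:3f:14 Data IV:3aaaa Pad 0 KeyID 0",
]

FREQ = re.compile(r"\b(\d{4}) MHz")                    # centre frequency, never the 20/40/80 MHz width
SIGNAL = re.compile(r"(-\d+)dBm? signal(?! antenna)")  # combined RSSI, not the per-antenna values
ADDR = re.compile(r"\b(RA|TA|SA|DA|BSSID):([0-9a-f:]{17})")
# Management subtype names as tcpdump prints them ("Authentication" also covers "DeAuthentication").
MGMT = ("Beacon", "Probe Request", "Probe Response", "Assoc", "Authentication", "Disassociation", "Action")
# tcpdump prints data-frame addresses in an order fixed by the To DS / From DS bits.
DS_BY_ORDER = {
    ("DA", "SA", "BSSID"): (0, 0),     # To DS=0, From DS=0: ad-hoc / direct
    ("BSSID", "SA", "DA"): (1, 0),     # To DS=1, From DS=0: station -> AP (uplink)
    ("DA", "BSSID", "SA"): (0, 1),     # To DS=0, From DS=1: AP -> station (downlink)
    ("RA", "TA", "DA", "SA"): (1, 1),  # both set: 4-address WDS frame
}


def parse_line(line):
    """Extract time, frequency, RSSI, frame kind, addresses and DS bits from one tcpdump line."""
    freq, sig, addrs = FREQ.search(line), SIGNAL.search(line), ADDR.findall(line)
    labels = tuple(label for label, _ in addrs)
    if labels and set(labels) <= {"RA", "TA"}:  # RTS/CTS/ACK/BA carry only RA/TA
        kind = "control"
    elif any(name in line for name in MGMT):
        kind = "management"
    else:
        kind = "data"                            # also QoS Null frames, which lack the word "Data"
    to_ds, from_ds = DS_BY_ORDER.get(labels, (None, None)) if kind == "data" else (None, None)
    return {"time": line.split()[0],
            "freq_mhz": int(freq.group(1)) if freq else None,
            "signal_dbm": int(sig.group(1)) if sig else None,
            "kind": kind, "addrs": dict(addrs), "to_ds": to_ds, "from_ds": from_ds}


def rssi_for_station(lines, mac):
    """RSSI of frames the station `mac` transmitted (SA on data frames, TA on control frames)."""
    return [r["signal_dbm"] for r in map(parse_line, lines)
            if mac in (r["addrs"].get("SA"), r["addrs"].get("TA")) and r["signal_dbm"] is not None]


def off_band_frames(lines, iface_band):
    """Frames whose radiotap frequency is outside the band ('2.4' or '5') of the capturing
    interface; lines without a frequency field are skipped, so inspect those separately."""
    lo, hi = (2400, 2500) if iface_band == "2.4" else (5000, 6000)
    return [r for r in map(parse_line, lines)
            if r["freq_mhz"] is not None and not lo <= r["freq_mhz"] <= hi]


if __name__ == "__main__":
    for rec in map(parse_line, SAMPLE):
        print(rec["time"], rec["kind"], rec["freq_mhz"], rec["signal_dbm"], rec["to_ds"], rec["from_ds"])
    print("uplink RSSI of 94:e9:79:d0:11:63:", rssi_for_station(SAMPLE, "94:e9:79:d0:11:63"))
    print("frames off the 5 GHz band:", len(off_band_frames(SAMPLE, "5")))
```

To use it on a real capture, feed it the lines of `tcpdump -ne -y ieee802_11_radio -i wlan0-1` (or the text dump of a saved file); lines that tcpdump prints without a frequency or signal field, like the "[bit 15]" lines above, come back with None in those fields rather than a wrong value.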