實驗: 虛擬監聽網卡並取得 RSSI

建立一張虛擬網卡, 並監聽空氣中的 WiFi 封包取得 RSSI 的數值

為了能夠監聽空氣中 WiFi 的無線封包，我們需要完成以下兩件事情:

1. 虛擬一張 monitor 模式的無線網卡

2. 安裝 tcpdump 來取得封包資訊

虛擬一張 monitor 模式的無線網卡

在 OpenWRT 中，網卡的設定在 /etc/config/wireless在這份文件中，如下所示。

config wifi-device 'radio0'
        	option type 'mac80211'
        	option path 'platform/qca953x_wmac'
        	option htmode 'HT20'
        	option hwmode '11ng'
        	option txpower '20'
        	option channel '1'

config wifi-iface
        	option device 'radio0'
        	option network 'lan'
        	option mode 'ap'
        	option ssid 'GL-AR300M-26b'
        	option encryption 'psk-mixed'
        	option key 'goodlife'
        	option wds '1'
        	option ifname 'wlan0'

config wifi-iface 'sta'
 		    option device 'radio0'
       	    option ifname 'wlan-sta'
        	option network 'wwan'
        	option mode 'sta'
       	    option ssid 'MBWCL711'
     	    option key '140.113.144.123'
        	option encryption 'psk2'

config wifi-iface
        	option device 'radio0'
        	option mode 'monitor'

在該文件中，首先會先定義網卡裝置 (wifi-device) 開始，在這裡，我們可以看到一些常用的無線網路設定如: 使用頻帶 (channel)、傳送功率 (txpower)、傳送協定 (hwmode) 等。

一張網卡裝置可以被定義為多種介面，舉例來說，這張無線網卡就已經設定為兩種不同的模式: AP 和 STA。 這是因為我們把該裝置 (作為STA) 連上實驗室的無線網路，取得網路連線，並利用其無線網路作為 WiFi AP連到Internet的網路。此時，網路運作就像是一個擴展器一樣。

為了能夠偷聽 WiFi 封包，我們額外虛擬了一張網卡，作為監聽模式 (monitor)。根據測試，若是要使用 tcpdump 的指令監聽封包，該網卡必須運作在 monitor 模式，STA 或是 AP 模式都不支援。

透過 iwinfo (對應於舊版的 iwconfig)，我們可以看到這些虛擬網卡在Linux系統下的狀態，主要是要查詢無線網卡在系統中的名稱。透過查詢，我們可以看到一共有三個不同的裝置: wlan-sta、wlan0、 wln0-1，對應於 STA 模式、AP 模式和 monitor 模式。

iwinfo (用以顯示目前無線網卡設定)

在更改完設定後，我們可以透過輸入指令wifi來重新設定無線網路

WiFi 除了 AP 與 user (STA) 模式之外，還有其他幾個較不常見的模式。而這些模式的支援與否通常取決於Wi-Fi網卡與其驅動程式，以下為一些簡單說明:

• Master mode (AP): 提供無線接取的模式

• Managed mode (station, user): 連結到AP的裝置

• Monitor mode: 接收所有封包，但不傳送任何封包

• Ad-Hoc、Secondary、Repeater…

tcpdump 安裝

tcpdump 是一套類似於 Wireshark 的軟體，可以用以抓取封包，並記錄下封包資訊。在 chaos calmer 以及之後的版本中，tcpdump 可以直接透過 opkg 安裝。

opkg update
opkg install tcpdump

考慮到之前的網卡設定，我們就可以透過 tcpdump 來監聽空氣中傳輸的封包，指令如下:

$ tcpdump -ne -y ieee802_11_radio -i wlan0-1

此指令會抓取所有聽到的封包，結果顯示於下圖。

tcpdump

若我們需要抓取某一個特殊裝置的封包，可以藉由grep指令來找到相對應的MAC位址的裝置。除了顯示監聽到的封包於螢幕上，我們也可以透過指令把看到的封包資訊存下來，指令如下:

$ tcpdump -ne -y ieee802_11_radio -i wlan0-1 –w capture_dump

其中，capture_dump 為檔案名稱，其格式為 TSFS 和 Wireshark 一致，因此存下來的檔案也可以用 Wireshark 打開進行進一步的分析。

Wireshark讀取結果

Wireshark 是一個免費開源的網路封包分析軟體，可以用來監聽有線 (Ethernet)、無線 (WiFi、bluetooth) 等封包。Wireshark 會按時間列出所收到的封包，並且提供過濾封包的功能。可以在此下載: https://www.wireshark.org/download.html

我們也提供一個在之前實驗時 tcpdump 下來的檔案，可以先用 Wireshark 打開來看看監聽到的封包格式。 在此下載:

2MB

capture_dump

Open

tcpdump紀錄檔案

tcpdump 的封包類型

觀察一下所擷取的封包，可以分成3類，第一種是 RTS、CTS 等控制訊號封包，所含有的資訊包括 RSSI、傳送速率、使用頻帶、MAC位址等，如下所示:

18:00:21.406991 10748606476us tsft 24.0 Mb/s 2412 MHz 11g -69dB signal [bit 29]
11:63 TA:00:22:2d:80:1f:30 Request-To-Send
18:00:21.406991 10748606476us tsft 24.0 Mb/s 2412 MHz 11g -69dB signal [bit 29] RA:00:22:2d:80:1f:30 Clear-To-Send
18:00:21.407000 10748606615us tsft 24.0 Mb/s 2412 MHz 11g -69dB signal [bit 29] RA:00:22:2d:80:1f:30 BA
18:00:21.407010 10748606807us tsft 12.0 Mb/s 2412 MHz 11g -76dB signal [bit 29] RA:e4:95:6e:44:82:6b Acknowledgment

第二種是一般資料的封包，在此類封包中，可以看到 RSSI、MCS mode、使用頻帶、傳輸頻寬、MAC位址等，至於 antenna 0 則是對應至真實傳送的天線編號。

18:00:21.349734 10748546713us tsft 2412 MHz 11g antenna 0 26.0 Mb/s MCS 3 20 MHz lon GI RX-STBC0 [bit 20] CF +QoS BSSID:00:22:2d:80:1f:30 SA:94:e9:79:d0:11:63 DA:00:22:2d:80:1f:30 Data IV:efd7 Pad 20 KeyID 0
18:00:21.349769 10748549498us tsft 2412 MHz 11g -70dB signal 26.0 Mb/s MCS 3 20 MHz lon GI RX-STBC0 [bit 20] CF +QoS BSSID:00:22:2d:80:1f:30 SA:94:e9:79:d0:11:63 DA:00:22:2d:80:1f:30 Data IV:efd8 Pad 20 KeyID 0

最後一種是 AP 所發出的 Beacon 封包，可以看到此 AP 的無線網路設定，包括使用的 SSID、傳送協定、支援的傳輸速率以及加密的方式。

18:00:21.460528 10748657838us tsft 1.0 Mb/s 2412 MHz 11b -76dB signal [bit 29] BSSID:00:22:2d:80:1f:30 DA:ff:ff:ff:ff:ff:ff SA:00:22:2d:80:1f:30 Beacon (MBWCL711) [1.0* 2.0* 5.5* 11.0* 9.0 18.0 36.0 54.0 Mbit] ESS CH: 1, PRIVACY

監聽封包的驗證

在後續的實驗中，我們發現有些時候當裝置使用 2.4GHz 傳輸時，5GHz 的網卡也會收到封包的 RSSI 數值，這樣的結果和我們的經驗不符合，因為 2.4GHz 和 5GHz 的頻率不同，理論上不同的網卡應該無法聽到對應頻率之外的封包。為了驗證這個現象，我們建立一個測試環境，將裝置和 WiFi AP 在 5GHz 上連線，並同時在 WiFi AP 上的 5GHz 和 2.4GHz 網卡上進行封包監聽，以下為 5GHz 網卡監聽約 1 分鐘後的結果 (只擷取最後的部分):

12:58:06.267229 2846682110us tsft 5180 MHz 11a -78dBm signal User 0 MCS 3 BCC FEC 80 MHz short GI -78dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e4:95:6e:4b:3f:14 LLC, dsap SNAP (0xaa) Individual, ssap SNAP (0xaa) Command, ctrl 0x03: oui Ethernet (0x000000), ethertype IPv4 (0x0800), length 135: 192.168.9.137.39329 > 47.97.127.178.443: Flags [P.], seq 1163:1258, ack 9240, win 443, length 95
12:58:06.267461 2846682279us tsft 24.0 Mb/s 5180 MHz 11a -71dBm signal -71dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:15
12:58:06.394818 6.0 Mb/s [bit 15] DA:80:7a:bf:6d:a0:37 BSSID:e6:95:6e:4b:3f:15 SA:e4:95:6e:4b:3f:14 Data IV:3aaaa Pad 0 KeyID 0
12:58:06.395007 6.0 Mb/s [bit 15] DA:80:7a:bf:6d:a0:37 BSSID:e6:95:6e:4b:3f:15 SA:e4:95:6e:4b:3f:14 Data IV:3aaaa Pad 0 KeyID 0
12:58:06.396551 2846811179us tsft 24.0 Mb/s 5180 MHz 11a -72dBm signal -72dBm signal antenna 0 -73dBm signal antenna 2 RA:e6:95:6e:4b:3f:15 TA:80:7a:bf:6d:a0:37 Request-To-Send
12:58:06.396600 2846811289us tsft 5180 MHz 11a -72dBm signal User 0 MCS 3 BCC FEC 80 MHz short GI -72dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e4:95:6e:4b:3f:14 LLC, dsap SNAP (0xaa) Individual, ssap SNAP (0xaa) Command, ctrl 0x03: oui Ethernet (0x000000), ethertype IPv4 (0x0800), length 40: 192.168.9.137.39329 > 47.97.127.178.443: Flags [.], ack 10550, win 454, length 0
12:58:06.396835 2846811605us tsft 24.0 Mb/s 5180 MHz 11a -73dBm signal -73dBm signal antenna 0 -73dBm signal antenna 2 RA:e6:95:6e:4b:3f:15 TA:80:7a:bf:6d:a0:37 Request-To-Send
12:58:06.396871 2846811716us tsft 5180 MHz 11a -72dBm signal User 0 MCS 3 BCC FEC 80 MHz short GI -72dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e4:95:6e:4b:3f:14 LLC, dsap SNAP (0xaa) Individual, ssap SNAP (0xaa) Command, ctrl 0x03: oui Ethernet (0x000000), ethertype IPv4 (0x0800), length 40: 192.168.9.137.39329 > 47.97.127.178.443: Flags [.], ack 11015, win 465, length 0
12:58:06.603952 2847018805us tsft 24.0 Mb/s 5180 MHz 11a -70dBm signal -70dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:15
12:58:06.760307 2847175179us tsft 24.0 Mb/s 5180 MHz 11a -69dBm signal -69dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:15
12:58:06.692555 6.0 Mb/s [bit 15] DA:80:7a:bf:6d:a0:37 BSSID:e6:95:6e:4b:3f:15 SA:e4:95:6e:4b:3f:14 Data IV:3aaaa Pad 0 KeyID 0
12:58:06.966700 2847381563us tsft 24.0 Mb/s 5180 MHz 11a -71dBm signal -71dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:15
12:58:09.219358 2849634177us tsft 24.0 Mb/s 5180 MHz 11a -65dBm signal -65dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:15
12:58:09.079020 6.0 Mb/s [bit 15] DA:80:7a:bf:6d:a0:37 BSSID:e6:95:6e:4b:3f:15 SA:e4:95:6e:4b:3f:14 Data IV:3aaaa Pad 0 KeyID 0
12:58:09.221624 2849636465us tsft 24.0 Mb/s 5180 MHz 11a -70dBm signal -70dBm signal antenna 0 -73dBm signal antenna 2 RA:e6:95:6e:4b:3f:15 TA:80:7a:bf:6d:a0:37 Request-To-Send
12:58:09.221742 2849636574us tsft 5180 MHz 11a -70dBm signal User 0 MCS 3 BCC FEC 80 MHz short GI -70dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e4:95:6e:4b:3f:14 LLC, dsap SNAP (0xaa) Individual, ssap SNAP (0xaa) Command, ctrl 0x03: oui Ethernet (0x000000), ethertype IPv4 (0x0800), length 52: 192.168.9.137.33787 > 104.80.224.79.443: Flags [.], ack 2, win 343, options [nop,nop,TS val 229832258 ecr 3221129800], length 0
12:58:09.425759 2849840584us tsft 24.0 Mb/s 5180 MHz 11a -68dBm signal -68dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:15
12:58:11.472151 2851886955us tsft 24.0 Mb/s 5180 MHz 11a -64dBm signal -64dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:15
12:58:11.472419 6.0 Mb/s [bit 15] DA:80:7a:bf:6d:a0:37 BSSID:e6:95:6e:4b:3f:15 SA:e4:95:6e:4b:3f:14 Data IV:3aaaa Pad 0 KeyID 0
12:58:11.472559 2851887379us tsft 24.0 Mb/s 5180 MHz 11a -72dBm signal -72dBm signal antenna 0 -73dBm signal antenna 2 RA:e6:95:6e:4b:3f:15 TA:80:7a:bf:6d:a0:37 Request-To-Send
^C5239 packets captured
5244 packets received by filter
0 packets dropped by kernel
real    0m 49.66s
user    0m 0.38s
sys     0m 0.13s

以下為不應該聽到封包的 2.4GHz 網卡的結果:

root@GL-AR750S:~# time tcpdump -ne -y ieee802_11_radio -i wlan1-1 | grep "80:7a:bf:6d:a0:37"
tcpdump: data link type ieee802_11_radio
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan1-1, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 262144 bytes
12:57:58.926931 170343951982us tsft 1.0 Mb/s 2412 MHz 11b -72dBm signal -71dBm signal antenna 0 -73dBm signal antenna 1 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:80:7a:bf:6d:a0:37 Probe Request () [1.0 2.0 5.5 11.0 Mbit]
12:57:58.929231 170343953162us tsft 1.0 Mb/s 2412 MHz 11b -29dBm signal -29dBm signal antenna 0 -46dBm signal antenna 1 BSSID:00:22:2d:80:1f:30 DA:80:7a:bf:6d:a0:37 SA:00:22:2d:80:1f:30 Probe Response (MBWCL711) [1.0* 2.0* 5.5* 11.0* 9.0 18.0 36.0 54.0 Mbit] CH: 1, PRIVACY
12:57:58.948179 170343973244us tsft 1.0 Mb/s 2412 MHz 11b -68dBm signal -70dBm signal antenna 0 -75dBm signal antenna 1 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:80:7a:bf:6d:a0:37 Probe Request () [1.0 2.0 5.5 11.0 Mbit]
12:57:58.958762 170343982714us tsft 1.0 Mb/s 2412 MHz 11b -34dBm signal -36dBm signal antenna 0 -40dBm signal antenna 1 BSSID:00:22:2d:80:1f:30 DA:80:7a:bf:6d:a0:37 SA:00:22:2d:80:1f:30 Probe Response (MBWCL711) [1.0* 2.0* 5.5* 11.0* 9.0 18.0 36.0 54.0 Mbit] CH: 1, PRIVACY
12:57:58.964932 170343987738us tsft 1.0 Mb/s 2412 MHz 11b -59dBm signal -60dBm signal antenna 0 -66dBm signal antenna 1 BSSID:ac:22:0b:31:3b:48 DA:80:7a:bf:6d:a0:37 SA:ac:22:0b:31:3b:48 Probe Response (Research_AP3) [1.0* 2.0* 5.5* 11.0* 18.0 24.0 36.0 54.0 Mbit] CH: 1, PRIVACY
12:57:58.967503 170343991440us tsft 1.0 Mb/s 2412 MHz 11b -39dBm signal -43dBm signal antenna 0 -41dBm signal antenna 1 BSSID:00:22:2d:80:1f:30 DA:80:7a:bf:6d:a0:37 SA:00:22:2d:80:1f:30 Probe Response (MBWCL711) [1.0* 2.0* 5.5* 11.0* 9.0 18.0 36.0 54.0 Mbit] CH: 1, PRIVACY
12:57:58.977716 170344001573us tsft 1.0 Mb/s 2412 MHz 11b -74dBm signal -75dBm signal antenna 0 -81dBm signal antenna 1 BSSID:e8:8d:28:5b:da:17 DA:80:7a:bf:6d:a0:37 SA:e8:8d:28:5b:da:17 Probe Response (Software710) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1, PRIVACY
12:57:58.980366 170344004247us tsft 1.0 Mb/s 2412 MHz 11b -75dBm signal -76dBm signal antenna 0 -80dBm signal antenna 1 BSSID:e8:8d:28:5b:da:17 DA:80:7a:bf:6d:a0:37 SA:e8:8d:28:5b:da:17 Probe Response (Software710) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1, PRIVACY
12:57:58.982985 170344006866us tsft 1.0 Mb/s 2412 MHz 11b -76dBm signal -77dBm signal antenna 0 -81dBm signal antenna 1 BSSID:e8:8d:28:5b:da:17 DA:80:7a:bf:6d:a0:37 SA:e8:8d:28:5b:da:17 Probe Response (Software710) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1, PRIVACY
12:57:58.985580 170344009459us tsft 1.0 Mb/s 2412 MHz 11b -76dBm signal -77dBm signal antenna 0 -80dBm signal antenna 1 BSSID:e8:8d:28:5b:da:17 DA:80:7a:bf:6d:a0:37 SA:e8:8d:28:5b:da:17 Probe Response (Software710) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1, PRIVACY
12:57:58.988407 170344012271us tsft 1.0 Mb/s 2412 MHz 11b -75dBm signal -77dBm signal antenna 0 -79dBm signal antenna 1 BSSID:e8:8d:28:5b:da:17 DA:80:7a:bf:6d:a0:37 SA:e8:8d:28:5b:da:17 Probe Response (Software710) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1, PRIVACY
12:57:58.991497 170344015376us tsft 1.0 Mb/s 2412 MHz 11b -77dBm signal -78dBm signal antenna 0 -82dBm signal antenna 1 BSSID:e8:8d:28:5b:da:17 DA:80:7a:bf:6d:a0:37 SA:e8:8d:28:5b:da:17 Probe Response (Software710) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1, PRIVACY
12:57:59.000064 170344023930us tsft 1.0 Mb/s 2412 MHz 11b -77dBm signal -80dBm signal antenna 0 -80dBm signal antenna 1 BSSID:e8:8d:28:5b:da:17 DA:80:7a:bf:6d:a0:37 SA:e8:8d:28:5b:da:17 Probe Response (Software710) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1, PRIVACY
12:57:59.002687 170344026566us tsft 1.0 Mb/s 2412 MHz 11b -75dBm signal -76dBm signal antenna 0 -83dBm signal antenna 1 BSSID:e8:8d:28:5b:da:17 DA:80:7a:bf:6d:a0:37 SA:e8:8d:28:5b:da:17 Probe Response (Software710) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1, PRIVACY
12:57:59.005690 170344029570us tsft 1.0 Mb/s 2412 MHz 11b -74dBm signal -75dBm signal antenna 0 -82dBm signal antenna 1 BSSID:e8:8d:28:5b:da:17 DA:80:7a:bf:6d:a0:37 SA:e8:8d:28:5b:da:17 Probe Response (Software710) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1, PRIVACY
12:57:59.017925 170344041796us tsft 1.0 Mb/s 2412 MHz 11b -75dBm signal -76dBm signal antenna 0 -80dBm signal antenna 1 BSSID:e8:8d:28:5b:da:17 DA:80:7a:bf:6d:a0:37 SA:e8:8d:28:5b:da:17 Probe Response (Software710) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1, PRIVACY
^C40740 packets captured
40764 packets received by filter
0 packets dropped by kernel
real    0m 50.49s
user    0m 2.89s
sys     0m 0.79s

我們可以看到此時網卡收到的封包都是 Probe Response 以及 Probe Request 兩種封包格式，相同的結果也會發生在我們使用 2.4GHz 上連線 (如以下擷取的內容)，並在 5GHz 上監聽的結果。

13:06:56.917849 170881943093us tsft 11.0 Mb/s 2412 MHz 11b -58dBm signal -60dBm signal antenna 0 -61dBm signal antenna 1 CF +QoS BSSID:e6:95:6e:4b:3f:14 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:14
13:06:56.945032 170881970363us tsft short preamble 11.0 Mb/s 2412 MHz 11b -57dBm signal -60dBm signal antenna 0 -60dBm signal antenna 1 RA:e6:95:6e:4b:3f:14 TA:80:7a:bf:6d:a0:37 Request-To-Send
13:06:56.947912 170881973378us tsft short preamble 11.0 Mb/s 2412 MHz 11b -57dBm signal -61dBm signal antenna 0 -60dBm signal antenna 1 RA:e6:95:6e:4b:3f:14 TA:80:7a:bf:6d:a0:37 Request-To-Send
13:06:56.948732 170881974059us tsft short preamble 11.0 Mb/s 2412 MHz 11b -57dBm signal -61dBm signal antenna 0 -60dBm signal antenna 1 RA:e6:95:6e:4b:3f:14 TA:80:7a:bf:6d:a0:37 Request-To-Send
13:06:56.948770 170881974253us tsft 2412 MHz 11n -69dBm signal 81.0 Mb/s MCS 4 40 MHz long GI RX-STBC0 -69dBm signal antenna 0 -71dBm signal antenna 1 CF +QoS BSSID:e6:95:6e:4b:3f:14 SA:80:7a:bf:6d:a0:37 DA:e4:95:6e:4b:3f:14 Data IV:147 Pad 20 KeyID 0
13:06:57.013132 170882038478us tsft short preamble 11.0 Mb/s 2412 MHz 11b -55dBm signal -60dBm signal antenna 0 -57dBm signal antenna 1 RA:e6:95:6e:4b:3f:14 TA:80:7a:bf:6d:a0:37 Request-To-Send
13:06:57.016375 170882041627us tsft short preamble 11.0 Mb/s 2412 MHz 11b -56dBm signal -60dBm signal antenna 0 -58dBm signal antenna 1 RA:e6:95:6e:4b:3f:14 TA:80:7a:bf:6d:a0:37 Request-To-Send
13:06:57.016960 170882042297us tsft short preamble 11.0 Mb/s 2412 MHz 11b -57dBm signal -61dBm signal antenna 0 -59dBm signal antenna 1 RA:e6:95:6e:4b:3f:14 TA:80:7a:bf:6d:a0:37 Request-To-Send
13:06:57.016986 170882042420us tsft 2412 MHz 11n antenna 0 90.0 Mb/s MCS 4 40 MHz short GI RX-STBC0 CF +QoS BSSID:e6:95:6e:4b:3f:14 SA:80:7a:bf:6d:a0:37 DA:e4:95:6e:4b:3f:14 Data IV:148 Pad 20 KeyID 0
13:06:57.017161 170882042502us tsft 2412 MHz 11n -67dBm signal 81.0 Mb/s MCS 4 40 MHz long GI RX-STBC0 -69dBm signal antenna 0 -68dBm signal antenna 1 CF +QoS BSSID:e6:95:6e:4b:3f:14 SA:80:7a:bf:6d:a0:37 DA:e4:95:6e:4b:3f:14 Data IV:149 Pad 20 KeyID 0
13:06:57.017613 170882042872us tsft short preamble 11.0 Mb/s 2412 MHz 11b -57dBm signal -61dBm signal antenna 0 -59dBm signal antenna 1 RA:e6:95:6e:4b:3f:14 TA:80:7a:bf:6d:a0:37 Request-To-Send
13:06:57.018169 170882043511us tsft short preamble 11.0 Mb/s 2412 MHz 11b -57dBm signal -61dBm signal antenna 0 -59dBm signal antenna 1 RA:e6:95:6e:4b:3f:14 TA:80:7a:bf:6d:a0:37 Request-To-Send
13:06:57.018820 170882044149us tsft short preamble 11.0 Mb/s 2412 MHz 11b -56dBm signal -60dBm signal antenna 0 -59dBm signal antenna 1 RA:e6:95:6e:4b:3f:14 TA:80:7a:bf:6d:a0:37 Request-To-Send
13:06:57.018848 170882044346us tsft 2412 MHz 11n -68dBm signal 81.0 Mb/s MCS 4 40 MHz long GI RX-STBC0 -70dBm signal antenna 0 -69dBm signal antenna 1 CF +QoS BSSID:e6:95:6e:4b:3f:14 SA:80:7a:bf:6d:a0:37 DA:e4:95:6e:4b:3f:14 Data IV:14a Pad 20 KeyID 0
13:06:57.231276 170882256516us tsft 11.0 Mb/s 2412 MHz 11b -58dBm signal -68dBm signal antenna 0 -58dBm signal antenna 1 CF +QoS BSSID:e6:95:6e:4b:3f:14 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:14
13:07:02.248873 170887274115us tsft 11.0 Mb/s 2412 MHz 11b -53dBm signal -55dBm signal antenna 0 -57dBm signal antenna 1 CF +QoS BSSID:e6:95:6e:4b:3f:14 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:14
13:07:02.252793 170887278111us tsft short preamble 11.0 Mb/s 2412 MHz 11b -51dBm signal -53dBm signal antenna 0 -55dBm signal antenna 1 RA:e6:95:6e:4b:3f:14 TA:80:7a:bf:6d:a0:37 Request-To-Send
13:07:02.252831 170887278303us tsft 2412 MHz 11n -62dBm signal 150.0 Mb/s MCS 7 40 MHz short GI RX-STBC0 -63dBm signal antenna 0 -66dBm signal antenna 1 CF +QoS BSSID:e6:95:6e:4b:3f:14 SA:80:7a:bf:6d:a0:37 DA:e4:95:6e:4b:3f:14 Data IV:14b Pad 20 KeyID 0
13:07:02.454191 170887479414us tsft 11.0 Mb/s 2412 MHz 11b -50dBm signal -53dBm signal antenna 0 -54dBm signal antenna 1 CF +QoS BSSID:e6:95:6e:4b:3f:14 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:14
^C35683 packets captured
35757 packets received by filter
0 packets dropped by kernel
real    1m 12.36s
user    0m 2.53s
sys     0m 0.58s

以下為在 5GHz 網卡上收到的封包數值，也是 Probe Response 以及 Probe Request 兩種封包格式。

root@GL-AR750S:~# time tcpdump -ne -y ieee802_11_radio -i wlan0-1 | grep "80:7a:bf:6d:a0:37"
tcpdump: data link type ieee802_11_radio
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0-1, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 262144 bytes
13:06:06.202680 3326612368us tsft 6.0 Mb/s 5180 MHz 11a -62dBm signal -62dBm signal antenna 0 -73dBm signal antenna 2 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:80:7a:bf:6d:a0:37 Probe Request () [6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 Mbit]
13:06:06.203618 6.0 Mb/s [bit 15] BSSID:e6:95:6e:4b:3f:15 DA:80:7a:bf:6d:a0:37 SA:e6:95:6e:4b:3f:15 Probe Response (GL-AR750S-5G) [6.0* 9.0 12.0* 18.0 24.0* 36.0 48.0 54.0 Mbit] CH: 36, PRIVACY
13:06:06.222227 3326631936us tsft 6.0 Mb/s 5180 MHz 11a -60dBm signal -60dBm signal antenna 0 -73dBm signal antenna 2 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:80:7a:bf:6d:a0:37 Probe Request () [6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 Mbit]
13:06:06.223162 6.0 Mb/s [bit 15] BSSID:e6:95:6e:4b:3f:15 DA:80:7a:bf:6d:a0:37 SA:e6:95:6e:4b:3f:15 Probe Response (GL-AR750S-5G) [6.0* 9.0 12.0* 18.0 24.0* 36.0 48.0 54.0 Mbit] CH: 36, PRIVACY
13:06:56.277819 3376687217us tsft 6.0 Mb/s 5180 MHz 11a -62dBm signal -62dBm signal antenna 0 -73dBm signal antenna 2 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:80:7a:bf:6d:a0:37 Probe Request () [6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 Mbit]
13:06:56.278265 6.0 Mb/s [bit 15] BSSID:e6:95:6e:4b:3f:15 DA:80:7a:bf:6d:a0:37 SA:e6:95:6e:4b:3f:15 Probe Response (GL-AR750S-5G) [6.0* 9.0 12.0* 18.0 24.0* 36.0 48.0 54.0 Mbit] CH: 36, PRIVACY
13:06:56.297331 3376707153us tsft 6.0 Mb/s 5180 MHz 11a -63dBm signal -63dBm signal antenna 0 -73dBm signal antenna 2 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:80:7a:bf:6d:a0:37 Probe Request () [6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 Mbit]
13:06:56.298268 6.0 Mb/s [bit 15] BSSID:e6:95:6e:4b:3f:15 DA:80:7a:bf:6d:a0:37 SA:e6:95:6e:4b:3f:15 Probe Response (GL-AR750S-5G) [6.0* 9.0 12.0* 18.0 24.0* 36.0 48.0 54.0 Mbit] CH: 36, PRIVACY
^C889 packets captured
901 packets received by filter
0 packets dropped by kernel
real    1m 6.30s
user    0m 0.10s
sys     0m 0.04s

[ 2018/12/3更新 ] 除了 Probe 封包之外，發現還有另一種側聽到的封包，如下所示:

root@GL-AR750S:~# tcpdump -ne -y ieee802_11_radio -i wlan0-1 | grep c4:85:08:9e:41:ca
tcpdump: data link type ieee802_11_radio
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0-1, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 262144 bytes
14:40:53.860924 3791715165us tsft 6.0 Mb/s 5200 MHz 11a -65dBm signal -65dBm signal antenna 0 -73dBm signal antenna 2 DA:01:00:5e:7f:ff:fa BSSID:e6:95:6e:45:a0:d9 SA:c4:85:08:9e:41:ca Data IV:c3f3 Pad 20 KeyID 1
14:40:54.679489 3792534340us tsft 6.0 Mb/s 5200 MHz 11a -65dBm signal -65dBm signal antenna 0 -73dBm signal antenna 2 DA:01:00:5e:7f:ff:fa BSSID:e6:95:6e:45:a0:d9 SA:c4:85:08:9e:41:ca Data IV:c3fc Pad 20 KeyID 1
14:40:55.703192 3793558340us tsft 6.0 Mb/s 5200 MHz 11a -66dBm signal -66dBm signal antenna 0 -73dBm signal antenna 2 DA:01:00:5e:7f:ff:fa BSSID:e6:95:6e:45:a0:d9 SA:c4:85:08:9e:41:ca Data IV:c407 Pad 20 KeyID 1
14:40:56.727270 3794582389us tsft 6.0 Mb/s 5200 MHz 11a -65dBm signal -65dBm signal antenna 0 -73dBm signal antenna 2 DA:01:00:5e:7f:ff:fa BSSID:e6:95:6e:45:a0:d9 SA:c4:85:08:9e:41:ca Data IV:c412 Pad 20 KeyID 1
14:41:13.725938 3811580818us tsft 6.0 Mb/s 5200 MHz 11a -65dBm signal -65dBm signal antenna 0 -73dBm signal antenna 2 DA:ff:ff:ff:ff:ff:ff BSSID:e6:95:6e:45:a0:d9 SA:c4:85:08:9e:41:ca Data IV:c4bf Pad 20 KeyID 1
14:41:44.036897 3841891583us tsft 6.0 Mb/s 5200 MHz 11a -66dBm signal -66dBm signal antenna 0 -73dBm signal antenna 2 DA:ff:ff:ff:ff:ff:ff BSSID:e6:95:6e:45:a0:d9 SA:c4:85:08:9e:41:ca Data IV:c5ea Pad 20 KeyID 1

其中，目標裝置的 MAC 位址為: c4:85:08:9e:41:ca，發送端的 MAC 位址為 e6:95:6e:45:a0:d9，為 5GHz (802.11ac) 的網卡，同時，所使用的頻帶為 5200 MHz (5.2 GHz) 也符合 802.11ac 的設定，應該可以確定這個封包的確是 802.11ac 的封包。以下是網卡的資訊 (刪去 monitor 網卡的的資訊)。

root@GL-AR750S:~# iwinfo
wlan0     ESSID: "WiSDON-5G-824"
          Access Point: E6:95:6E:45:A0:D9
          Mode: Master  Channel: 40 (5.200 GHz)
          Tx-Power: 20 dBm  Link Quality: unknown/70
          Signal: unknown  Noise: -96 dBm
          Bit Rate: unknown
          Encryption: mixed WPA/WPA2 PSK (CCMP)
          Type: nl80211  HW Mode(s): 802.11nac
          Hardware: 168C:0050 0000:0000 [Generic MAC80211]
          TX power offset: unknown
          Frequency offset: unknown
          Supports VAPs: yes  PHY name: phy0

wlan1     ESSID: "WiSDON-2.4G-824"
          Access Point: E6:95:6E:45:A0:D8
          Mode: Master  Channel: 6 (2.437 GHz)
          Tx-Power: 20 dBm  Link Quality: unknown/70
          Signal: unknown  Noise: -85 dBm
          Bit Rate: unknown
          Encryption: mixed WPA/WPA2 PSK (CCMP)
          Type: nl80211  HW Mode(s): 802.11bgn
          Hardware: unknown [Generic MAC80211]
          TX power offset: unknown
          Frequency offset: unknown
          Supports VAPs: yes  PHY name: phy1

接著我們來檢查此封包的格式，發現都是 DA: ~ BSSID: ~ SA: ~ 的格式，此時， To DS = 0，From DS = 1，換句話說，此封包來自 WLAN 網路之外，可能是一個被誤傳的封包，雖然接收端沒有接收能力，但也被 5GHz 的網卡監聽到。同時，我們也可以看到，此時的監聽到的封包中，不包含 ACK 的封包也不含從裝置端傳出的上行封包，因此，應該是誤送的封包被監聽到的結果。