# Experiment: Creating a Virtual Monitor-Mode Interface and Obtaining RSSI

To be able to listen to the Wi-Fi frames in the air, we need to do two things:

1. Create a virtual wireless interface in monitor mode
2. Install tcpdump to obtain packet information

## Creating a Virtual Monitor-Mode Wireless Interface

In OpenWrt, the wireless interface configuration lives in `/etc/config/wireless`. The contents of that file look like this:

```
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/qca953x_wmac'
	option htmode 'HT20'
	option hwmode '11ng'
	option txpower '20'
	option channel '1'

config wifi-iface
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'GL-AR300M-26b'
	option encryption 'psk-mixed'
	option key 'goodlife'
	option wds '1'
	option ifname 'wlan0'

config wifi-iface 'sta'
	option device 'radio0'
	option ifname 'wlan-sta'
	option network 'wwan'
	option mode 'sta'
	option ssid 'MBWCL711'
	option key '140.113.144.123'
	option encryption 'psk2'

config wifi-iface
	option device 'radio0'
	option mode 'monitor'
```

The file starts by defining the radio device (wifi-device). Here we can see some of the common wireless settings, such as the channel, the transmit power (txpower) and the transmission standard (hwmode).

One radio device can be defined as several interfaces. For example, this wireless card has already been configured in two different modes: AP and STA. This is because we connect the device (as a STA) to the lab's wireless network to obtain connectivity, and then use that wireless link as the network through which the device's own Wi-Fi AP reaches the Internet. The network then behaves like a range extender.

To be able to overhear Wi-Fi frames we add one more virtual interface, running in monitor mode. According to our tests, the interface must be operating in monitor mode for tcpdump to capture frames; neither STA nor AP mode supports this.

With iwinfo (the counterpart of the older iwconfig) we can see the state of these virtual interfaces under Linux; mainly we want to find the names the system has given the wireless interfaces. The query shows three different interfaces: wlan-sta, wlan0 and wlan0-1, corresponding to STA mode, AP mode and monitor mode.

![iwinfo (shows the current wireless interface settings)](/files/-LNn0HjV5Z0tAD93Tqi7)

After changing the configuration, we can reload the wireless setup by running the command `wifi`.

{% hint style="info" %}
Besides AP and user (STA) mode, Wi-Fi has several other, less common modes. Whether they are supported usually depends on the Wi-Fi card and its driver. A brief summary:

* Master mode (AP): provides wireless access
* Managed mode (station, user): a device connected to an AP
* Monitor mode: receives all frames but transmits nothing
* Ad-Hoc, Secondary, Repeater, ...
{% endhint %}

## Installing tcpdump

tcpdump is a tool similar to Wireshark: it captures packets and records packet information. In Chaos Calmer and later releases, tcpdump can be installed directly through opkg.

```
opkg update
opkg install tcpdump
```

With the interface configuration above in place, we can use tcpdump to listen to the frames transmitted over the air with the following command:

```
$ tcpdump -ne -y ieee802_11_radio -i wlan0-1
```

This command captures every frame the interface hears; the result is shown in the figure below.

![tcpdump](/files/-LNn3z8qHn9D7Vx_bKyi)

If we need to capture the frames of one particular device, we can pipe the output through grep to find the lines matching that device's MAC address. Besides printing the captured frames on the screen, we can also save the captured frame information to a file with the following command:

```
$ tcpdump -ne -y ieee802_11_radio -i wlan0-1 -w capture_dump
```

Here `capture_dump` is the file name. Its format (TSFS) is the same one Wireshark uses, so the saved file can also be opened in Wireshark for further analysis.

![Result as read by Wireshark](/files/-LNn5JxYNq7KpR57pjxB)

{% hint style="info" %}
Wireshark is a free, open-source network packet analyser that can monitor wired (Ethernet) as well as wireless (Wi-Fi, Bluetooth) traffic. Wireshark lists the received packets in time order and provides packet filtering. It can be downloaded here: <https://www.wireshark.org/download.html>
{% endhint %}

We also provide a file captured with tcpdump during an earlier experiment; you can open it in Wireshark first to look at the format of the captured frames.\
Download it here:

{% file src="/files/-LNn7hIzod0QUF6-ZmHe" %}
tcpdump capture file
{% endfile %}

## Frame Types in the tcpdump Output

Looking at the captured frames, they fall into three categories. The first is control frames such as RTS and CTS; the information they carry includes the RSSI, the data rate, the channel frequency and the MAC addresses, as shown below:

```
18:00:21.406991 10748606476us tsft 24.0 Mb/s 2412 MHz 11g -69dB signal [bit 29] 11:63 TA:00:22:2d:80:1f:30 Request-To-Send
18:00:21.406991 10748606476us tsft 24.0 Mb/s 2412 MHz 11g -69dB signal [bit 29] RA:00:22:2d:80:1f:30 Clear-To-Send
18:00:21.407000 10748606615us tsft 24.0 Mb/s 2412 MHz 11g -69dB signal [bit 29] RA:00:22:2d:80:1f:30 BA
18:00:21.407010 10748606807us tsft 12.0 Mb/s 2412 MHz 11g -76dB signal [bit 29] RA:e4:95:6e:44:82:6b Acknowledgment
```

The second is ordinary data frames. In these we can see the RSSI, the MCS index, the channel frequency, the channel bandwidth and the MAC addresses; `antenna 0` corresponds to the number of the physical antenna used.

```
18:00:21.349734 10748546713us tsft 2412 MHz 11g antenna 0 26.0 Mb/s MCS 3 20 MHz lon GI RX-STBC0 [bit 20] CF +QoS BSSID:00:22:2d:80:1f:30 SA:94:e9:79:d0:11:63 DA:00:22:2d:80:1f:30 Data IV:efd7 Pad 20 KeyID 0
18:00:21.349769 10748549498us tsft 2412 MHz 11g -70dB signal 26.0 Mb/s MCS 3 20 MHz lon GI RX-STBC0 [bit 20] CF +QoS BSSID:00:22:2d:80:1f:30 SA:94:e9:79:d0:11:63 DA:00:22:2d:80:1f:30 Data IV:efd8 Pad 20 KeyID 0
```

The last is the Beacon frames sent by the AP. From them we can read the AP's wireless settings, including the SSID, the PHY standard, the supported data rates and the encryption in use.

```
18:00:21.460528 10748657838us tsft 1.0 Mb/s 2412 MHz 11b -76dB signal [bit 29] BSSID:00:22:2d:80:1f:30 DA:ff:ff:ff:ff:ff:ff SA:00:22:2d:80:1f:30 Beacon (MBWCL711) [1.0* 2.0* 5.5* 11.0* 9.0 18.0 36.0 54.0 Mbit] ESS CH: 1, PRIVACY
```
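As an added example (not part of the original lab notes), the Python script below parses tcpdump summary lines of the three kinds shown above into structured records and averages the RSSI per transmitter, which is the value this experiment is after. The field names, the frame-kind labels and the regular expressions are our own choices; the sample lines are copied from the output shown on this page, and the newer-tcpdump form (`-71dBm signal ... antenna 0`) is handled alongside the older `-69dB signal` form.

```python
import re
from statistics import mean

# Sample lines copied from the tcpdump output shown on this page (constructed test input);
# the final "^C" status line is there to show that non-frame lines are skipped.
SAMPLE = """\
18:00:21.406991 10748606476us tsft 24.0 Mb/s 2412 MHz 11g -69dB signal [bit 29] RA:00:22:2d:80:1f:30 Clear-To-Send
18:00:21.407010 10748606807us tsft 12.0 Mb/s 2412 MHz 11g -76dB signal [bit 29] RA:e4:95:6e:44:82:6b Acknowledgment
18:00:21.349734 10748546713us tsft 2412 MHz 11g antenna 0 26.0 Mb/s MCS 3 20 MHz lon GI RX-STBC0 [bit 20] CF +QoS BSSID:00:22:2d:80:1f:30 SA:94:e9:79:d0:11:63 DA:00:22:2d:80:1f:30 Data IV:efd7 Pad 20 KeyID 0
18:00:21.349769 10748549498us tsft 2412 MHz 11g -70dB signal 26.0 Mb/s MCS 3 20 MHz lon GI RX-STBC0 [bit 20] CF +QoS BSSID:00:22:2d:80:1f:30 SA:94:e9:79:d0:11:63 DA:00:22:2d:80:1f:30 Data IV:efd8 Pad 20 KeyID 0
18:00:21.460528 10748657838us tsft 1.0 Mb/s 2412 MHz 11b -76dB signal [bit 29] BSSID:00:22:2d:80:1f:30 DA:ff:ff:ff:ff:ff:ff SA:00:22:2d:80:1f:30 Beacon (MBWCL711) [1.0* 2.0* 5.5* 11.0* 9.0 18.0 36.0 54.0 Mbit] ESS CH: 1, PRIVACY
12:58:06.267461 2846682279us tsft 24.0 Mb/s 5180 MHz 11a -71dBm signal -71dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:15
^C6 packets captured
"""

# Fields printed by "tcpdump -ne -y ieee802_11_radio" (radiotap header + 802.11 summary).
TIME_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+)")
TSFT_RE = re.compile(r"(\d+)us tsft")
RATE_RE = re.compile(r"(\d+(?:\.\d+)?) Mb/s")
FREQ_RE = re.compile(r"\b(\d{4}) MHz")            # channel centre frequency (4 digits)
PHY_RE = re.compile(r"\b(11[abgn]|11ac)\b")
SIGNAL_RE = re.compile(r"(-\d+)dBm? signal(?: antenna (\d+))?")
MCS_RE = re.compile(r"\bMCS (\d+)")
BW_RE = re.compile(r"\b(20|40|80|160) MHz")       # channel width (2-3 digits)
ADDR_RE = re.compile(r"\b(RA|TA|SA|DA|BSSID):([0-9a-f]{2}(?::[0-9a-f]{2}){5})")
SSID_RE = re.compile(r"(?:Beacon|Probe Response) \(([^)]*)\)")

# Frame-kind markers, checked in order; the first match wins. Labels are our own.
KIND_MARKERS = [
    (re.compile(r"Request-To-Send"), "RTS"),
    (re.compile(r"Clear-To-Send"), "CTS"),
    (re.compile(r"Acknowledgment"), "ACK"),
    (re.compile(r"\bBA\b"), "BlockAck"),
    (re.compile(r"\bBeacon\b"), "Beacon"),
    (re.compile(r"Probe Request"), "ProbeReq"),
    (re.compile(r"Probe Response"), "ProbeResp"),
    (re.compile(r"\bData\b|\+QoS"), "Data"),
]


def parse_line(line):
    """Turn one tcpdump summary line into a dict of fields (None when a field is absent)."""
    def first(regex, conv=str):
        m = regex.search(line)
        return conv(m.group(1)) if m else None

    rec = {
        "time": first(TIME_RE),
        "tsft_us": first(TSFT_RE, int),
        "rate_mbps": first(RATE_RE, float),
        "freq_mhz": first(FREQ_RE, int),
        "phy": first(PHY_RE),
        "mcs": first(MCS_RE, int),
        "bw_mhz": first(BW_RE, int),
        "ssid": first(SSID_RE),
        "signal_dbm": None,   # combined RSSI from the radiotap header
        "antenna_dbm": {},    # per-antenna RSSI, when the driver reports it
        "addrs": {},          # label -> MAC, in the order tcpdump printed them
        "kind": "Other",
    }
    for dbm, antenna in SIGNAL_RE.findall(line):
        if antenna == "":
            rec["signal_dbm"] = int(dbm)
        else:
            rec["antenna_dbm"][int(antenna)] = int(dbm)
    for label, mac in ADDR_RE.findall(line):
        rec["addrs"][label] = mac
    for regex, kind in KIND_MARKERS:
        if regex.search(line):
            rec["kind"] = kind
            break
    return rec


def parse_capture(text):
    """Parse every frame line in a block of tcpdump output, skipping status lines."""
    return [parse_line(l) for l in text.splitlines() if TIME_RE.match(l)]


def summarize_rssi(records):
    """Group frames by transmitter (TA for control frames, otherwise SA) and average the RSSI."""
    per_tx = {}
    for rec in records:
        tx = rec["addrs"].get("TA") or rec["addrs"].get("SA")
        if tx is None:        # CTS and ACK carry only a receiver address
            continue
        entry = per_tx.setdefault(tx, {"frames": 0, "rssi": []})
        entry["frames"] += 1
        if rec["signal_dbm"] is not None:   # some data lines carry no signal field
            entry["rssi"].append(rec["signal_dbm"])
    return {
        tx: {"frames": e["frames"], "samples": len(e["rssi"]),
             "mean_dbm": round(mean(e["rssi"]), 1) if e["rssi"] else None}
        for tx, e in per_tx.items()
    }


if __name__ == "__main__":
    for tx, stats in summarize_rssi(parse_capture(SAMPLE)).items():
        print(tx, stats)
```

To run it on a live capture, pipe the same tcpdump command used above into the script and pass the text to `parse_capture`; frames that report no signal field are still counted but excluded from the mean.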

## Verifying the Captured Frames

In later experiments we found that sometimes, when a device was transmitting on 2.4 GHz, the 5 GHz interface also reported RSSI values for its frames. This does not match our expectations: 2.4 GHz and 5 GHz are different frequencies, so in theory an interface should not be able to hear frames outside its own band. To verify this phenomenon we set up a test environment in which the device and the Wi-Fi AP are connected on 5 GHz while we capture frames on both the 5 GHz and the 2.4 GHz interfaces of the AP at the same time. Below is the result of capturing on the 5 GHz interface for about one minute (only the final part is shown):

```
12:58:06.267229 2846682110us tsft 5180 MHz 11a -78dBm signal User 0 MCS 3 BCC FEC 80 MHz short GI -78dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e4:95:6e:4b:3f:14 LLC, dsap SNAP (0xaa) Individual, ssap SNAP (0xaa) Command, ctrl 0x03: oui Ethernet (0x000000), ethertype IPv4 (0x0800), length 135: 192.168.9.137.39329 > 47.97.127.178.443: Flags [P.], seq 1163:1258, ack 9240, win 443, length 95
12:58:06.267461 2846682279us tsft 24.0 Mb/s 5180 MHz 11a -71dBm signal -71dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:15
12:58:06.394818 6.0 Mb/s [bit 15] DA:80:7a:bf:6d:a0:37 BSSID:e6:95:6e:4b:3f:15 SA:e4:95:6e:4b:3f:14 Data IV:3aaaa Pad 0 KeyID 0
12:58:06.395007 6.0 Mb/s [bit 15] DA:80:7a:bf:6d:a0:37 BSSID:e6:95:6e:4b:3f:15 SA:e4:95:6e:4b:3f:14 Data IV:3aaaa Pad 0 KeyID 0
12:58:06.396551 2846811179us tsft 24.0 Mb/s 5180 MHz 11a -72dBm signal -72dBm signal antenna 0 -73dBm signal antenna 2 RA:e6:95:6e:4b:3f:15 TA:80:7a:bf:6d:a0:37 Request-To-Send
12:58:06.396600 2846811289us tsft 5180 MHz 11a -72dBm signal User 0 MCS 3 BCC FEC 80 MHz short GI -72dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e4:95:6e:4b:3f:14 LLC, dsap SNAP (0xaa) Individual, ssap SNAP (0xaa) Command, ctrl 0x03: oui Ethernet (0x000000), ethertype IPv4 (0x0800), length 40: 192.168.9.137.39329 > 47.97.127.178.443: Flags [.], ack 10550, win 454, length 0
12:58:06.396835 2846811605us tsft 24.0 Mb/s 5180 MHz 11a -73dBm signal -73dBm signal antenna 0 -73dBm signal antenna 2 RA:e6:95:6e:4b:3f:15 TA:80:7a:bf:6d:a0:37 Request-To-Send
12:58:06.396871 2846811716us tsft 5180 MHz 11a -72dBm signal User 0 MCS 3 BCC FEC 80 MHz short GI -72dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e4:95:6e:4b:3f:14 LLC, dsap SNAP (0xaa) Individual, ssap SNAP (0xaa) Command, ctrl 0x03: oui Ethernet (0x000000), ethertype IPv4 (0x0800), length 40: 192.168.9.137.39329 > 47.97.127.178.443: Flags [.], ack 11015, win 465, length 0
12:58:06.603952 2847018805us tsft 24.0 Mb/s 5180 MHz 11a -70dBm signal -70dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:15
12:58:06.760307 2847175179us tsft 24.0 Mb/s 5180 MHz 11a -69dBm signal -69dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:15
12:58:06.692555 6.0 Mb/s [bit 15] DA:80:7a:bf:6d:a0:37 BSSID:e6:95:6e:4b:3f:15 SA:e4:95:6e:4b:3f:14 Data IV:3aaaa Pad 0 KeyID 0
12:58:06.966700 2847381563us tsft 24.0 Mb/s 5180 MHz 11a -71dBm signal -71dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:15
12:58:09.219358 2849634177us tsft 24.0 Mb/s 5180 MHz 11a -65dBm signal -65dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:15
12:58:09.079020 6.0 Mb/s [bit 15] DA:80:7a:bf:6d:a0:37 BSSID:e6:95:6e:4b:3f:15 SA:e4:95:6e:4b:3f:14 Data IV:3aaaa Pad 0 KeyID 0
12:58:09.221624 2849636465us tsft 24.0 Mb/s 5180 MHz 11a -70dBm signal -70dBm signal antenna 0 -73dBm signal antenna 2 RA:e6:95:6e:4b:3f:15 TA:80:7a:bf:6d:a0:37 Request-To-Send
12:58:09.221742 2849636574us tsft 5180 MHz 11a -70dBm signal User 0 MCS 3 BCC FEC 80 MHz short GI -70dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e4:95:6e:4b:3f:14 LLC, dsap SNAP (0xaa) Individual, ssap SNAP (0xaa) Command, ctrl 0x03: oui Ethernet (0x000000), ethertype IPv4 (0x0800), length 52: 192.168.9.137.33787 > 104.80.224.79.443: Flags [.], ack 2, win 343, options [nop,nop,TS val 229832258 ecr 3221129800], length 0
12:58:09.425759 2849840584us tsft 24.0 Mb/s 5180 MHz 11a -68dBm signal -68dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:15
12:58:11.472151 2851886955us tsft 24.0 Mb/s 5180 MHz 11a -64dBm signal -64dBm signal antenna 0 -73dBm signal antenna 2 CF +QoS BSSID:e6:95:6e:4b:3f:15 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:15
12:58:11.472419 6.0 Mb/s [bit 15] DA:80:7a:bf:6d:a0:37 BSSID:e6:95:6e:4b:3f:15 SA:e4:95:6e:4b:3f:14 Data IV:3aaaa Pad 0 KeyID 0
12:58:11.472559 2851887379us tsft 24.0 Mb/s 5180 MHz 11a -72dBm signal -72dBm signal antenna 0 -73dBm signal antenna 2 RA:e6:95:6e:4b:3f:15 TA:80:7a:bf:6d:a0:37 Request-To-Send
^C5239 packets captured
5244 packets received by filter
0 packets dropped by kernel
real    0m 49.66s
user    0m 0.38s
sys     0m 0.13s
```

Below is the result from the 2.4 GHz interface, which should not have heard any frames:

```
root@GL-AR750S:~# time tcpdump -ne -y ieee802_11_radio -i wlan1-1 | grep "80:7a:bf:6d:a0:37"
tcpdump: data link type ieee802_11_radio
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan1-1, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 262144 bytes
12:57:58.926931 170343951982us tsft 1.0 Mb/s 2412 MHz 11b -72dBm signal -71dBm signal antenna 0 -73dBm signal antenna 1 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:80:7a:bf:6d:a0:37 Probe Request () [1.0 2.0 5.5 11.0 Mbit]
12:57:58.929231 170343953162us tsft 1.0 Mb/s 2412 MHz 11b -29dBm signal -29dBm signal antenna 0 -46dBm signal antenna 1 BSSID:00:22:2d:80:1f:30 DA:80:7a:bf:6d:a0:37 SA:00:22:2d:80:1f:30 Probe Response (MBWCL711) [1.0* 2.0* 5.5* 11.0* 9.0 18.0 36.0 54.0 Mbit] CH: 1, PRIVACY
12:57:58.948179 170343973244us tsft 1.0 Mb/s 2412 MHz 11b -68dBm signal -70dBm signal antenna 0 -75dBm signal antenna 1 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:80:7a:bf:6d:a0:37 Probe Request () [1.0 2.0 5.5 11.0 Mbit]
12:57:58.958762 170343982714us tsft 1.0 Mb/s 2412 MHz 11b -34dBm signal -36dBm signal antenna 0 -40dBm signal antenna 1 BSSID:00:22:2d:80:1f:30 DA:80:7a:bf:6d:a0:37 SA:00:22:2d:80:1f:30 Probe Response (MBWCL711) [1.0* 2.0* 5.5* 11.0* 9.0 18.0 36.0 54.0 Mbit] CH: 1, PRIVACY
12:57:58.964932 170343987738us tsft 1.0 Mb/s 2412 MHz 11b -59dBm signal -60dBm signal antenna 0 -66dBm signal antenna 1 BSSID:ac:22:0b:31:3b:48 DA:80:7a:bf:6d:a0:37 SA:ac:22:0b:31:3b:48 Probe Response (Research_AP3) [1.0* 2.0* 5.5* 11.0* 18.0 24.0 36.0 54.0 Mbit] CH: 1, PRIVACY
12:57:58.967503 170343991440us tsft 1.0 Mb/s 2412 MHz 11b -39dBm signal -43dBm signal antenna 0 -41dBm signal antenna 1 BSSID:00:22:2d:80:1f:30 DA:80:7a:bf:6d:a0:37 SA:00:22:2d:80:1f:30 Probe Response (MBWCL711) [1.0* 2.0* 5.5* 11.0* 9.0 18.0 36.0 54.0 Mbit] CH: 1, PRIVACY
12:57:58.977716 170344001573us tsft 1.0 Mb/s 2412 MHz 11b -74dBm signal -75dBm signal antenna 0 -81dBm signal antenna 1 BSSID:e8:8d:28:5b:da:17 DA:80:7a:bf:6d:a0:37 SA:e8:8d:28:5b:da:17 Probe Response (Software710) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1, PRIVACY
12:57:58.980366 170344004247us tsft 1.0 Mb/s 2412 MHz 11b -75dBm signal -76dBm signal antenna 0 -80dBm signal antenna 1 BSSID:e8:8d:28:5b:da:17 DA:80:7a:bf:6d:a0:37 SA:e8:8d:28:5b:da:17 Probe Response (Software710) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1, PRIVACY
12:57:58.982985 170344006866us tsft 1.0 Mb/s 2412 MHz 11b -76dBm signal -77dBm signal antenna 0 -81dBm signal antenna 1 BSSID:e8:8d:28:5b:da:17 DA:80:7a:bf:6d:a0:37 SA:e8:8d:28:5b:da:17 Probe Response (Software710) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1, PRIVACY
12:57:58.985580 170344009459us tsft 1.0 Mb/s 2412 MHz 11b -76dBm signal -77dBm signal antenna 0 -80dBm signal antenna 1 BSSID:e8:8d:28:5b:da:17 DA:80:7a:bf:6d:a0:37 SA:e8:8d:28:5b:da:17 Probe Response (Software710) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1, PRIVACY
12:57:58.988407 170344012271us tsft 1.0 Mb/s 2412 MHz 11b -75dBm signal -77dBm signal antenna 0 -79dBm signal antenna 1 BSSID:e8:8d:28:5b:da:17 DA:80:7a:bf:6d:a0:37 SA:e8:8d:28:5b:da:17 Probe Response (Software710) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1, PRIVACY
12:57:58.991497 170344015376us tsft 1.0 Mb/s 2412 MHz 11b -77dBm signal -78dBm signal antenna 0 -82dBm signal antenna 1 BSSID:e8:8d:28:5b:da:17 DA:80:7a:bf:6d:a0:37 SA:e8:8d:28:5b:da:17 Probe Response (Software710) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1, PRIVACY
12:57:59.000064 170344023930us tsft 1.0 Mb/s 2412 MHz 11b -77dBm signal -80dBm signal antenna 0 -80dBm signal antenna 1 BSSID:e8:8d:28:5b:da:17 DA:80:7a:bf:6d:a0:37 SA:e8:8d:28:5b:da:17 Probe Response (Software710) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1, PRIVACY
12:57:59.002687 170344026566us tsft 1.0 Mb/s 2412 MHz 11b -75dBm signal -76dBm signal antenna 0 -83dBm signal antenna 1 BSSID:e8:8d:28:5b:da:17 DA:80:7a:bf:6d:a0:37 SA:e8:8d:28:5b:da:17 Probe Response (Software710) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1, PRIVACY
12:57:59.005690 170344029570us tsft 1.0 Mb/s 2412 MHz 11b -74dBm signal -75dBm signal antenna 0 -82dBm signal antenna 1 BSSID:e8:8d:28:5b:da:17 DA:80:7a:bf:6d:a0:37 SA:e8:8d:28:5b:da:17 Probe Response (Software710) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1, PRIVACY
12:57:59.017925 170344041796us tsft 1.0 Mb/s 2412 MHz 11b -75dBm signal -76dBm signal antenna 0 -80dBm signal antenna 1 BSSID:e8:8d:28:5b:da:17 DA:80:7a:bf:6d:a0:37 SA:e8:8d:28:5b:da:17 Probe Response (Software710) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1, PRIVACY
^C40740 packets captured
40764 packets received by filter
0 packets dropped by kernel
real    0m 50.49s
user    0m 2.89s
sys     0m 0.79s
```

We can see that every frame this interface received is either a Probe Response or a Probe Request. The same result occurs in the reverse setup, connecting on 2.4 GHz (captured output below) and listening on 5 GHz.

```
13:06:56.917849 170881943093us tsft 11.0 Mb/s 2412 MHz 11b -58dBm signal -60dBm signal antenna 0 -61dBm signal antenna 1 CF +QoS BSSID:e6:95:6e:4b:3f:14 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:14
13:06:56.945032 170881970363us tsft short preamble 11.0 Mb/s 2412 MHz 11b -57dBm signal -60dBm signal antenna 0 -60dBm signal antenna 1 RA:e6:95:6e:4b:3f:14 TA:80:7a:bf:6d:a0:37 Request-To-Send
13:06:56.947912 170881973378us tsft short preamble 11.0 Mb/s 2412 MHz 11b -57dBm signal -61dBm signal antenna 0 -60dBm signal antenna 1 RA:e6:95:6e:4b:3f:14 TA:80:7a:bf:6d:a0:37 Request-To-Send
13:06:56.948732 170881974059us tsft short preamble 11.0 Mb/s 2412 MHz 11b -57dBm signal -61dBm signal antenna 0 -60dBm signal antenna 1 RA:e6:95:6e:4b:3f:14 TA:80:7a:bf:6d:a0:37 Request-To-Send
13:06:56.948770 170881974253us tsft 2412 MHz 11n -69dBm signal 81.0 Mb/s MCS 4 40 MHz long GI RX-STBC0 -69dBm signal antenna 0 -71dBm signal antenna 1 CF +QoS BSSID:e6:95:6e:4b:3f:14 SA:80:7a:bf:6d:a0:37 DA:e4:95:6e:4b:3f:14 Data IV:147 Pad 20 KeyID 0
13:06:57.013132 170882038478us tsft short preamble 11.0 Mb/s 2412 MHz 11b -55dBm signal -60dBm signal antenna 0 -57dBm signal antenna 1 RA:e6:95:6e:4b:3f:14 TA:80:7a:bf:6d:a0:37 Request-To-Send
13:06:57.016375 170882041627us tsft short preamble 11.0 Mb/s 2412 MHz 11b -56dBm signal -60dBm signal antenna 0 -58dBm signal antenna 1 RA:e6:95:6e:4b:3f:14 TA:80:7a:bf:6d:a0:37 Request-To-Send
13:06:57.016960 170882042297us tsft short preamble 11.0 Mb/s 2412 MHz 11b -57dBm signal -61dBm signal antenna 0 -59dBm signal antenna 1 RA:e6:95:6e:4b:3f:14 TA:80:7a:bf:6d:a0:37 Request-To-Send
13:06:57.016986 170882042420us tsft 2412 MHz 11n antenna 0 90.0 Mb/s MCS 4 40 MHz short GI RX-STBC0 CF +QoS BSSID:e6:95:6e:4b:3f:14 SA:80:7a:bf:6d:a0:37 DA:e4:95:6e:4b:3f:14 Data IV:148 Pad 20 KeyID 0
13:06:57.017161 170882042502us tsft 2412 MHz 11n -67dBm signal 81.0 Mb/s MCS 4 40 MHz long GI RX-STBC0 -69dBm signal antenna 0 -68dBm signal antenna 1 CF +QoS BSSID:e6:95:6e:4b:3f:14 SA:80:7a:bf:6d:a0:37 DA:e4:95:6e:4b:3f:14 Data IV:149 Pad 20 KeyID 0
13:06:57.017613 170882042872us tsft short preamble 11.0 Mb/s 2412 MHz 11b -57dBm signal -61dBm signal antenna 0 -59dBm signal antenna 1 RA:e6:95:6e:4b:3f:14 TA:80:7a:bf:6d:a0:37 Request-To-Send
13:06:57.018169 170882043511us tsft short preamble 11.0 Mb/s 2412 MHz 11b -57dBm signal -61dBm signal antenna 0 -59dBm signal antenna 1 RA:e6:95:6e:4b:3f:14 TA:80:7a:bf:6d:a0:37 Request-To-Send
13:06:57.018820 170882044149us tsft short preamble 11.0 Mb/s 2412 MHz 11b -56dBm signal -60dBm signal antenna 0 -59dBm signal antenna 1 RA:e6:95:6e:4b:3f:14 TA:80:7a:bf:6d:a0:37 Request-To-Send
13:06:57.018848 170882044346us tsft 2412 MHz 11n -68dBm signal 81.0 Mb/s MCS 4 40 MHz long GI RX-STBC0 -70dBm signal antenna 0 -69dBm signal antenna 1 CF +QoS BSSID:e6:95:6e:4b:3f:14 SA:80:7a:bf:6d:a0:37 DA:e4:95:6e:4b:3f:14 Data IV:14a Pad 20 KeyID 0
13:06:57.231276 170882256516us tsft 11.0 Mb/s 2412 MHz 11b -58dBm signal -68dBm signal antenna 0 -58dBm signal antenna 1 CF +QoS BSSID:e6:95:6e:4b:3f:14 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:14
13:07:02.248873 170887274115us tsft 11.0 Mb/s 2412 MHz 11b -53dBm signal -55dBm signal antenna 0 -57dBm signal antenna 1 CF +QoS BSSID:e6:95:6e:4b:3f:14 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:14
13:07:02.252793 170887278111us tsft short preamble 11.0 Mb/s 2412 MHz 11b -51dBm signal -53dBm signal antenna 0 -55dBm signal antenna 1 RA:e6:95:6e:4b:3f:14 TA:80:7a:bf:6d:a0:37 Request-To-Send
13:07:02.252831 170887278303us tsft 2412 MHz 11n -62dBm signal 150.0 Mb/s MCS 7 40 MHz short GI RX-STBC0 -63dBm signal antenna 0 -66dBm signal antenna 1 CF +QoS BSSID:e6:95:6e:4b:3f:14 SA:80:7a:bf:6d:a0:37 DA:e4:95:6e:4b:3f:14 Data IV:14b Pad 20 KeyID 0
13:07:02.454191 170887479414us tsft 11.0 Mb/s 2412 MHz 11b -50dBm signal -53dBm signal antenna 0 -54dBm signal antenna 1 CF +QoS BSSID:e6:95:6e:4b:3f:14 SA:80:7a:bf:6d:a0:37 DA:e6:95:6e:4b:3f:14
^C35683 packets captured
35757 packets received by filter
0 packets dropped by kernel
real    1m 12.36s
user    0m 2.53s
sys     0m 0.58s
```

Below are the frames received on the 5 GHz interface; again they are only Probe Response and Probe Request frames.

```
root@GL-AR750S:~# time tcpdump -ne -y ieee802_11_radio -i wlan0-1 | grep "80:7a:bf:6d:a0:37"
tcpdump: data link type ieee802_11_radio
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0-1, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 262144 bytes
13:06:06.202680 3326612368us tsft 6.0 Mb/s 5180 MHz 11a -62dBm signal -62dBm signal antenna 0 -73dBm signal antenna 2 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:80:7a:bf:6d:a0:37 Probe Request () [6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 Mbit]
13:06:06.203618 6.0 Mb/s [bit 15] BSSID:e6:95:6e:4b:3f:15 DA:80:7a:bf:6d:a0:37 SA:e6:95:6e:4b:3f:15 Probe Response (GL-AR750S-5G) [6.0* 9.0 12.0* 18.0 24.0* 36.0 48.0 54.0 Mbit] CH: 36, PRIVACY
13:06:06.222227 3326631936us tsft 6.0 Mb/s 5180 MHz 11a -60dBm signal -60dBm signal antenna 0 -73dBm signal antenna 2 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:80:7a:bf:6d:a0:37 Probe Request () [6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 Mbit]
13:06:06.223162 6.0 Mb/s [bit 15] BSSID:e6:95:6e:4b:3f:15 DA:80:7a:bf:6d:a0:37 SA:e6:95:6e:4b:3f:15 Probe Response (GL-AR750S-5G) [6.0* 9.0 12.0* 18.0 24.0* 36.0 48.0 54.0 Mbit] CH: 36, PRIVACY
13:06:56.277819 3376687217us tsft 6.0 Mb/s 5180 MHz 11a -62dBm signal -62dBm signal antenna 0 -73dBm signal antenna 2 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:80:7a:bf:6d:a0:37 Probe Request () [6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 Mbit]
13:06:56.278265 6.0 Mb/s [bit 15] BSSID:e6:95:6e:4b:3f:15 DA:80:7a:bf:6d:a0:37 SA:e6:95:6e:4b:3f:15 Probe Response (GL-AR750S-5G) [6.0* 9.0 12.0* 18.0 24.0* 36.0 48.0 54.0 Mbit] CH: 36, PRIVACY
13:06:56.297331 3376707153us tsft 6.0 Mb/s 5180 MHz 11a -63dBm signal -63dBm signal antenna 0 -73dBm signal antenna 2 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:80:7a:bf:6d:a0:37 Probe Request () [6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 Mbit]
13:06:56.298268 6.0 Mb/s [bit 15] BSSID:e6:95:6e:4b:3f:15 DA:80:7a:bf:6d:a0:37 SA:e6:95:6e:4b:3f:15 Probe Response (GL-AR750S-5G) [6.0* 9.0 12.0* 18.0 24.0* 36.0 48.0 54.0 Mbit] CH: 36, PRIVACY
^C889 packets captured
901 packets received by filter
0 packets dropped by kernel
real    1m 6.30s
user    0m 0.10s
sys     0m 0.04s
```

\[Update 2018/12/3] Besides the Probe frames, we found another kind of frame that is overheard, shown below:

```
root@GL-AR750S:~# tcpdump -ne -y ieee802_11_radio -i wlan0-1 | grep c4:85:08:9e:41:ca
tcpdump: data link type ieee802_11_radio
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0-1, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 262144 bytes
14:40:53.860924 3791715165us tsft 6.0 Mb/s 5200 MHz 11a -65dBm signal -65dBm signal antenna 0 -73dBm signal antenna 2 DA:01:00:5e:7f:ff:fa BSSID:e6:95:6e:45:a0:d9 SA:c4:85:08:9e:41:ca Data IV:c3f3 Pad 20 KeyID 1
14:40:54.679489 3792534340us tsft 6.0 Mb/s 5200 MHz 11a -65dBm signal -65dBm signal antenna 0 -73dBm signal antenna 2 DA:01:00:5e:7f:ff:fa BSSID:e6:95:6e:45:a0:d9 SA:c4:85:08:9e:41:ca Data IV:c3fc Pad 20 KeyID 1
14:40:55.703192 3793558340us tsft 6.0 Mb/s 5200 MHz 11a -66dBm signal -66dBm signal antenna 0 -73dBm signal antenna 2 DA:01:00:5e:7f:ff:fa BSSID:e6:95:6e:45:a0:d9 SA:c4:85:08:9e:41:ca Data IV:c407 Pad 20 KeyID 1
14:40:56.727270 3794582389us tsft 6.0 Mb/s 5200 MHz 11a -65dBm signal -65dBm signal antenna 0 -73dBm signal antenna 2 DA:01:00:5e:7f:ff:fa BSSID:e6:95:6e:45:a0:d9 SA:c4:85:08:9e:41:ca Data IV:c412 Pad 20 KeyID 1
14:41:13.725938 3811580818us tsft 6.0 Mb/s 5200 MHz 11a -65dBm signal -65dBm signal antenna 0 -73dBm signal antenna 2 DA:ff:ff:ff:ff:ff:ff BSSID:e6:95:6e:45:a0:d9 SA:c4:85:08:9e:41:ca Data IV:c4bf Pad 20 KeyID 1
14:41:44.036897 3841891583us tsft 6.0 Mb/s 5200 MHz 11a -66dBm signal -66dBm signal antenna 0 -73dBm signal antenna 2 DA:ff:ff:ff:ff:ff:ff BSSID:e6:95:6e:45:a0:d9 SA:c4:85:08:9e:41:ca Data IV:c5ea Pad 20 KeyID 1
```

Here the target device's MAC address is c4:85:08:9e:41:ca and the sender's MAC address is e6:95:6e:45:a0:d9, which is the 5 GHz (802.11ac) interface. The frequency in use, 5200 MHz (5.2 GHz), is also consistent with the 802.11ac configuration, so we can be fairly sure this really is an 802.11ac frame. The interface information is shown below (the monitor interface's entry has been removed).

```
root@GL-AR750S:~# iwinfo
wlan0     ESSID: "WiSDON-5G-824"
          Access Point: E6:95:6E:45:A0:D9
          Mode: Master  Channel: 40 (5.200 GHz)
          Tx-Power: 20 dBm  Link Quality: unknown/70
          Signal: unknown  Noise: -96 dBm
          Bit Rate: unknown
          Encryption: mixed WPA/WPA2 PSK (CCMP)
          Type: nl80211  HW Mode(s): 802.11nac
          Hardware: 168C:0050 0000:0000 [Generic MAC80211]
          TX power offset: unknown
          Frequency offset: unknown
          Supports VAPs: yes  PHY name: phy0

wlan1     ESSID: "WiSDON-2.4G-824"
          Access Point: E6:95:6E:45:A0:D8
          Mode: Master  Channel: 6 (2.437 GHz)
          Tx-Power: 20 dBm  Link Quality: unknown/70
          Signal: unknown  Noise: -85 dBm
          Bit Rate: unknown
          Encryption: mixed WPA/WPA2 PSK (CCMP)
          Type: nl80211  HW Mode(s): 802.11bgn
          Hardware: unknown [Generic MAC80211]
          TX power offset: unknown
          Frequency offset: unknown
          Supports VAPs: yes  PHY name: phy1
```

Next we examine the format of these frames and find that they all have the layout DA: \~ BSSID: \~ SA: \~, which means To DS = 0 and From DS = 1. In other words, these frames come from outside the WLAN and may be frames delivered by mistake; although the receiver has no ability to receive them, they were still overheard by the 5 GHz interface. We can also see that the overheard frames contain neither ACK frames nor any uplink frames sent by the device, so this should be the result of mis-sent frames being overheard.
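As an added example (not part of the original notes), the script below applies the same address-order rule in code: tcpdump prints the address fields in an order that depends on the To DS / From DS bits, so the printed labels reveal the frame direction. For a given device MAC it then counts the roles in which that device appears, so the observation above (frames relayed from the DS, no uplink or control frames from the device itself) can be checked over a whole capture rather than by eye. The role names and the `transmits_locally` verdict are our own; the sample lines are copied from captures shown on this page.

```python
import re

# Address labels as tcpdump prints them for each (To DS, From DS) combination:
# the order of the printed fields encodes the two Frame Control bits.
ADDR_LAYOUTS = {
    ("BSSID", "DA", "SA"): (0, 0),      # management / IBSS frames within the BSS
    ("DA", "BSSID", "SA"): (0, 1),      # from the DS: AP -> station
    ("BSSID", "SA", "DA"): (1, 0),      # to the DS: station -> AP (uplink)
    ("RA", "TA", "DA", "SA"): (1, 1),   # WDS, four-address frames
}
DIRECTION = {
    (0, 0): "within BSS (management/IBSS)",
    (0, 1): "from DS (AP -> station)",
    (1, 0): "to DS (station -> AP)",
    (1, 1): "WDS (AP -> AP)",
}
ADDR_RE = re.compile(r"\b(RA|TA|SA|DA|BSSID):([0-9a-f]{2}(?::[0-9a-f]{2}){5})")

# Sample lines copied from captures shown on this page (constructed test input):
# an uplink data frame, an RTS, a probe request, and two relayed frames from the 2018/12/3 update.
SAMPLE_LINES = [
    "18:00:21.349734 10748546713us tsft 2412 MHz 11g antenna 0 26.0 Mb/s MCS 3 20 MHz lon GI RX-STBC0 [bit 20] CF +QoS BSSID:00:22:2d:80:1f:30 SA:94:e9:79:d0:11:63 DA:00:22:2d:80:1f:30 Data IV:efd7 Pad 20 KeyID 0",
    "12:58:06.396551 2846811179us tsft 24.0 Mb/s 5180 MHz 11a -72dBm signal -72dBm signal antenna 0 -73dBm signal antenna 2 RA:e6:95:6e:4b:3f:15 TA:80:7a:bf:6d:a0:37 Request-To-Send",
    "12:57:58.926931 170343951982us tsft 1.0 Mb/s 2412 MHz 11b -72dBm signal -71dBm signal antenna 0 -73dBm signal antenna 1 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:80:7a:bf:6d:a0:37 Probe Request () [1.0 2.0 5.5 11.0 Mbit]",
    "14:40:53.860924 3791715165us tsft 6.0 Mb/s 5200 MHz 11a -65dBm signal -65dBm signal antenna 0 -73dBm signal antenna 2 DA:01:00:5e:7f:ff:fa BSSID:e6:95:6e:45:a0:d9 SA:c4:85:08:9e:41:ca Data IV:c3f3 Pad 20 KeyID 1",
    "14:41:13.725938 3811580818us tsft 6.0 Mb/s 5200 MHz 11a -65dBm signal -65dBm signal antenna 0 -73dBm signal antenna 2 DA:ff:ff:ff:ff:ff:ff BSSID:e6:95:6e:45:a0:d9 SA:c4:85:08:9e:41:ca Data IV:c4bf Pad 20 KeyID 1",
]
SAMPLE = "\n".join(SAMPLE_LINES)


def ds_bits(line):
    """(To DS, From DS) inferred from the order of the address labels; None for control frames."""
    labels = tuple(label for label, _ in ADDR_RE.findall(line))
    return ADDR_LAYOUTS.get(labels)


def direction(line):
    """Human-readable direction of one frame line."""
    return DIRECTION.get(ds_bits(line), "control / unknown")


def roles_of(text, mac):
    """Count the roles in which `mac` appears across a capture (role names are our own)."""
    roles = {"uplink_src": 0, "from_ds_src": 0, "mgmt_src": 0,
             "dest": 0, "ctrl_tx": 0, "ctrl_rx": 0}
    for line in text.splitlines():
        pairs = ADDR_RE.findall(line)
        addrs = dict(pairs)
        bits = ADDR_LAYOUTS.get(tuple(label for label, _ in pairs))
        if bits == (1, 0) and addrs.get("SA") == mac:
            roles["uplink_src"] += 1      # the device itself sent a frame to the AP
        elif bits == (0, 1) and addrs.get("SA") == mac:
            roles["from_ds_src"] += 1     # the AP relayed a frame that originated at the device
        elif bits == (0, 0) and addrs.get("SA") == mac:
            roles["mgmt_src"] += 1        # probe request etc. sent by the device
        if addrs.get("DA") == mac:
            roles["dest"] += 1
        if bits is None:                  # control frame: only RA/TA are printed
            if addrs.get("TA") == mac:
                roles["ctrl_tx"] += 1
            if addrs.get("RA") == mac:
                roles["ctrl_rx"] += 1
    return roles


def transmits_locally(roles):
    """True if the device was ever heard transmitting on this interface itself."""
    return roles["uplink_src"] + roles["mgmt_src"] + roles["ctrl_tx"] > 0


if __name__ == "__main__":
    for mac in ("c4:85:08:9e:41:ca", "80:7a:bf:6d:a0:37"):
        r = roles_of(SAMPLE, mac)
        verdict = "transmits locally" if transmits_locally(r) else "only relayed / overheard"
        print(mac, r, verdict)
```

For the device from the update above (c4:85:08:9e:41:ca) the script finds only relayed From-DS frames and no uplink, management or control frames, matching the conclusion reached by hand; for the device used in the band test (80:7a:bf:6d:a0:37) it finds an RTS and a probe request, so that device really was transmitting where it was heard.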

