Re: AP and sniffer together


From: Jouni Malinen (jkmaline_at_cc.hut.fi)
Date: 2002-04-05 05:36:43 UTC



On Tue, Mar 19, 2002 at 02:36:40PM +0800, LH wrote:

> I find that there are 2 sniff programs provided by the HostAP package. But
> is it possible to run AP and sniffer simultaneously in one machine using
> only one wireless LAN card??

With current driver version that is not possible, but it may be doable, depending on which frames you want to capture.

> What I want to get is the raw 802.11 frame received by the AP while the AP
> is still working.

If it is enough to get most frames with 802.11 headers to user space, then it should be possible to set the card in promiscuous mode, but _not_ in monitor mode, and then pass the frames to user space. It would be possible to, e.g., create a new netdevice and set it use ARPHRD_IEEE80211. Then the driver could send send all frames to this new device with 802.11 header and additionally handle rest of the frames like in Host AP mode (i.e., handle management frames in the driver and pass non-bridged data frames to this AP to wlan0 without 802.11 headers). Let me know, if there would be use for this and I'll add it to my todo list.

On Thu, Apr 04, 2002 at 10:51:28PM -0800, Pedro Estrela wrote:

> from what i've seen, the sniffing happens because the chipset is put in a
> very special test state, trough a CMDCODE_TEST to the command register.
> In this mode, the chipset will only receive packets and stop transmiting;
> this means that pings and the AP function are stopped.

The driver sets the card to monitor mode, but this does no stop (all) TX. However, currently the driver also changes the mode automatically to pseudo IBSS to prevent beacon frames from being sent (usually sniffing device is wanted to be passive). The driver can still send frames and if the port is left in Host AP mode, firmware will continue sending beacon frames in monitor mode. However, monitor mode is certainly not meant for "normal use". Some of the essentinal operations are disabled. For example, firmware does not acknowledge received packets anymore.

On Thu, Apr 04, 2002 at 04:09:28PM -0600, Jim Thompson wrote:

> Er, can't you just run one of the 'ports' in AP mode and another in
> 'monitor' mode?

Apparently not, at least not with only station firmware. Monitor mode setting is "global" for the card. Whenever it is used, all received frames seem to come from macport 7 (reserved for monitor mode). I have never been able to use more than one macport at a time. Documentation on this is a bit unclear (i.e., whether station firmware supports one or two ports at a time). I haven't tested this with AP firmware (which should support more ports than station firmware; mainly for WDS, which is apparently broken anyway).

-- 
Jouni Malinen                                            PGP id EFC895FA


This archive was generated by hypermail 2.1.4.