# [pfSense] Capturing 802.11 frames



## asdfg (Mar 28, 2013)

I'm aware of the rules on 'derivative FreeBSDs' and have tried to get an answer on the pfSense forum here: http://forum.pfsense.org/index.php/topic,60491.0.html. I don't feel like bumping there will be useful as there have been plenty of views, so I'm trying here. Hopefully this is the right subforum.

My version of pfSense is built on FreeBSD 8.1. For the rest I'll just copy the post from the link.

------------


I am attempting to capture 802.11 frames on a small box running Pfsense (No, there's no possibility of using a full size OS). Note that I have some experience with linux, but none with FreeBSD/Pfsense.

I have tried to do the capturing with the following script. The reboot command at the end is needed since I have to SSH to the box using the same Wifi module. (which is in AP mode)

```
#!/bin/sh

ifconfig ath0_wlan0
ifconfig ath0_wlan0 monitor
ifconfig ath0_wlan0 #compare status

/usr/sbin/tcpdump -n -e -tttt -vvv -U -i ath0_wlan0 -s 0 -w ath0wlan0.dump &
sleep 20s && pkill -HUP -f /usr/sbin/tcpdump

ifconfig ath0_wlan0 -monitor
ifconfig ath0_wlan0 #compare status

sleep 10

reboot
```

The output was:

```
ath0_wlan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 90:a4:de:c7:55:57
        inet6 fe80::92a4:deff:fec7:5557%ath0_wlan0 prefixlen 64 scopeid 0x9
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11b <hostap>
        status: running
        ssid PfsenseBox channel 8 (2447 MHz 11b) bssid 90:a4:de:c7:55:57
        regdomain ETSI country NL ecm authmode OPEN privacy OFF txpower 30
        scanvalid 60 burst -apbridge dtimperiod 1 -dfs
ath0_wlan0: flags=48943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,MONITOR> metric 0 mtu 1500
        ether 90:a4:de:c7:55:57
        inet6 fe80::92a4:deff:fec7:5557%ath0_wlan0 prefixlen 64 scopeid 0x9
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11b <hostap>
        status: running
        ssid PfsenseBox channel 8 (2447 MHz 11b) bssid 90:a4:de:c7:55:57
        regdomain ETSI country NL ecm authmode OPEN privacy OFF txpower 30
        scanvalid 60 burst -apbridge dtimperiod 1 -dfs
tcpdump: WARNING: ath0_wlan0: no IPv4 address assigned
tcpdump: listening on ath0_wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes
57 packets captured
57 packets received by filter
0 packets dropped by kernel
ath0_wlan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 90:a4:de:c7:55:57
        inet6 fe80::92a4:deff:fec7:5557%ath0_wlan0 prefixlen 64 scopeid 0x9
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11b <hostap>
        status: running
        ssid PfsenseBox channel 8 (2447 MHz 11b) bssid 90:a4:de:c7:55:57
        regdomain ETSI country NL ecm authmode OPEN privacy OFF txpower 30
        scanvalid 60 burst -apbridge dtimperiod 1 -dfs
```

So it seems to work, however, the dump file contains only SSH/HTTP/TCP packets and the like. I'm clearly missing something for Pfsense to be able to do this, but I can't google my way out of it. 

I found http://sandilands.info/sgordon/capturing-wireless-lan-with-ubuntu-tcpdump-kismet which uses the same approach, except that they disable the WNIC before putting it in monitor mode. I tried this but to no avail. However, they mention something about special wireless drivers to enable the WNIC to support monitoring.. Do I need to install, for example, the madwifi drivers?


PS

The output of [cmd=]ifconfig[/cmd] and [cmd=]pciconf -lv[/cmd] show that ath0_wlan0 is cloned from ath0, don't know whether it is of any importance:

```
$ ifconfig ath0
ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 2290
	ether 90:a4:de:c7:55:57
	media: IEEE 802.11 Wireless Ethernet autoselect mode 11b <hostap>
	status: running[/INDENT]

$ pciconf -lv
ath0@pci0:0:12:0:	class=0x020000 card=0x1012185f chip=0x0013168c rev=0x01 hdr=0x00
    class      = network
    subclass   = ethernet
```

And the specifications of the WNIC
http://www.msdist.co.uk/product_CM9-GP_Atheros_80211a-b-g_miniPCI_wireless_card.php


----------



## SirDice (Mar 28, 2013)

asdfg said:
			
		

> My version of pfSense is built on FreeBSD 8.1.


And unfortunately FreeBSD 8.1 has been end-of-life since July 2012 and is thus unsupported.

http://www.freebsd.org/security/#unsup


----------



## asdfg (Mar 28, 2013)

SirDice said:
			
		

> And unfortunately FreeBSD 8.1 has been end-of-life since July 2012 and is thus unsupported.
> 
> http://www.freebsd.org/security/#unsup



If you're saying this because of:


> Following advice given here (which may not be applicable to your system) may render your system unusable, or altered in a way that causes serious problems



I understand, but at this point I don't really care if it will break or not. I'll try anything. (except a hammer)


----------



## SirDice (Mar 28, 2013)

No, if I wanted to say that I would have pointed you to this thread: [thread=7290]PC-BSD, DesktopBSD, FreeNAS, NAS4Free, m0N0WALL, pfSense, ArchBSD, kFreeBSD topics[/thread]


----------



## mix_room (Mar 28, 2013)

On my pfSense installation there is a menu entry called 'Packet Capture'. Have you tried using that?
Edit: you might also try a newer version of pfSense.


----------



## asdfg (Mar 28, 2013)

I did try that, but as was to be expected it only captures in Promiscuous mode. This means that only data frames from the current network BSSID are captured (just as with promiscuous mode on wired Ethernet), unlike Monitor mode which in addition captures 802.11 specific management frames (beacons, probes, auth, assoc) and control frames (ack, cts/rts) for any BSSID.

The pfSense version on the box is 2.0.1, and judging by the release notes of 2.0.2 it doesn't appear to have fixed/added anything related to wireless drivers.


----------



## mix_room (Mar 29, 2013)

asdfg said:
			
		

> The pfSense version on the box is 2.0.1, and judging by the release notes of 2.0.2 it doesn't appear to have fixed/added anything related to wireless drivers.



You might give the 2.1-beta a try.


----------



## asdfg (Apr 1, 2013)

I made a backup of pfSense's config, then upgraded by setting "Default Auto Update URLs" in System->Firmware to _pfSense i386 2.1 DEVELOPMENT snapshots_.

```
2.1-BETA1 (i386)
built on Sun Mar 31 14:52:32 EDT 2013
FreeBSD 8.3-RELEASE-p6

You are on the latest version.
```

Again executed the same script

```
#!/bin/sh

ifconfig ath0_wlan0
ifconfig ath0_wlan0 monitor
ifconfig ath0_wlan0 #compare status

/usr/sbin/tcpdump -n -e -tttt -vvv -U -i ath0_wlan0 -s 0 -w ath0wlan0.dump &
sleep 20 && pkill -HUP -f /usr/sbin/tcpdump

ifconfig ath0_wlan0 -monitor
ifconfig ath0_wlan0 #compare status

sleep 10
reboot
```

Output:

```
ath0_wlan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 90:a4:de:c7:55:57
        inet6 fe80::92a4:deff:fec7:5557%ath0_wlan0 prefixlen 64 scopeid 0x9
        nd6 options=1<PERFORMNUD>
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11b <hostap>
        status: running
        ssid PfsenseBox channel 8 (2447 MHz 11b) bssid 90:a4:de:c7:55:57
        regdomain ETSI country NL ecm authmode OPEN privacy OFF txpower 30
        scanvalid 60 burst -apbridge dtimperiod 1 -dfs
ath0_wlan0: flags=48943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,MONITOR> metric 0 mtu 1500
        ether 90:a4:de:c7:55:57
        inet6 fe80::92a4:deff:fec7:5557%ath0_wlan0 prefixlen 64 scopeid 0x9
        nd6 options=1<PERFORMNUD>
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11b <hostap>
        status: running
        ssid PfsenseBox channel 8 (2447 MHz 11b) bssid 90:a4:de:c7:55:57
        regdomain ETSI country NL ecm authmode OPEN privacy OFF txpower 30
        scanvalid 60 burst -apbridge dtimperiod 1 -dfs

tcpdump: WARNING: ath0_wlan0: no IPv4 address assigned
tcpdump: listening on ath0_wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes
53 packets captured
54 packets received by filter
0 packets dropped by kernel

ath0_wlan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 90:a4:de:c7:55:57
        inet6 fe80::92a4:deff:fec7:5557%ath0_wlan0 prefixlen 64 scopeid 0x9
        nd6 options=1<PERFORMNUD>
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11b <hostap>
        status: running
        ssid PfsenseBox channel 8 (2447 MHz 11b) bssid 90:a4:de:c7:55:57
        regdomain ETSI country NL ecm authmode OPEN privacy OFF txpower 30
        scanvalid 60 burst -apbridge dtimperiod 1 -dfs
```

The ath0wlan0.dump opened in Wireshark:







Unfortunately 2.1 doesn't seem to fix my problem. I suppose I need to install a more capable wireless driver, Madwifi/ath5k for example, but those seem to be geared towards Linux and not FreeBSD :-\


----------



## johnblue (Apr 1, 2013)

Generally speaking it has always been my impression that you can only have one or the other, but not both.  Either you are associated with an SSID and can see your traffic or you are in monitor mode and you get to see everything.

It is clear from the output that you are successful in getting ath0_wlan0 into a MONITOR state.  However, I am curious as to why PROMISC mode is being set before and along with MONITOR afterwards.  I would only expect to see:


```
<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST>
```
 before.

Perhaps MONITOR is being superseded by PROMISC .. <shrug>


----------



## asdfg (Apr 2, 2013)

That makes sense. I remember I already tried to remove the PROMISC flag with -promisc, but it didn't work. No error message whatsoever. 


```
ifconfig ath0_wlan0
ath0_wlan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
ifconfig ath0_wlan0 -promisc
ifconfig ath0_wlan0
ath0_wlan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
```

So I figure I should not let it launch with PROMISC at all. [cmd=]dmesg -a[/cmd] outputs:

```
vr0: promiscuous mode enabled
ath0_wlan0: promiscuous mode enabled
vr2: promiscuous mode enabled
```

By modifying /etc/inc/interfaces.inc with additional echo commands I established that these lines are printed when all members of the bridge are started here:


```
/* Add interfaces to bridge */
	foreach ($members as $member) {
		if (empty($checklist[$member]))
			continue;
		$realif = get_real_interface($member);
		if (!$realif) {
			log_error(gettext("realif not defined in interfaces bridge - up"));
			continue;
		}
		/* make sure the parent interface is up */
		pfSense_interface_mtu($realif, $smallermtu);
		pfSense_interface_capabilities($realif, -$flags);
		interfaces_bring_up($realif);
		pfSense_bridge_add_member($bridge['bridgeif'], $realif);
	}
```

interfaces_bring_up() calls pfSense_interface_flags($interface, IFF_UP) of which I can't find the source. I think I'm looking in the wrong direction though.


----------



## asdfg (Apr 11, 2013)

Solved! http://forum.pfsense.org/index.php/topic,60995.0.html


----------



## johnblue (Apr 15, 2013)

asdfg said:
			
		

> Solved! http://forum.pfsense.org/index.php/topic,60995.0.html


Awesome feedback.  At least it was for science!


----------

