Read WLAN Link Layer packages using tcpdump/tshark in raspberry pi - linux

I have a raspberry pi, a WLAN stick (Ralink Technology, Corp. RT5370) in monitor mode and tcpdump (+tshark) installed.
Now I want to read link layer packages from a WLAN wristband device that patients in a retirement home use. This device sends link layer data every second in order to be detected by access points using fingerprinting. The content of these packages is not important; only the RSSI values and the MAC of the device are needed.
With my rPi I now want to detect when a patient is near their own flat door in order to open it automatically. For this, the Pi needs to receive these LLC packages so that I can use the associated RSSI value to calculate the distance.
Using Wireshark and Windows (Airpcap) I can read these LLC packages without problems. The output is for example:
35748 152.953461000 00:00:00_00:00:00 57:01:ff:00:00:00 LLC 62 I, N(R)=0, N(S)=0; DSAP NULL LSAP Individual, SSAP 0x1e Command
If I do the same thing on raspbian using tcpdump or tshark, I don't receive data at all.
tcpdump (command is sudo tcpdump llc -i wlan1) returns
tcpdump: 'llc' supported only on raw ATM
Looks like my linux/driver is not able to pass link layer data to tcpdump. How can I enable it?
Thank you for any hint
UPDATE
Thanks to Guy Harris I found a solution
sudo tcpdump -e -i wlan1 type data
returns all LLC packages and the -e value adds all types of MAC. Output is something like this, where TA is the MAC of the device. I parsed it using Python line by line to get the data I needed:
02:56:21.346146 11.0 Mb/s 2462 MHz 11b -53dB signal antenna 1 RA:01:40:96:00:00:03 (oui Unknown) TA:00:18:8e:40:62:03 (oui Unknown) DA:00:00:00:00:00:00 (oui Ethernet) SA:00:00:00:00:00:00 (oui Ethernet) LLC, dsap Null (0x00) Individual, ssap OSI (0xfe) Response, ctrl 0x0b: Unnumbered, 0b, Flags [Response], length 24
BR
Stefan

tcpdump: 'llc' supported only on raw ATM
First of all, the filter comes after all the command-line flags, including -i, so, if you're going to be capturing on wlan1 with a filter, what you want is
sudo tcpdump -i wlan1 {filter}
That's how tcpdump works - the filter comes after all the command-line flags and the arguments to those flags, including -i, -r, etc.
Second of all, "llc" means something very specific - from the "pcap-filter" man page (with older versions of libpcap and tcpdump, it's in the tcpdump man page, but the filter expressions aren't understood by tcpdump, they're understood by libpcap, the library tcpdump uses to capture and to read capture files):
llc True if the packet is an ATM packet, for SunATM on Solaris, and
is an LLC-encapsulated packet.
On 802.11, all 802.11 data frames have an 802.2 LLC header, so you want
tcpdump -i wlan1 type data
which will filter out management and control frames (which don't have 802.2 LLC headers).

Related

How to map ethtool's bus-info to /sys/devices/?

How are the bus-info addresses from ethtool -i <netdev> to be interpreted in order to address the corresponding HW device in /sys/devices/? That is, using the Linux sysfs API with the information returned by the ethtool ioctl SIOCETHTOOL (or similar) API?
Please note that I'm in a situation where I cannot use /sys/class/net/ due to the way that sysfs filters the net/ branch(es) based on the mounting process' network namespace. sysfs does not filter net/ based on the sysfs-reading process' current network namespace; compare this with procfs which always correctly adapts to the procfs-reading process' current PID namespace.
For instance, on a Raspberry Pi 4B with Ubuntu 21.10 ethtool -i eth0 for the integrated eth0 HW NIC just draws a literal blank:
bus-info:
The eth0 device seems to be located here: /sys/devices/platform/emmc2bus/subsystem/devices/fd580000.ethernet/.
Plugging in an USB-based Ethernet dongle and then querying it I get:
bus-info: usb-0000:01:00.0-1.1
Unfortunately, that's not a directly valid item in, say, /sys/devices/...
How are the bus-info addresses reported by the ethtool API (socket/RTNETLINK) to be resolved depending on the different "bus" systems?

How to get iwconfig to display signal level as dbm instead of a fraction

When I run:
iwconfig wlan0 | grep -i quality
on my Raspberry Pi, with a wifi card installed, it reports back to me with:
Link Quality=99/100 Signal level=48/100 Noise level=0/100
How can I get iwconfig or some other network tool to report the signal level back to me in dBm instead of an arbitrary fraction?
It's a matter of the network interface card or of the related drivers.
As a workaround, you can use this simple formula to do the conversion.
dbm=(fraction_of_total/2)-100
Of course it is an approximation and results may vary from chipset to chipset, but it is how I solved it.
You can alternatively find the correct drivers if you know the wifi card is capable of RSSI sampling. But that's usually not easy.

tcpdump catching mac and rssi in linux

I'm trying to use a wlan adapter (TP-link TL-WN722N) in monitor mode to pick up RSS from signals in the environment (both beacons and clients). What I would like to do is to get the MAC address and RSS value into my own code somehow (preferably python). I'm planning to use these values for a rough estimate of locations of nearby devices.
I've looked into scapy, but it does not seem to provide RSS values.
tcpdump seems to be able to get both values, but I have been unable to catch client devices.
Is it possible?
If so can I filter MAC and RSS somehow?
I got it working with tcpdump!
To set up a monitor mode adapter, you first need to check which interface to use:
iw list
Select the correct phy (for me it's phy1) and create an adapter (I called it moni0):
sudo iw phy phy1 interface add moni0 type monitor
Then add your adapter to the ifconfig:
sudo ifconfig moni0 up
See this guide for more details.
I used the following params for tcpdump to get the values that I needed. (you can pipe the output to your program, main.py in my case):
sudo tcpdump -n -e -tttt -vvvv -i moni0 | python main.py
You can find my project here.
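Both the UPDATE in the first question and the answer above pipe `tcpdump -e` output into Python to pull out the MAC and RSSI. The following is an added example, not code from either poster or their projects: it extracts the transmitter MAC and signal value from each line and smooths the RSSI per MAC with a sliding median. The function names, the window size, the fallback from TA to SA, and acceptance of a "dBm" spelling are assumptions.

```python
import re
import sys
from collections import defaultdict, deque
from statistics import median

MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
# The page's sample prints "-53dB signal"; the optional "m" also accepts
# builds that print "dBm" (assumption).
SIGNAL_RE = re.compile(r"(-?\d+)dBm? signal")
TA_RE = re.compile(r"\bTA:" + MAC, re.I)
SA_RE = re.compile(r"\bSA:" + MAC, re.I)

def parse_line(line):
    """Return (transmitter_mac, rssi_dbm), or None if a field is missing."""
    sig = SIGNAL_RE.search(line)
    # The page's data-frame sample carries TA; fall back to SA otherwise.
    mac = TA_RE.search(line) or SA_RE.search(line)
    if sig is None or mac is None:
        return None
    return mac.group(1).lower(), int(sig.group(1))

def smoothed_rssi(lines, window=5):
    """Yield (mac, median of the last `window` RSSI samples) per parsed line."""
    history = defaultdict(lambda: deque(maxlen=window))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # banners, truncated lines, frames without a signal field
        mac, rssi = parsed
        history[mac].append(rssi)
        yield mac, median(history[mac])

# Sample input: first line abridged from the page's output, the rest constructed.
SAMPLE = [
    "02:56:21.346146 11.0 Mb/s 2462 MHz 11b -53dB signal antenna 1 "
    "RA:01:40:96:00:00:03 (oui Unknown) TA:00:18:8e:40:62:03 (oui Unknown) LLC",
    "tcpdump: listening on wlan1, link-type IEEE802_11_RADIO",
    "02:56:22.346201 11.0 Mb/s 2462 MHz 11b -60dBm signal antenna 1 "
    "RA:01:40:96:00:00:03 (oui Unknown) TA:00:18:8E:40:62:03 (oui Unknown) LLC",
    "02:56:22.501000 1.0 Mb/s 2462 MHz 11b -71dB signal antenna 1 "
    "BSSID:02:00:00:aa:bb:cc DA:ff:ff:ff:ff:ff:ff SA:02:00:00:aa:bb:cc Beacon",
    "02:56:23.346188 11.0 Mb/s 2462 MHz 11b -49dB signal antenna 1 TA:00:18:8e:40:62:03 LLC",
]

if __name__ == "__main__":
    # Live use: sudo tcpdump -l -e -i wlan1 type data | python3 this_file.py
    for mac, rssi in smoothed_rssi(sys.stdin):
        print(mac, rssi)
```

The `-l` flag makes tcpdump line-buffer its output, so lines reach the script as frames arrive instead of in large chunks.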

measuring TX retransmission amount per interface

I'm trying to get the TX re-transmission amount for a specific network interface on a Linux 2.6.33.3 kernel.
Is there any Linux raw data I can use in order to get/calculate this kind of information?
I've tried netstat, but I couldn't find a way to get the retransmissions value for a specific interface.
With no other "quick" choice, what would it require from me in order to build a small app especially for that? Listen to all outgoing packets using any capturing library and count... what? Duplicate packets? By some kind of a packet ID?
I'm not a network pro. Am I supposed to find troubles in this kind of mission? (BTW, I'll probably try to do it with Python. Any reason why not to?)
You can check how your interface is configured with the following commands:
mii-tool eth0
ethtool eth0
mii-diag eth0
Not all of them are installed by default on every Linux system, but they are definitely in the distribution and installable.
When you want to measure how fast your interface really is, you can use dd + netcat:
host1$ cat /dev/zero | nc -l -p 3000
host2$ nc host1 3000 | dd of=/dev/null
^C
dd will report the speed of the retransmission between host1 and host2.
If you want per interface, try ifconfig eth0, you probably have what you want there. Just parse it through python.

iwconfig does not show Noise Level for wireless

I have a Dell Latitude E6410, which uses an Intel Ultimate N-6300 Wireless card. iwconfig does not show the Noise level of the wireless interface, wlan0. Does anyone know the reason for that?
precise#ubuntu:~/Desktop/Work/transmitter$ iwconfig
lo no wireless extensions.
mon0 IEEE 802.11abgn Mode:Monitor Tx-Power=15 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Power Management:off
wlan0 IEEE 802.11abgn ESSID:"AirPennNet"
Mode:Managed Frequency:2.412 GHz Access Point: D8:C7:C8:D7:A6:C1
Bit Rate=130 Mb/s Tx-Power=15 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Power Management:on
Link Quality=65/70 Signal level=-45 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:800 Invalid misc:540 Missed beacon:0
eth0 no wireless extensions.
I tried to use cat /proc/net/wireless and got these results
Inter-| sta-| Quality | Discarded packets | Missed | WE
face | tus | link level noise | nwid crypt frag retry misc | beacon | 22
wlan0: 0000 64. -46. -256 0 0 0 818 566 0
Is -256 the noise level? How do I interpret this in dBm?
The answer lies within your driver and wireless card support.
I have a similar Dell Latitude model but with an Intel(R) Centrino(R) Advanced-N 6200 AGN wireless card. After issuing the iwconfig command, the output also revealed something similar - the Noise parameter was missing (this was done while in connection to an access point, of course).
Not happy with that, I got out another wireless card (Wistron NeWeb AR9170+AR9104 802.11abgn - basically a Proxim Wireless 802.11a/b/g/n Wi-Fi USB dongle) and issued the same command. The output was still the same, the Noise parameter was not there!
This wasn't what I had expected since I knew very well that we had used the same Wi-Fi dongle to detect the noise level associated with access points using a proprietary software by Fluke Network called the AirMagnet WiFi Analyzer PRO. I even tried downloading and re-compiling the Linux Wireless Tools package from Jean Tourrilhes' but similar output was shown as before.
The next step I did was to verify again that the WiFi dongle actually does show the WiFi noise levels under the AirMagnet WiFi Analyzer software. Sure enough, it does (as depicted in the attached image below).
The blue column with the header 'N' refers to the noise level. Mind you, the WiFi dongle also came along with a proprietary driver when we bought the AirMagnet software along with it.
Having done that, I decided to see what it would show for our internal WiFi card (Intel(R) Centrino(R) Advanced-N 6200 AGN). Here are the results:
All of them are displaying values of -100! So, I believe it all has something to do with the driver/card capabilities.
