From owner-freebsd-mobile@FreeBSD.ORG Thu May 20 08:52:58 2004
From: Sam Leffler
Organization: Errno Consulting
To: Fish
cc: freebsd-mobile@freebsd.org
Date: Thu, 20 May 2004 08:50:29 -0700
Subject: Re: Orinoco Wireless Card and Monitor Mode w/ Kismet - No Longer Working?
References: <200405200904.37966.fish@fish-mail.com> <200405200825.06207.sam@errno.com> <200405201138.52801.fish@fish-mail.com>
In-Reply-To: <200405201138.52801.fish@fish-mail.com>
Message-Id: <200405200850.29662.sam@errno.com>

On Thursday 20 May 2004 08:38 am, Fish wrote:
> On Thursday 20 May 2004 11:25 am, Sam Leffler wrote:
> > On Thursday 20 May 2004 06:04 am, Fish wrote:
> > > When I built from source I configured with --enable-syspcap and used
> > > source=radiotap_fbsd_b,wi0,wtapb,10 as my source.
> >
> > You didn't mention what kernel you're running. radiotap support should
> > work fine in current.
> >
> > Sam
>
> Sorry, thought I said I was running -current, guess not.
>
> bash-2.05b$ uname -a
> FreeBSD somethingwicked 5.2-CURRENT FreeBSD 5.2-CURRENT #0: Sun May 16
> 23:57:02 EDT 2004 fish@somethingwicked:/usr/obj/usr/src/sys/CURRENT-TWO
> i386
>
> Here's the console output when I run the server...
>
> bash-2.05b$ sudo kismet_server
> Will drop privs to fish (1001) gid 1001
> No specific sources given to be enabled, all will be enabled.
> Enabling channel hopping.
> Disabling channel splitting.
> Source 0 (wtapb): Enabling monitor mode for radiotap_fbsd_b source
> interface wi0 channel 10...
> Source 0 (wtapb): Opening radiotap_fbsd_b source interface wi0...
> WARNING: pcap reports link type of EN10MB but we'll fake it on BSD. Note this is wrong.
> This may not work the way we want it to.
> WARNING: Some Free- and Net- BSD drivers do not report rfmon packets
> correctly. Kismet will probably not run correctly. For better
> support, you should upgrade to a version of *BSD with Radiotap.
> Spawned channelc control process 12761
> Dropped privs to fish (1001) gid 1001
> Allowing clients to fetch WEP keys.
> Logging networks to /home/fish/kismet/20040520-Kismet-1-network.txt
> Logging cryptographically weak packets
> to /home/fish/kismet/20040520-Kismet-1-weak.txt
> Logging cisco product information
> to /home/fish/kismet/20040520-Kismet-1-cisco.txt
> Logging data to /home/fish/kismet/20040520-Kismet-1-dump.txt
> Writing data files to disk every 300 seconds.
> Mangling encrypted and fuzzy data packets.
> Tracking probe responses and associating probe networks.
> Reading AP manufacturer data and defaults from /usr/local/etc/ap_manuf
> Reading client manufacturer data and defaults from
> /usr/local/etc/client_manuf
> Dump file format: wiretap (local code) dump
> Crypt file format: airsnort (weak packet) dump
> Kismet 2004.04.R1 (Kismet)
> Logging data networks weak cisco
> Listening on port 2501.
> Allowing connections from 127.0.0.1/255.255.255.255
> Registering builtin client/server protocols...
> Registering requested alerts...
> Registering builtin timer events...
> Gathering packets...
> ^CDidn't detect any networks, unlinking network list.
> Didn't detect any Cisco Discovery Packets, unlinking cisco dump
> Didn't capture any packets, unlinking dump file
> Didn't see any weak encryption packets, unlinking weak file
> Sending termination request to channel control child 12761...
> Waiting for channel control child 12761 to exit...
> WARNING: Sometimes cards don't always come out of monitor mode
> cleanly. If your card is not fully working, you may need to
> restart or reconfigure it for normal operation.
> Kismet exiting.
>
> Anything look amiss to anyone?

To get radiotap-encapsulated frames you need to set the pcap link type to
IEEE802_11_RADIO. You are sampling packets at the Ethernet level, which means
you won't see any of the 802.11 management frames that kismet needs to
identify nodes in the network. An up-to-date kismet should do this
automatically. There are versions of tcpdump that can do this too, but I
believe you need the version from the ports tree as the mods haven't (yet)
been incorporated in the system. Something like tcpdump -i wi0 -y should
display the set of available link types and then tcpdump -i wi0 -L
IEEE802_11_RADIO should work. If that's ok then your problem is with kismet;
you must have the wrong sources. I always just take the most current code
from CVS.

Sam
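The link-type point Sam makes above, as an added illustration that is not code from this thread, from kismet or from tcpdump: a capture opened with link type EN10MB hands you driver-translated Ethernet frames, so beacons and probe responses are simply not there, while a capture opened with IEEE802_11_RADIO carries a radiotap header whose length field must be validated before the 802.11 frame behind it is decoded. The DLT numbers are libpcap's; the sample packet is constructed.

```python
import struct
# pcap link-layer types (DLT values from libpcap)
DLT_EN10MB = 1               # Ethernet: what pcap reported for wi0 in the thread
DLT_IEEE802_11 = 105         # raw 802.11 frames, no radio header
DLT_IEEE802_11_RADIO = 127   # radiotap header followed by an 802.11 frame

# 802.11 frame control: type in bits 2-3, subtype in bits 4-7
MGMT, CTRL, DATA = 0, 1, 2
MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
                 8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}

def radiotap_len(pkt):
    """Validate the fixed 8-byte radiotap prefix and return the header length."""
    if len(pkt) < 8:
        raise ValueError("short radiotap header")
    version, _pad, length, _present = struct.unpack_from("<BBHI", pkt, 0)
    if version != 0:
        raise ValueError("unknown radiotap version %d" % version)
    if length < 8 or length > len(pkt):   # never trust it_len past the buffer
        raise ValueError("radiotap length %d out of range" % length)
    return length

def classify_80211(frame):
    """Name the frame from the first frame-control byte of an 802.11 header."""
    if len(frame) < 2:
        raise ValueError("short 802.11 header")
    ftype = (frame[0] >> 2) & 0x3
    subtype = (frame[0] >> 4) & 0xF
    if ftype == MGMT:
        return "mgmt/" + MGMT_SUBTYPES.get(subtype, str(subtype))
    return {CTRL: "ctrl", DATA: "data"}.get(ftype, "reserved")

def classify_capture(dlt, pkt):
    """Classify one captured packet according to the pcap link type in use."""
    if dlt == DLT_IEEE802_11_RADIO:
        return classify_80211(pkt[radiotap_len(pkt):])
    if dlt == DLT_IEEE802_11:
        return classify_80211(pkt)
    if dlt == DLT_EN10MB:
        # The driver has already rewritten the frame as Ethernet: beacons and
        # probe responses are gone, which is why kismet saw no networks.
        return "ethernet (no 802.11 management frames available)"
    raise ValueError("unsupported link type %d" % dlt)

# Constructed sample: minimal radiotap header (version 0, it_len 8, empty
# present bitmap) followed by the start of an 802.11 beacon (fc 0x80).
SAMPLE_RADIOTAP_BEACON = bytes([0, 0, 8, 0, 0, 0, 0, 0, 0x80, 0x00]) + b"\xff" * 6

if __name__ == "__main__":
    print(classify_capture(DLT_IEEE802_11_RADIO, SAMPLE_RADIOTAP_BEACON))  # mgmt/beacon
```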