From owner-freebsd-wireless@FreeBSD.ORG Fri Sep 20 22:29:36 2013
Date: Fri, 20 Sep 2013 15:29:34 -0700
From: hiren panchasara
To: freebsd-wireless@freebsd.org
Subject: ath0 "monitor mode" mystery
List-Id: "Discussions of 802.11 stack, tools device driver development."
I am trying to enable (what I think is) monitor mode on PicoStation M2HP. I am confused though. "man ifconfig" is also showing 2 different "monitor" things. I tried both below:

# ifconfig wlan0 create wlandev ath0
wlan0: Ethernet address: dc:9f:db:6a:3e:9e
# ifconfig wlan0 down
# ifconfig wlan0 monitor
# ifconfig wlan0 channel 4
# ifconfig wlan0 up
#
# ifconfig wlan0
wlan0: flags=48843 metric 0 mtu 1500
        ether dc:9f:db:6a:3e:9e
        media: IEEE 802.11 Wireless Ethernet autoselect (autoselect)
        status: no carrier
        ssid "" channel 4 (2427 MHz 11g) regdomain FCC3 country US indoor ecm
        authmode OPEN privacy OFF txpower 30 bmiss 7 scanvalid 60 protmode CTS
        wme burst bintval 0
#

And now I get things via:

# tcpdump -ni wlan0 -y IEEE802_11_RADIO
wlan0: promiscuous mode enabled
wlan0: promiscuous mode disabled
wlan0: promiscuous mode enabled
tcpdump: data link type IEEE802_11_RADIO
tcpdump: WARNING: wlan0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 65535 bytes
18:56:23.803065 9838362989us tsft 1.0 Mb/s 60dBm tx power antenna 0 2427 MHz 11g Probe Request () [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit]
18:56:23.994159 9838553735us tsft 1.0 Mb/s -75dB signal -96dB noise antenna 1 2427 MHz 11g Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
18:56:23.995089 9838554678us tsft 1.0 Mb/s -75dB signal -96dB noise antenna 1 2427 MHz 11g Probe Request (Y!Office) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
18:56:23.995979 9838555575us tsft 1.0 Mb/s -75dB signal -96dB noise antenna 1 2427 MHz 11g Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
18:56:24.002484 9838562077us tsft 1.0 Mb/s -76dB signal -96dB noise antenna 1 2427 MHz 11g Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
18:56:24.016082 9838576006us tsft 1.0 Mb/s 60dBm tx power antenna 0 2427 MHz 11g ht/40+ Probe Request () [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit]

But is this really a monitor mode? Not according to tcpdump. What we are seeing above are beacons sent out by APs? How do we get probe requests sent to APs by devices?

man tcpdump says:

     -I     Put the interface in "monitor mode"; this is supported only on
            IEEE 802.11 Wi-Fi interfaces, and supported only on some operating
            systems.

            Note that in monitor mode the adapter might disassociate from the
            network with which it's associated, so that you will not be able
            to use any wireless networks with that adapter. This could prevent
            accessing files on a network server, or resolving host names or
            network addresses, if you are capturing in monitor mode and are
            not connected to another network with another adapter.

            This flag will affect the output of the -L flag. If -I isn't
            specified, only those link-layer types available when not in
            monitor mode will be shown; if -I is specified, only those
            link-layer types available when in monitor mode will be shown.

So I tried -I:

# tcpdump -Ii wlan0 -y IEEE802_11_RADIO
tcpdump: wlan0 is not a monitor mode VAP
To create a new monitor mode VAP use:
  ifconfig wlan1 create wlandev ath0 wlanmode monitor
and use wlan1 as the tcpdump interface
#

Okay, let's create wlan1 as suggested:

# ifconfig wlan1 create wlandev ath0 wlanmode monitor
wlan1: Ethernet address: dc:9f:db:6a:3e:9e
# ifconfig wlan1
wlan1: flags=8802 metric 0 mtu 1500
        ether dc:9f:db:6a:3e:9e
        media: IEEE 802.11 Wireless Ethernet autoselect (autoselect)
        status: no carrier
        ssid "" channel 4 (2427 MHz 11g) regdomain FCC3 country US indoor ecm
        authmode OPEN privacy OFF txpower 30 scanvalid 60 protmode CTS wme
        burst bintval 0
#

See subtle difference between wlan0 and wlan1.

Still no success (but new error):

# tcpdump -Ii wlan1 -y IEEE802_11_RADIO
wlan1: promiscuous mode enabled
tcpdump: data link type IEEE802_11_RADIO
tcpdump: WARNING: wlan1: no IPv4 address assigned
ar5416StopDmaReceive: dma failed to stop in 10ms AR_CR=0x00000024 AR_DIAG_SW=0x42000020
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan1, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 65535 bytes
ar5416StopDmaReceive: dma failed to stop in 10ms AR_CR=0x00000024 AR_DIAG_SW=0x42000020
ar5416StopDmaReceive: dma failed to stop in 10ms AR_CR=0x00000024 AR_DIAG_SW=0x42000020
ar5416StopDmaReceive: dma failed to stop in 10ms AR_CR=0x00000024 AR_DIAG_SW=0x42000020
ar5416StopDmaReceive: dma failed to stop in 10ms AR_CR=0x00000024 AR_DIAG_SW=0x42000020
ar5416StopDmaReceive: dma failed to stop in 10ms AR_CR=0x00000024 AR_DIAG_SW=0x42000020
ar5416StopDmaReceive: dma failed to stop in 10ms AR_CR=0x00000024 AR_DIAG_SW=0x42000020
ar5416StopDmaReceive: dma failed to stop in 10ms AR_CR=0x00000024 AR_DIAG_SW=0x42000020
ar5416StopDmaReceive: dma failed to stop in 10ms AR_CR=0x00000024 AR_DIAG_SW=0x42000020
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
ar5416StopDmaReceive: dma failed to stop in 10ms AR_CR=0x00000024 AR_DIAG_SW=0x42000020
wlan1: promiscuous mode disabled
#

I also tried to do mixed version of both wlan0 and wlan1:

# ifconfig wlan0 destroy
# ifconfig wlan0 create wlandev ath0 wlanmode monitor
wlan0: Ethernet address: dc:9f:db:6a:3e:9e
# ifconfig wlan0 monitor
# ifconfig wlan0 channel 4
# ifconfig wlan0 up
ar5416PerCalibrationN: NF calibration didn't finish; delaying CCA
#
# ifconfig wlan0
wlan0: flags=48843 metric 0 mtu 1500
        ether dc:9f:db:6a:3e:9e
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11ng
        status: running
        ssid "" channel 4 (2427 MHz 11g ht/40+) bssid dc:9f:db:6a:3e:9e
        regdomain FCC3 country US indoor ecm authmode OPEN privacy OFF
        txpower 30 scanvalid 60 protmode CTS ampdulimit 8k ampdudensity 8
        shortgi wme burst
#

But no success:

# tcpdump -Ii wlan0 -y IEEE802_11_RADIO
wlan0: promiscuous mode enabled
tcpdump: data link type IEEE802_11_RADIO
tcpdump: WARNING: wlan0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 65535 bytes
^C
0 packets captured
wlan0: promiscuous mode disabled
0 packets received by filter
0 packets dropped by kernel
#
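An added example, not from the list post above and not code from FreeBSD's ath or net80211: a small Python parser for the text that tcpdump prints for an IEEE802_11_RADIO capture, run over the six frame lines quoted in the post. It splits frames into ones the interface transmitted itself (lines carrying a "tx power" radiotap field, which the ath driver attaches to its own transmissions) and ones it received (lines carrying "signal"/"noise" fields), and tallies received probe requests by the SSID they ask for, treating an empty SSID as a wildcard probe. The line layout and the three management subtypes handled are assumed from that quoted output; the banner line in the sample is constructed and is skipped by the parser.

```python
import re
from collections import Counter

# One frame line as tcpdump prints it with -y IEEE802_11_RADIO. Layout
# assumed from the capture quoted in the post: radiotap fields first
# (tsft, rate, then EITHER a tx power field OR signal/noise fields,
# antenna, frequency, PHY, optional HT info), then the management
# subtype and the SSID in parentheses. Anything after that is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<tsft>\d+)us tsft "
    r"(?P<rate>[\d.]+) Mb/s "
    r"(?:(?P<txpower>-?\d+)dBm tx power"
    r"|(?P<signal>-?\d+)dB signal (?P<noise>-?\d+)dB noise) "
    r"antenna (?P<antenna>\d+) "
    r"(?P<freq>\d+) MHz (?P<phy>\S+) "
    r"(?:(?P<ht>ht/\S+) )?"
    r"(?P<subtype>Probe Request|Probe Response|Beacon) "
    r"\((?P<ssid>[^)]*)\)"
)

WILDCARD = "<wildcard>"  # label for an empty SSID, i.e. a broadcast probe request

# Constructed sample: a tcpdump banner line followed by the six frame
# lines from the capture quoted in the post.
SAMPLE = "\n".join([
    "listening on wlan0, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 65535 bytes",
    "18:56:23.803065 9838362989us tsft 1.0 Mb/s 60dBm tx power antenna 0 2427 MHz 11g Probe Request () [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit]",
    "18:56:23.994159 9838553735us tsft 1.0 Mb/s -75dB signal -96dB noise antenna 1 2427 MHz 11g Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]",
    "18:56:23.995089 9838554678us tsft 1.0 Mb/s -75dB signal -96dB noise antenna 1 2427 MHz 11g Probe Request (Y!Office) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]",
    "18:56:23.995979 9838555575us tsft 1.0 Mb/s -75dB signal -96dB noise antenna 1 2427 MHz 11g Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]",
    "18:56:24.002484 9838562077us tsft 1.0 Mb/s -76dB signal -96dB noise antenna 1 2427 MHz 11g Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]",
    "18:56:24.016082 9838576006us tsft 1.0 Mb/s 60dBm tx power antenna 0 2427 MHz 11g ht/40+ Probe Request () [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit]",
])


def parse_radiotap_line(line):
    """Return a dict for one frame line, or None for anything else
    (tcpdump banners, kernel messages, frame subtypes not handled here)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    # A tx power field means the driver tagged this frame as one the
    # interface sent itself; signal/noise fields mean it was received.
    direction = "tx" if d["txpower"] is not None else "rx"
    return {
        "time": d["ts"],
        "rate_mbps": float(d["rate"]),
        "direction": direction,
        "signal_dbm": int(d["signal"]) if d["signal"] else None,
        "noise_dbm": int(d["noise"]) if d["noise"] else None,
        "antenna": int(d["antenna"]),
        "freq_mhz": int(d["freq"]),
        "ht": d["ht"],
        "subtype": d["subtype"],
        "ssid": d["ssid"] or WILDCARD,
    }


def summarize_capture(text):
    """Parse a block of tcpdump output and count frames by direction,
    by subtype, and received probe requests by requested SSID."""
    frames = [f for f in (parse_radiotap_line(ln) for ln in text.splitlines()) if f]
    by_dir = Counter(f["direction"] for f in frames)
    by_subtype = Counter(f["subtype"] for f in frames)
    rx_probes = Counter(f["ssid"] for f in frames
                        if f["subtype"] == "Probe Request" and f["direction"] == "rx")
    return {
        "frames": len(frames),
        "tx": by_dir["tx"],
        "rx": by_dir["rx"],
        "subtypes": dict(by_subtype),
        "rx_probe_ssids": dict(rx_probes),
    }


if __name__ == "__main__":
    for key, val in summarize_capture(SAMPLE).items():
        print(f"{key}: {val}")
```

Run over the quoted capture this reports 2 transmitted and 4 received frames, all probe requests, with three of the received ones being wildcard probes and one asking for "Y!Office"; feeding it `tcpdump -y IEEE802_11_RADIO` output from a monitor VAP gives the same breakdown for a live capture.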