Martin Husemann
2021-05-24 12:19:20 UTC
Hey folks,
I am slightly confused about the bpf details for wireless devices.
First (minor nit) there is a bogus diagnostic printed by tcpdump when
trying to use monitor mode (-I) for non-monitor-mode VAPs. It
tells me about the wrong mode VAP and claims:
To create a new montior mode VAP use:
ifconfig wlan1 create wlandev run0 wlanmode monitor
... which is nearly correct, but "wlan1" should be "wlan", and unfortunately
run(4) does not support multiple VAPs, so I need to destroy wlan0 first.
(I tested on 12.1)
But that cosmetic issue aside, I am confused whether tcpdump -I should
have any effect at all (and if not, whether it would be better to just
reject the request).
My understanding was that a VAP in monitor mode automatically (and
exclusively) will provide IEEE802_11_RADIO type frames (i.e. with
radiotap header via the iv_rawbpf tap, and plain ethernet frames via
the default tap), while a VAP in any other mode will only/exclusively
provide IEEE802_11 type frames (i.e. w/o radiotap header).
There is no difference in tcpdump -L output with or without -I, and also
no difference for "wlanmode monitor" and other mode VAPs. I expected
no difference with -I vs. no -I, but I did expect a difference between
a monitor mode VAP and a VAP in other modes.
So I guess I am missing some part of the picture - any hints?
Martin