First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

Monitor Mode and WiFi multicast

Hello,

I have setup a wireless interface in monitor mode as I am attempting to see multicast traffic I am sending from one device to another device over an access point. I am aware that the link from a device to the AP is always unicast and only once data reaches the AP it can be sent as multicast.

However, my capture only ever shows the retry of the multicast data fro the original source to the AP. I never see non-re-transmitted packets from source to AP and I never see any multicast data from the AP to a subscribed client. I didn't think an interface in monitor mode would need to join via IGMP. Is there a something I am missing?

Thanks!

alphonso's avatar
3
alphonso
asked 2019-08-14 18:25:14 +0000
edit flag offensive 0 remove flag close merge delete

Comments

Multicast handling in wifi can vary based on settings and hardware used. I suggest you upload a capture file so we can see what is happening at the frame level.

A wireless adapter in monitor/promiscuous mode will not need IGMP to pick up traffic in the air, as long as it is tuned to the correct channel, can manage the modulation, is close enough, etc.

If you only see retries, maybe the AP is not picking up the data at all so would then never be sent to the multicast receiver. Most drivers have a datarate selection algorithm where retries might be sent at a lower datarate; depends heavily on the driver. This could explain why you don't see the original, but perhaps can see the retries - you can't pick up the highest modulation frames, but can pick up lower ones.

Bob Jones's avatar Bob Jones (2019-08-14 20:45:57 +0000) edit
more
  • delete

Sure, here is a capture:

https://drive.google.com/open?id=1rgc...

My example has me sending out a packet to 224.1.1.18 every 0.5 seconds. In the payload I have the packet serialized starting with 1, and some time stamps. At 18.5 seconds in (Wireshark No. 929) I get my first instance of retransmission with my serial number 64. Then again at 24.5 seconds with Wireshark packet 1238 and my 76, which that same packet was then retried again at Wireshark packet 1242. My monitor mode WiFi interface was within feet of the AP.

alphonso's avatar alphonso (2019-08-14 21:03:29 +0000) edit
more
  • delete
add a comment see more comments

1 Answer

0

For the sample trace, apply this filter: 

wlan.addr == c8:3d:d4:a0:94:45

Look right before the referenced multicast frame at 929; see all of the CTS and Block ACK frames? Each of these pairs is very likely a successful unicast frame transfer between client and AP that your capture system did not pick up. Signal strength is OK, so I bet client/AP are using 802.11n modulations but your adapter is only picking up 802.11bg. Until retries drop modulation/datarate to levels that your capture system can pick up, you will continue to miss the bulk of your data traffic.

image description

The beacon for this network indicates that it is HT capable with LDPC support, SGI, 2SS. You can either try a different capture adapter or reduce the datarates on the AP by disabling 802.11n support as a test. Then you should see the bulk of the traffic, as you expect.

Bob Jones's avatar
1.5k
Bob Jones
answered 2019-08-14 21:25:30 +0000
edit flag offensive 0 remove flag delete link
more

Comments

Alright that makes a lot of sense. I will definitely give that a go. Thank you so much for your quick responses. Sometimes you go so deep you forget the obvious things.

alphonso's avatar alphonso (2019-08-14 21:31:02 +0000) edit
more
  • delete

If/when the answer is sufficient, please accept for others to know the issue is resolved.

Bob Jones's avatar Bob Jones (2019-08-14 21:35:01 +0000) edit
more
  • delete

Absolutely. I'll test this out in the morning and follow up with appropriate actions.

alphonso's avatar alphonso (2019-08-14 21:36:13 +0000) edit
more
  • delete
add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer