Revision history
wifi monitor decrypt problem
Hello
I am trying to debug a connection problem with an Arduino using WiFi. Specifically, I am trying to resolve an MQTT error; however, in that effort I can't get to the point where I can debug the problem via decoding third-party devices.
I have used the wiki to create a monitor interface. I have added my keyphrase:ssid pair in 802.11 keys. I have turned the Arduino device off and on so that it rejoins the network in an effort to capture the EAPOL handshaking sequence. I can't see decoded frames in Wireshark, so perhaps I am not capturing the EAPOL sequence.
If I add eapol to the display filter, the capture shows two frames. Both have the router as the src and the Arduino as the destination. The frame info for these two frames says Message 1 of 4 and Message 3 of 4. The other two don't show up. Is this a problem?
EDIT to show more detail about my setup.
This is the script I use to bring up mon0:

```bash
#!/bin/bash
# From wireshark wiki.
#ORIG DEFAULT_WIPHY=phy0
DEFAULT_WIPHY=wlx00c0ca6d23eb
#DEFAULT_WIPHY=wlp4s0
#ORIG WIPHY=${1:-$DEFAULT_WIPHY}
WIPHY=${DEFAULT_WIPHY}
DEFAULT_MONIF=mon0
#ORIG MONIF=${2:-$DEFAULT_MONIF}
MONIF=${DEFAULT_MONIF}
# The original src gives a valid reason to
# have the channels to be the same.
DEFAULT_CHANNEL=6
#sudo ip link set "$MONIF" down
echo "Setting up wifi monitor interface on $WIPHY"
# This iw command can only be done once.
# The command below runs once and creates the mon0 interface. I've
# tried with software to remove the mon0 interface and redo the command
# without an error. I never could do that. The only way is to remove
# the usb connection or reboot.
sudo iw dev "$WIPHY" interface add "$MONIF" type monitor flags none control otherbss
echo "Bringing up $MONIF"
#ORIG sudo ifconfig mon0 up promisc
# I did this by accident. In case it mattered. I already had the network
# in use so no telling.
#sudo ip link set "$WIPHY" down
#JFDecho sudo ip link set "$WIPHY" up
#JFDsudo ip link set "$WIPHY" up
sudo ip link set "$WIPHY" promisc on
sudo ip link set "$MONIF" promisc on
sudo ip link set "$WIPHY" up
sudo ip link set "$MONIF" up
# Both interfaces share one radio, so both are set to the same channel.
echo "Setting wifi channel to $DEFAULT_CHANNEL"
sudo iw dev "$WIPHY" set channel "$DEFAULT_CHANNEL"
sudo iw dev "$MONIF" set channel "$DEFAULT_CHANNEL"
echo "Still need to configure interface options in Wireshark for monitor mode for $MONIF."
echo "Use capture on interface $MONIF afterwards."
echo "Some errors will generate when run twice."
echo "Verify the ssid, channel and interface names"
sudo iw dev
echo "Verify the promisc flag with these commands"
sudo ip addr show "$WIPHY"
sudo ip addr show "$MONIF"
echo "The arduino is captured using this display filter"
echo "F8:F0:5:EC:83:8"
echo "wlan.addr == F8:F0:5:EC:83:8"
```
Here is the output of the above script:

```text
Use capture on interface mon0 afterwards.
Some errors will generate when run twice.
Verify the ssid, channel and interface names
phy#3
    Interface mon0
        ifindex 11
        wdev 0x300000002
        addr 00:c0:ca:6d:23:eb
        type monitor
        txpower 30.00 dBm
    Interface wlx00c0ca6d23eb
        ifindex 10
        wdev 0x300000001
        addr 00:c0:ca:6d:23:eb
        ssid WRCNC Guest
        type managed
        channel 11 (2462 MHz), width: 20 MHz (no HT), center1: 2462 MHz
        txpower 30.00 dBm
phy#0
    Unnamed/non-netdev interface
        wdev 0x5
        addr a0:d3:7a:d9:da:b0
        type P2P-device
        txpower 0.00 dBm
    Interface phy0.mon
        ifindex 7
        wdev 0x3
        addr a0:d3:7a:d9:da:af
        type monitor
        txpower 0.00 dBm
    Interface wlp4s0
        ifindex 3
        wdev 0x1
        addr a0:d3:7a:d9:da:af
        ssid WRCNC Guest
        type managed
        channel 36 (5180 MHz), width: 40 MHz, center1: 5190 MHz
        txpower 22.00 dBm
Verify the promisc flag with these commands
10: wlx00c0ca6d23eb: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:c0:ca:6d:23:eb brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.176/24 brd 192.168.3.255 scope global dynamic noprefixroute wlx00c0ca6d23eb
       valid_lft 86366sec preferred_lft 86366sec
    inet6 fe80::e037:e7b0:9364:af07/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
11: mon0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
    link/ieee802.11/radiotap 00:c0:ca:6d:23:eb brd ff:ff:ff:ff:ff:ff
The arduino is captured using this display filter
F8:F0:5:EC:83:8
wlan.addr == F8:F0:5:EC:83:8
```
Here is the EAPOL Message 1 of 4 highlighted. Below that you see a response and then later the 3 of 4.
The markdown does not show an https url? Here is the URL for the decode screenshot. https://imgur.com/WESPxse
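An added check for the situation described in the question (example code written for this page; it is not from the original post and not part of Wireshark). Wireshark's "Message N of 4" label comes from the Key Information bits of each EAPOL-Key frame, and to derive the pairwise key it needs both the ANonce (carried in Message 1 and Message 3, sent by the AP) and the SNonce (carried only in Message 2, sent by the station). The script below parses raw 802.11 data frames that carry EAPOL-Key (radiotap header already removed, for example frames exported from an `eapol` display filter), classifies each as Message 1 to 4 from those bits, groups them per AP/station pair, and reports whether the nonces needed for decryption were captured. All MAC addresses, nonces and frames in it are constructed for the example, not captured; the builder's use of the BSSID as Address 3 in both directions is a simplification.

```python
import struct
from collections import defaultdict

# LLC/SNAP header that precedes an EAPOL (EtherType 0x888e) payload in an 802.11 data frame
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")

# EAPOL-Key "Key Information" bits used to tell the four handshake messages apart
KI_PAIRWISE, KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 0x0008, 0x0040, 0x0080, 0x0100, 0x0200


def classify_message(key_info):
    """Map Key Information bits to handshake message number 1-4 (None for group-key frames)."""
    if not key_info & KI_PAIRWISE:
        return None
    ack, mic, install, secure = (bool(key_info & b) for b in (KI_ACK, KI_MIC, KI_INSTALL, KI_SECURE))
    if ack and not mic:
        return 1            # AP -> STA: ANonce, no MIC yet
    if ack and mic and install:
        return 3            # AP -> STA: ANonce again, Install + MIC
    if not ack and mic and not secure:
        return 2            # STA -> AP: SNonce + MIC
    if not ack and mic and secure:
        return 4            # STA -> AP: confirmation, MIC only
    return None


def parse_eapol_key(frame):
    """Return transmitter, receiver, message number and nonce of an EAPOL-Key data frame, else None."""
    fc, flags = frame[0], frame[1]
    if (fc >> 2) & 0x3 != 2:            # frame type 2 = data; management/control frames are skipped
        return None
    hdr = 24
    if flags & 0x03 == 0x03:            # ToDS+FromDS: 4-address frame has an extra Address 4
        hdr += 6
    if (fc >> 4) & 0x8:                 # QoS data subtypes carry a 2-byte QoS Control field
        hdr += 2
    if frame[hdr:hdr + 8] != LLC_SNAP_EAPOL:
        return None
    eapol = frame[hdr + 8:]
    _version, ptype, length = struct.unpack("!BBH", eapol[:4])
    if ptype != 3:                      # EAPOL packet type 3 = EAPOL-Key
        return None
    body = eapol[4:4 + length]
    key_info = struct.unpack("!H", body[1:3])[0]
    return {
        "transmitter": frame[10:16].hex(":"),   # Address 2
        "receiver": frame[4:10].hex(":"),       # Address 1
        "message": classify_message(key_info),
        "nonce": body[13:45],                   # Key Nonce field
    }


def handshake_report(frames):
    """Per (AP, STA) pair: which messages were captured and whether both nonces are present."""
    seen = defaultdict(dict)
    for frame in frames:
        info = parse_eapol_key(frame)
        if not info or info["message"] is None:
            continue
        msg = info["message"]
        # M1/M3 travel AP -> STA, M2/M4 travel STA -> AP
        pair = (info["transmitter"], info["receiver"]) if msg in (1, 3) else (info["receiver"], info["transmitter"])
        seen[pair][msg] = info["nonce"]
    report = {}
    for pair, msgs in seen.items():
        # The pairwise key needs the ANonce (M1 or M3) and the SNonce (only in M2)
        decryptable = 2 in msgs and (1 in msgs or 3 in msgs)
        report[pair] = {"messages": sorted(msgs), "decryptable": decryptable}
    return report


def build_eapol_key(transmitter, receiver, bssid, key_info, nonce, to_ds):
    """Build a minimal constructed 802.11 data frame carrying one EAPOL-Key message."""
    fc = bytes([0x08, 0x01 if to_ds else 0x02])    # Data frame; ToDS or FromDS flag
    header = fc + b"\x00\x00" + receiver + transmitter + bssid + b"\x00\x00"
    body = bytes([2]) + struct.pack("!HH", key_info, 16) + b"\x00" * 8 + nonce   # descriptor, key info, key length, replay counter, nonce
    body += b"\x00" * (16 + 8 + 8 + 16) + b"\x00\x00"                           # IV, RSC, ID, MIC, Key Data Length = 0
    return header + LLC_SNAP_EAPOL + struct.pack("!BBH", 2, 3, len(body)) + body


# Constructed sample addresses and nonces (locally administered MACs, not real devices)
AP, STA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
ANONCE, SNONCE = bytes([0xAA]) * 32, bytes([0xBB]) * 32
M1 = build_eapol_key(AP, STA, AP, KI_PAIRWISE | KI_ACK, ANONCE, to_ds=False)
M2 = build_eapol_key(STA, AP, AP, KI_PAIRWISE | KI_MIC, SNONCE, to_ds=True)
M3 = build_eapol_key(AP, STA, AP, KI_PAIRWISE | KI_ACK | KI_MIC | KI_INSTALL | KI_SECURE, ANONCE, to_ds=False)
M4 = build_eapol_key(STA, AP, AP, KI_PAIRWISE | KI_MIC | KI_SECURE, bytes(32), to_ds=True)

# The situation in the question: only the AP's half of the handshake was captured
ONLY_AP_SIDE = handshake_report([M1, M3])
FULL_HANDSHAKE = handshake_report([M1, M2, M3, M4])

if __name__ == "__main__":
    for name, rep in (("AP side only", ONLY_AP_SIDE), ("full handshake", FULL_HANDSHAKE)):
        for (ap, sta), r in rep.items():
            print(f"{name}: AP {ap} <-> STA {sta}: messages {r['messages']}, decryptable={r['decryptable']}")
```

With only Message 1 and Message 3 present, the report shows the station's SNonce was never captured, which matches a monitor interface that is hearing the AP but not the station (wrong channel or band, or frames from the station not reaching the capture radio); a capture containing Message 2 alongside either AP message is reported as decryptable.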