4

I have two wireless interfaces: one has type AP and the other has type monitor.

The AP is attached to a bridge, br-lan.

When I run for example:

tcpdump port 5201 -s 0 -ni wlan0

tcpdump is not able to capture any traffic, while if I run it without the "port 5201" filter it captures everything. It is the same situation if I filter only on "udp": it is not able to capture a single packet.

When I run it on the br-lan interface using the exact same filter:

tcpdump port 5201 -s 0 -ni br-lan

it works perfectly, as I want, but the problem is that I'm not able to get the radiotap header in this case, since it treats the bridge as an Ethernet interface.

What's the solution in this case? Is there any format to specify the filter for link type IEEE802_11_Radio? Is there any specific tool to do that with wireless adapters?

Thanks in advance.

Update

What caused this issue is the WDS (Wireless Distribution System) enabled on the station device (my scenario is two devices with OpenWrt in infrastructure mode). As soon as I reconfigured my station device not to use WDS, tcpdump worked correctly, as I wanted. Still, the real explanation of why this happened is unknown.

If someone knows the reason, or knows how to filter the traffic in WDS mode, please mention it in the answers, since I've lost a feature by disabling WDS.

6
  • "TCPdump is not able to capture any traffic while if I run it without the "udp" filter it captures everything". In the example you give, where you say it's "not able to capture any traffic", you're not running it with "udp" as a filter; do you mean "run it without a filter", i.e. tcpdump -s 0 -ni wlan0?
    – user164970
    Commented Apr 24, 2015 at 19:35
  • Yeah, I meant without the port or udp filter, i.e. exactly as you wrote: tcpdump -s 0 -ni wlan0. I wrote this because even if I filter on "udp" it won't capture any traffic. I will edit the question. Thanks.
    – Alberto
    Commented Apr 24, 2015 at 23:10
  • So what happens if you use the filter "type data"? What does it print? Does it print anything recognizable as IP traffic, or just a bunch of "Data IV:xxx Pad yyy KeyID zzz" for various values of xxx, yyy, and zzz?
    – user164970
    Commented Apr 24, 2015 at 23:38
  • I think I'm able to get recognizable IP traffic. For example, this is what I got when pinging the device that is sniffing, with filter "type data": 23:58:13.016176 36.0 Mb/s [bit 15] CF +QoS IP 192.168.1.1 > 192.168.1.100: ICMP echo reply, id 42500, seq 9, length 64
    – Alberto
    Commented Apr 27, 2015 at 8:38
  • So do you see any UDP traffic with "type data" at a time when you know for certain that there's UDP traffic on your network?
    – user164970
    Commented Apr 27, 2015 at 17:50
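The question and the comments above turn on where a port filter has to look inside an 802.11 frame. The following is an added example, not code from the question, the answer, tcpdump or OpenWrt. It walks a radiotap-encapsulated data frame the way a capture filter must: read the radiotap length, compute the 802.11 MAC header length from the frame-control field (24 bytes, plus 6 when both ToDS and FromDS are set as in 4-address WDS frames, plus 2 for QoS data), skip the LLC/SNAP header, then read the UDP ports. It also shows two ways such a filter comes back empty: a parser that assumes a fixed 24-byte header (it misses every QoS and 4-address frame), and a frame with the Protected bit set, where the ports are not visible at all (the "Data IV ... KeyID" output mentioned in the comments). Every frame is constructed inline; the MAC addresses, IP addresses, port and the empty 8-byte radiotap header are assumptions, and the page does not establish which of these cases applied in the asker's WDS setup.

```python
"""Added example (not from the question, the answer, or tcpdump/OpenWrt):
find the UDP ports inside radiotap-encapsulated 802.11 data frames, the
way a capture filter must, including 4-address (WDS) and QoS frames.
Pure Python; every frame below is constructed by hand, not captured."""
import struct

PORT = 5201                                     # assumed target port (iperf3)
LLC_SNAP_IPV4 = bytes.fromhex("aaaa030000000800")


def ieee80211_header_len(fc: int) -> int:
    """802.11 MAC header length from the little-endian frame-control field.

    Data frames start at 24 bytes; both ToDS and FromDS set (4-address,
    used by WDS) adds Address 4 (6 bytes); a QoS data subtype adds the
    2-byte QoS Control field. Returns -1 for non-data frames."""
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    flags = fc >> 8
    if ftype != 2:
        return -1
    hlen = 24
    if flags & 0x01 and flags & 0x02:           # ToDS and FromDS both set
        hlen += 6
    if subtype & 0x08:                          # QoS data subtypes
        hlen += 2
    return hlen


def udp_ports(frame: bytes, assume_fixed_header: bool = False):
    """Return ((sport, dport), "ok") or (None, reason) for one radiotap frame.

    assume_fixed_header=True mimics a naive filter that always skips 24
    bytes of 802.11 header, to show what such a filter misses."""
    if len(frame) < 4:
        return None, "truncated radiotap header"
    rt_len = struct.unpack_from("<H", frame, 2)[0]   # radiotap length, LE
    dot11 = frame[rt_len:]
    if len(dot11) < 2:
        return None, "no 802.11 header"
    fc = struct.unpack_from("<H", dot11, 0)[0]
    if (fc >> 8) & 0x40:                        # Protected Frame bit
        return None, "encrypted payload, ports not visible"
    hlen = 24 if assume_fixed_header else ieee80211_header_len(fc)
    if hlen < 0:
        return None, "not a data frame"
    body = dot11[hlen:]
    if body[:8] != LLC_SNAP_IPV4:
        return None, "no LLC/SNAP IPv4 header at offset %d" % hlen
    ip = body[8:]
    if len(ip) < 20 or ip[9] != 17:             # IPv4 protocol field: 17 = UDP
        return None, "not UDP"
    ihl = (ip[0] & 0x0F) * 4
    sport, dport = struct.unpack_from("!HH", ip, ihl)
    return (sport, dport), "ok"


def matches_port(frame: bytes, port: int = PORT, **kw) -> bool:
    """Equivalent of the 'udp port N' filter for one frame."""
    ports, _ = udp_ports(frame, **kw)
    return ports is not None and port in ports


def build_frame(four_addr: bool, qos: bool, protected: bool = False) -> bytes:
    """Construct a radiotap + 802.11 data frame carrying UDP to PORT.
    Addresses, IPs and the empty 8-byte radiotap header are assumptions."""
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)  # version, pad, length, present
    fc = (2 << 2) | ((0x8 if qos else 0x0) << 4)  # type data, subtype (QoS) data
    flags = (0x03 if four_addr else 0) | (0x40 if protected else 0)
    hdr = struct.pack("<HH", fc | (flags << 8), 0)   # frame control, duration
    hdr += bytes.fromhex("020000000001020000000002020000000003")  # addr1-3
    hdr += struct.pack("<H", 0)                 # sequence control
    if four_addr:
        hdr += bytes.fromhex("020000000004")    # addr4, present only in WDS frames
    if qos:
        hdr += struct.pack("<H", 0)             # QoS control
    udp = struct.pack("!HHHH", 40000, PORT, 12, 0) + b"ping"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 168, 1, 100]), bytes([192, 168, 1, 1])) + udp
    payload = LLC_SNAP_IPV4 + ip
    if protected:                               # 8-byte CCMP header + opaque ciphertext stand-in
        payload = bytes(8) + bytes(len(payload))
    return radiotap + hdr + payload


SAMPLES = {                                     # constructed, not captured
    "3-address data": build_frame(False, False),
    "3-address QoS data": build_frame(False, True),
    "4-address (WDS) QoS data": build_frame(True, True),
    "3-address QoS data, protected": build_frame(False, True, protected=True),
}


def filter_report(assume_fixed_header: bool = False) -> dict:
    """Which sample frames the port filter can resolve, with the reason."""
    return {name: udp_ports(f, assume_fixed_header) for name, f in SAMPLES.items()}


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed 24-byte header:" if fixed else "header length from frame control:")
        for name, (ports, why) in filter_report(fixed).items():
            print("  %-32s %s %s" % (name, ports, why))
```

On a real adapter the corresponding capture is tcpdump -I -i wlan0 -y IEEE802_11_RADIO 'type data and udp port 5201' (-I is the same as --monitor-mode, and tcpdump -L -i wlan0 lists the link types an interface offers), assuming the driver supports monitor mode. Comparing what 'type data' alone shows against what the port filter returns, as the comments suggest, tells you whether the frames are simply encrypted on the air or whether the filter is not finding the IP header where it expects it.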

1 Answer

0

I'm thinking that your traffic didn't have anything on port 5201, or any UDP traffic. As for the header, tcpdump does have a "--monitor-mode" switch. Try that. It's supposed to drive a wireless interface into monitor mode, which is what you'll want to "see" the wireless info.

Whether or not --monitor-mode will work depends on a number of things: your wireless NIC will need to support monitor mode, tcpdump needs to be of a recent version, and your kernel drivers need to support the NIC properly (i.e., sometimes you need to build a specific driver which isn't part of a standard install).

Also, depending on the version of tcpdump, you might be able to drop the "-s 0" portion of your command. If you leave it off, tcpdump defaults to a snap length of 262144 bytes (okay, I had to look that up). Setting the snap length to "0" accomplishes the same thing.
