
Monitor mode - suggestions

Open gpotter2 opened this issue 7 years ago • 4 comments

Hi !

Very nice project, a few remarks:

  • on OSX, our latest versions auto-start monitor mode using a trick used in tcpdump https://github.com/secdev/scapy/blob/master/scapy/arch/bpf/supersocket.py You need to check what I say, but monitor=True should be enough on OSX, so you don’t have to use your dirty tricks

  • There are some useful functions, such as

>>> get_if_list()
['tun0', 'enp0s3', 'lo']

or consts

scapy.consts.DARWIN
scapy.consts.LINUX

to help you reduce your metrics.

We should be merging soon the RadioTap dbm fix, sorry for the wait

gpotter2 avatar May 11 '18 15:05 gpotter2

Hey @gpotter2, thanks for the suggestions! Ya, definitely looking forward to that RadioTap fix.

So about the OSX monitor mode, I'm glad you brought that up. I've tried the monitor=True, and it works well. But there is one problem (for my uses) - while it does put the interface in monitor mode, it doesn't fully disable managed mode, so I can't switch channels. This can be seen using the airport command like this:

In one terminal:

>>> import scapy.all as scapy
>>> scapy.sniff(iface='en0', prn=lambda p: p.summary(), monitor=True)

In another terminal (after running the above):

$ /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I
     agrCtlRSSI: -62
     agrExtRSSI: 0
    agrCtlNoise: -93
    agrExtNoise: 0
          state: running
        op mode: station monitor
     lastTxRate: 216
        maxRate: 400
lastAssocStatus: 0
    802.11 auth: open
      link auth: none
          BSSID: 82:2a:a8:55:71:15
           SSID: colectivo
            MCS: 5
        channel: 157,1

As you can see, the op mode is station monitor. And when I try switching to a different channel, it doesn't work:

bash-4.4# /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport --channel=6
bash-4.4# /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I
     agrCtlRSSI: -62
     agrExtRSSI: 0
    agrCtlNoise: -93
    agrExtNoise: 0
          state: running
        op mode: station monitor
     lastTxRate: 135
        maxRate: 400
lastAssocStatus: 0
    802.11 auth: open
      link auth: none
          BSSID: 82:2a:a8:55:71:15
           SSID: colectivo
            MCS: 7
        channel: 157,1

However, when I do that horribly dirty hack (running /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport sniff en0), it completely disables station mode and allows me to switch channels. You can see below that the op mode is just monitor (after running this airport sniff en0 1 command):

bash-4.4# /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport --channel=6
bash-4.4# /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I
     agrCtlRSSI: 0
     agrExtRSSI: 0
    agrCtlNoise: 0
    agrExtNoise: 0
          state: init
        op mode: monitor
     lastTxRate: 0
        maxRate: 0
lastAssocStatus: 65535
    802.11 auth: open
      link auth: none
          BSSID: 0:0:0:0:0:0
           SSID:
            MCS: -1
        channel: 6

And, as you can see, channel switching works.

I haven't had time yet to try to determine what the airport command is doing differently to fully disable station (managed) mode. If you have any ideas, let me know. If I find anything interesting, I'll definitely share it with you guys - it could be a nice little enhancement to scapy. I'm not sure about other use cases, but I think others might benefit from being in fully non-managed mode when sniffing in monitor mode.

Btw, I appreciate all your work on scapy - it's one of my favorite libraries.

calebmadrigal avatar May 11 '18 16:05 calebmadrigal
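The difference calebmadrigal describes above (op mode "station monitor" versus plain "monitor", and --channel= only taking effect in the latter) is easy to verify before starting a capture. The following is an added example, not trackerjacker's or scapy's own code: it parses `airport -I` output into a dict, reads the primary channel, and reports why the interface is not ready for channel hopping. It assumes the `airport` path and the `key: value` output format exactly as pasted in this thread; the two embedded samples are trimmed copies of the captures above, and all function names are mine.

```python
"""Check whether a macOS Wi-Fi interface is in a monitor mode that honours
channel changes, by parsing `airport -I` output (added example, not part
of trackerjacker or scapy; path and output format assumed from the thread)."""
import re
import subprocess
import sys
from typing import Dict, List, Optional

# Path as used in the thread; it is not on PATH by default.
AIRPORT = "/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport"

# Constructed samples, trimmed from the two `airport -I` captures in the
# thread: after scapy's monitor=True alone, and after `airport sniff en0`.
STATION_MONITOR_SAMPLE = """\
     agrCtlRSSI: -62
          state: running
        op mode: station monitor
lastAssocStatus: 0
          BSSID: 82:2a:a8:55:71:15
           SSID: colectivo
        channel: 157,1
"""

MONITOR_SAMPLE = """\
     agrCtlRSSI: 0
          state: init
        op mode: monitor
lastAssocStatus: 65535
          BSSID: 0:0:0:0:0:0
           SSID:
        channel: 6
"""


def parse_airport_info(text: str) -> Dict[str, str]:
    """Turn `airport -I` output into a dict keyed by field name ('op mode',
    'channel', ...). Lines without a colon are skipped; an empty value
    (the SSID line in pure monitor mode) becomes ''."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")  # BSSID keeps its own colons
        info[key.strip()] = value.strip()
    return info


def current_channel(info: Dict[str, str]) -> Optional[int]:
    """Primary channel as an int: 'channel: 157,1' is read as 157. The part
    after the comma is assumed to be secondary-channel info and is ignored."""
    match = re.match(r"(\d+)", info.get("channel", ""))
    return int(match.group(1)) if match else None


def can_switch_channel(info: Dict[str, str]) -> bool:
    """The thread shows --channel= being ignored in 'station monitor' and
    honoured in plain 'monitor', so plain 'monitor' is the state required."""
    return info.get("op mode") == "monitor"


def readiness_problems(info: Dict[str, str], want_channel: Optional[int] = None) -> List[str]:
    """Reasons the interface is not ready for channel hopping; [] means ready."""
    problems: List[str] = []
    if not can_switch_channel(info):
        problems.append(
            f"op mode is {info.get('op mode')!r}, expected 'monitor'; "
            "channel changes are ignored while the station side is still up"
        )
    if want_channel is not None and current_channel(info) != want_channel:
        problems.append(f"on channel {current_channel(info)}, expected {want_channel}")
    return problems


def live_airport_info() -> Dict[str, str]:
    """Run `airport -I` on this machine (macOS only) and parse it."""
    if sys.platform != "darwin":
        raise RuntimeError("airport is a macOS-only tool")
    out = subprocess.run([AIRPORT, "-I"], capture_output=True, text=True, check=True).stdout
    return parse_airport_info(out)


if __name__ == "__main__":
    # Offline demonstration on the two captures from the thread.
    for name, sample in (("monitor=True", STATION_MONITOR_SAMPLE), ("airport sniff", MONITOR_SAMPLE)):
        print(name, readiness_problems(parse_airport_info(sample), want_channel=6) or "ready")
```

Run it as a script to see the two captures classified; on a Mac, `readiness_problems(live_airport_info(), want_channel=N)` gives the same check against the real interface, which is a cheap guard to put in front of any channel-hopping loop so that a silently ignored channel change does not produce a capture of the wrong channel.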

Hi !

It would be great if you could submit an issue for the “managed monitor mode issue”, on the scapy issues page

I can’t guarantee you that we’ll find a fix, as I’m not the OSX expert of scapy, but it’s definitely a bug that should be reported...

gpotter2 avatar May 11 '18 16:05 gpotter2

@calebmadrigal Hi, we just released 2.4.2.

It sadly doesn’t have any monitor mode fixes, but it will break the ‘notdecoded’ hack, as the field will now be populated.

gpotter2 avatar Jan 15 '19 18:01 gpotter2

guedou commented about 1 hour ago

Sorry for the looong delay. I do not boot macOS often ...

This behavior is expected: the station monitor mode is used to sniff raw 802.11 frames. Sniffing with tcpdump -I does exactly the same. When sniff() stops, the mode goes back to station.

gpotter2 avatar Jun 15 '19 10:06 gpotter2