tcpdump does not decode Prism radio header (wireless interface)

Please update the version of tcpdump that's included in the WAC720 and WAC510 access points (and other WiFi routers/access points). The version currently installed relies on a buggy libpcap that incorrectly processes the Prism radio header. As a result, running a packet capture on the radio interface results in undecodable frames. Please note that the problem is in the pcap library, not tcpdump (the pcap library is statically linked into tcpdump). This is the version of tcpdump currently installed:

# tcpdump -V
tcpdump version 3.9.8
libpcap version 1.1.1


This is what happens when the current version of tcpdump is run on a radio interface (notice the decodes are useless):

# tcpdump -i mon0 -n

tcpdump: WARNING: mon0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on mon0, link-type PRISM_HEADER (802.11 plus Prism header), capture size 96 bytes
16:25:39.368772 [|802.11]
16:25:39.395357 [|802.11]
16:25:39.396201 [|802.11]
16:25:39.408759 [|802.11]
16:25:39.415976 [|802.11]
16:25:39.416788 [|802.11]
16:25:39.448778 [|802.11]

This is an updated version of tcpdump:

# /tmp/tcpdump -V
tcpdump version 4.7.4
libpcap version 1.7.3


This is what happens if I use an updated version of tcpdump (notice the decodes are sensible):

# /tmp/tcpdump -i mon0 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on mon0, link-type PRISM_HEADER (802.11 plus Prism header), capture size 262144 bytes
16:26:44.309540 Probe Request (Carioca_5G) [6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 Mbit]
16:26:44.319537 Probe Request (Carioca_5G) [6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 Mbit]
16:26:49.047216 Probe Request () [6.0* 9.0 12.0* 18.0 24.0* 36.0 48.0 54.0 Mbit]
16:26:49.048028 Acknowledgment RA:9c:3d:cf:ea:67:69
16:26:49.087172 Probe Request () [6.0* 9.0 12.0* 18.0 24.0* 36.0 48.0 54.0 Mbit]
16:26:49.088047 Acknowledgment RA:9c:3d:cf:ea:67:69
16:26:49.127191 Probe Request () [6.0* 9.0 12.0* 18.0 24.0* 36.0 48.0 54.0 Mbit]
16:26:49.127972 Acknowledgment RA:9c:3d:cf:ea:67:69

You can download the updated version of tcpdump using this command: curl -k -o /tmp/tcpdump https://raw.githubusercontent.com/andrew-d/static-binaries/master/binaries/linux/arm/tcpdump
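For readers who want to see what the `[|802.11]` decodes above are hiding, here is a small added decoder for the DLT_PRISM_HEADER framing the post refers to (example code, not part of the original post or of tcpdump). It assumes the fixed 144-byte wlan-ng Prism header layout (msgcode, msglen, devname, ten did/status/len/data items) in little-endian host order, and builds a constructed sample record carrying a Probe Request for the SSID seen in the working capture.

```python
import struct

# wlan-ng Prism header preceding each 802.11 frame in a DLT_PRISM_HEADER capture:
# msgcode, msglen, devname[16], then ten 12-byte items (did, status, len, data).
# Fields are in the capturing host's byte order; little-endian is assumed here.
PRISM_HDR_LEN = 144
PRISM_ITEM = struct.Struct("<IHHI")
ITEM_NAMES = ("hosttime", "mactime", "channel", "rssi", "sq",
              "signal", "noise", "rate", "istx", "frmlen")
MGMT_SUBTYPES = {4: "Probe Request", 5: "Probe Response", 8: "Beacon"}

def parse_prism_frame(buf):
    """Decode the Prism header and classify the 802.11 frame behind it."""
    if len(buf) < PRISM_HDR_LEN + 24:
        # This is what tcpdump's [|802.11] means: no complete 802.11 header to decode
        raise ValueError("[|802.11] truncated frame")
    msgcode, msglen = struct.unpack_from("<II", buf, 0)
    if msglen != PRISM_HDR_LEN:
        raise ValueError("unexpected Prism msglen %d" % msglen)
    devname = buf[8:24].split(b"\0", 1)[0].decode("ascii", "replace")
    items = {}
    for i, name in enumerate(ITEM_NAMES):
        did, status, ilen, data = PRISM_ITEM.unpack_from(buf, 24 + i * PRISM_ITEM.size)
        if status == 0:                    # status 0 marks the item as supplied by the driver
            items[name] = data
    dot11 = buf[PRISM_HDR_LEN:]
    fc = dot11[0]                          # frame control: b0-1 version, b2-3 type, b4-7 subtype
    ftype, subtype = (fc >> 2) & 3, fc >> 4
    if ftype == 0:
        kind = MGMT_SUBTYPES.get(subtype, "Management subtype %d" % subtype)
    else:
        kind = "Control" if ftype == 1 else "Data"
    ssid = None
    if ftype == 0 and subtype in MGMT_SUBTYPES:
        body = dot11[24:] if subtype == 4 else dot11[36:]   # Beacon/ProbeResp: skip fixed fields
        pos = 0
        while pos + 2 <= len(body):        # walk information elements; element ID 0 is the SSID
            tag, ln = body[pos], body[pos + 1]
            if tag == 0:
                ssid = body[pos + 2:pos + 2 + ln].decode("utf-8", "replace")
                break
            pos += 2 + ln
    return {"devname": devname, "msgcode": msgcode, "type": kind, "ssid": ssid, **items}

def build_sample():
    """Constructed DLT_PRISM_HEADER record: Prism header plus a Probe Request for Carioca_5G."""
    hdr = struct.pack("<II16s", 0x41, PRISM_HDR_LEN, b"mon0")
    values = {"channel": 36, "signal": 210, "rate": 12}   # sample item data (constructed)
    for name in ITEM_NAMES:
        hdr += PRISM_ITEM.pack(0, 0 if name in values else 1, 4, values.get(name, 0))
    dot11 = bytes([0x40, 0x00]) + b"\x00\x00"          # FC: management / Probe Request, duration
    dot11 += b"\xff" * 6 + bytes.fromhex("9c3dcfea6769") + b"\xff" * 6 + b"\x10\x00"
    dot11 += bytes([0, 10]) + b"Carioca_5G"            # SSID information element
    return hdr + dot11
```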