Using ath10k for WiFi capturing non-11ac traffic

Michal Kazior michal.kazior at tieto.com
Mon Apr 13 22:38:03 PDT 2015


On 6 April 2015 at 21:49, Amato Carbonara <acarbonara13 at gmail.com> wrote:
> Hello,
>   I have installed a WiFi adapter with the Qualcomm-Atheros QCA-9880
> chipset using the ath10k drivers.  I am using this WiFi adapter to
> capture WLAN traffic.  The recommended firmware for capturing WiFi
> traffic is 10.1.467.2-1 per the website.  See the following link:
> https://wireless.wiki.kernel.org/en/users/drivers/ath10k/monitor

Generally the 10.x line is preferred for sniffing. You could also try 10.2.4.


> I have successfully installed the above firmware and have been using
> the adapter/driver to capture and decrypt all 802.11ac traffic.
> However, I have noticed some strange behavior when trying to decrypt
> other types of traffic such as:
>   1) 802.11a = not able to decrypt any traffic
>   2) 802.11n at 20MHz = able to decrypt only partial traffic
>   3) 802.11n at 40MHz = able to decrypt only partial traffic
>
> I have tried using the different "iw" and "iwconfig" commands to set
> the frequency and channel bandwidth (for example, iw dev wlan1 set
> freq 5180 HT20).  Has anyone else seen this issue of not being able to
> decrypt all/some of the WiFi traffic?

`iwconfig` is an old program. You shouldn't use it. Just stick with `iw`.

To decrypt traffic you need to see the keying handshake (both after
association and later for each rekeying). If the sniffer misses that you
won't be able to decipher data either from the start or you'll stop
being able to decrypt multicast data after GTK rekeying.

Another thing is I've had numerous random problems with Wireshark
refusing to decrypt frames reliably. I recall some older version would
get stuck and need the key configuration (in the preferences window) to be
re-applied or the decrypt checkbox to be re-checked. YMMV.


Michał
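
An added example, not part of the original message or of ath10k: a check of which keying-handshake messages a capture contains per station, since a missed 4-way handshake or GTK rekey is the usual reason decryption fails. It assumes WPA2/RSN key-information flags and EAPOL frames already extracted from the capture; the function names, addresses and sample frames are constructed for illustration.

```python
import struct

# Key Information bits of an EAPOL-Key frame (IEEE 802.11 RSN).
PAIRWISE, ACK, MIC, SECURE = 0x0008, 0x0080, 0x0100, 0x0200

def classify(eapol):
    """Name one EAPOL-Key frame: M1-M4 (4-way), G1/G2 (group rekey), else None."""
    if len(eapol) < 7 or eapol[1] != 3:           # packet type 3 = EAPOL-Key
        return None
    (info,) = struct.unpack_from(">H", eapol, 5)  # follows header + descriptor type
    ack, mic, secure = (bool(info & b) for b in (ACK, MIC, SECURE))
    if info & PAIRWISE:
        if ack:
            return "M3" if mic else "M1"
        # Assumption: WPA2/RSN, where M4 has Secure set and M2 does not.
        return ("M4" if secure else "M2") if mic else None
    return ("G1" if ack else "G2") if mic else None

def handshake_report(frames):
    """frames: (src, dst, eapol_bytes) tuples in capture order, keyed by station."""
    seen = {}
    for src, dst, eapol in frames:
        msg = classify(eapol)
        if msg:
            # Frames with Key Ack set come from the AP, so the station is dst.
            sta = dst if msg in ("M1", "M3", "G1") else src
            seen.setdefault(sta, []).append(msg)
    return {sta: {"missing": [m for m in ("M1", "M2", "M3", "M4") if m not in msgs],
                  "group_rekeys": msgs.count("G1")}
            for sta, msgs in seen.items()}

def sample(info):
    """Constructed EAPOL-Key frame (95-byte body, zeroed nonce/MIC) for the demo."""
    return bytes([2, 3]) + struct.pack(">H", 95) + bytes([2]) \
        + struct.pack(">HH", info, 16) + bytes(90)

AP, STA_A, STA_B = "ap", "sta-a", "sta-b"         # constructed addresses
CAPTURE = [                                        # constructed capture
    (AP, STA_A, sample(0x008A)), (STA_A, AP, sample(0x010A)),
    (AP, STA_A, sample(0x13CA)), (STA_A, AP, sample(0x030A)),
    (AP, STA_B, sample(0x13CA)), (STA_B, AP, sample(0x030A)),  # M1/M2 missed
    (AP, STA_A, sample(0x1382)), (STA_A, AP, sample(0x0302)),  # GTK rekey
]

if __name__ == "__main__":
    for sta, info in handshake_report(CAPTURE).items():
        print(sta, info)
```

A station with entries in "missing" joined before the sniffer was listening on its channel, or the sniffer dropped those frames.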


