Using ath10k for WiFi capturing non-11ac traffic

Amato Carbonara acarbonara13 at gmail.com
Tue Apr 14 11:04:46 PDT 2015


Hello Michal,
  I was able to decrypt all traffic types (11a, 11n at 20MHz, 11n at
40MHz and 11ac at 80MHz) using the 10.1.467.2-1 firmware on the
QCA9880 chipset.  The problem was not with Wireshark.  I had to
install backports for the ath10k drivers to make it work.  Procedures
are documented here:
https://wireless.wiki.kernel.org/en/users/Drivers/ath10k/backports

Thank you for your help,
Amato

On Tue, Apr 14, 2015 at 1:38 AM, Michal Kazior <michal.kazior at tieto.com> wrote:
> On 6 April 2015 at 21:49, Amato Carbonara <acarbonara13 at gmail.com> wrote:
>> Hello,
>>   I have installed a WiFi adapter with the Qualcomm-Atheros QCA-9880
>> chipset using the ath10k drivers.  I am using this WiFi adapter to
>> capture WLAN traffic.  The recommended firmware for capturing WiFi
>> traffic is 10.1.467.2-1 per the website.  See following link:
>> https://wireless.wiki.kernel.org/en/users/drivers/ath10k/monitor
>
> Generally the 10.x line is preferred for sniffing. You could also try 10.2.4.
>
>
>> I have successfully installed the above firmware and have been using
>> the adapter/driver to capture and decrypt all 802.11ac traffic.
>> However, I have noticed some strange behavior when trying to decrypt
>> other types of traffic such as:
>>   1) 802.11a = not able to decrypt any traffic
>>   2) 802.11n at 20MHz = able to decrypt only partial traffic
>>   3) 802.11n at 40MHz = able to decrypt only partial traffic
>>
>> I have tried using the different "iw" and "iwconfig" commands to set
>> the frequency and channel bandwidth (for example, iw dev wlan1 set
>> freq 5180 HT20).  Has anyone else seen this issue of not being able to
>> decrypt all/some of the WiFi traffic?
>
> `iwconfig` is an old program. You shouldn't use it. Just stick with `iw`.
>
> To decrypt traffic you need to see keying handshake (both after
> association and later for each rekeying). If sniffer misses that you
> won't be able to decipher data either from the start or you'll stop
> being able to decrypt multicast data after GTK rekeying.
>
> Another thing is I've had numerous random problems with wireshark
> refusing to decrypt frames reliably. I recall some older version would
> get stuck and need the key configuration (in preferences window) to be
> re-applied or the decrypt checkbox to be re-checked. YMMV.
>
>
> Michał
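
Added example, not part of the original thread or of ath10k/Wireshark: a check for the point made in the quoted reply, that decryption depends on the sniffer having seen the keying handshake. It classifies EAPOL-Key frames by their Key Information bits and lists which 4-way handshake messages a capture lacks. It assumes WPA2/RSN bit conventions and raw EAPOL payloads already extracted from the capture; the sample frames and helper names are constructed for illustration.

```python
import struct

# Key Information bit masks (IEEE 802.11 EAPOL-Key frame)
PAIRWISE, INSTALL, ACK, MIC, SECURE = 0x0008, 0x0040, 0x0080, 0x0100, 0x0200

def classify_eapol_key(eapol: bytes) -> str:
    """Name the handshake message carried by one EAPOL frame (WPA2/RSN rules)."""
    if len(eapol) < 7:
        return "truncated"
    _ver, ptype, _length, _desc, info = struct.unpack_from("!BBHBH", eapol)
    if ptype != 3:                      # 3 = EAPOL-Key
        return "not-eapol-key"
    ack, mic, secure = info & ACK, info & MIC, info & SECURE
    if info & PAIRWISE:
        if ack and not mic:
            return "M1"
        if ack and mic and info & INSTALL:
            return "M3"
        if mic and not ack:
            return "M4" if secure else "M2"
    elif mic:
        return "G1" if ack else "G2"    # group key (GTK) rekey handshake
    return "unknown"

def missing_pairwise(frames) -> list:
    """4-way handshake messages absent from a capture's EAPOL frames."""
    seen = {classify_eapol_key(f) for f in frames}
    return [m for m in ("M1", "M2", "M3", "M4") if m not in seen]

def sample_frame(info: int) -> bytes:
    """Constructed EAPOL-Key frame: real header layout, zeroed key fields."""
    body = struct.pack("!BHH", 2, info, 16) + bytes(90)   # 95-byte descriptor
    return struct.pack("!BBH", 2, 3, len(body)) + body

# Constructed capture where the sniffer missed message 2 of the handshake.
CAPTURE = [sample_frame(i) for i in (0x008A, 0x13CA, 0x030A, 0x1382)]

if __name__ == "__main__":
    print([classify_eapol_key(f) for f in CAPTURE], missing_pairwise(CAPTURE))
```

A "G1"/"G2" pair later in a capture marks a GTK rekey, the point after which multicast decryption stops if the sniffer missed those frames.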


