Using ath10k for WiFi capturing non-11ac traffic

Amato Carbonara acarbonara13 at gmail.com
Wed Apr 15 07:28:35 PDT 2015


Hi Ben,
  I have done numerous captures using the ath10k driver on different
802.11 variant networks, specifically 802.11n (20MHz and 40MHz) and
802.11ac.  In all these captures, I have captured the Block-Ack frames
(Wireshark filter wlan.fc.type_subtype == 0x0019), but do not see any
Block-ACK Request or Response frames.  In fact, none of my captures
using the ath10k drivers show any Action frames (Wireshark filter
wlan.fc.type_subtype == 0x000d).  This is very peculiar since the IEEE
specification 802.11-2012 section 9.21.2 states: "If the intended
recipient STA is capable of participating, the originator sends an
ADDBA Request frame".  Therefor, the ADDBA must be sent in order for
Block-Acks to occur.  I have also noticed missing Association Response
frames from the STA.

Currently, I am using firmware 10.1.467.2-1 to perform my captures.

Has anyone else tried using a different firmware version, for example
10.2.4, to perform WiFi captures?

On Tue, Apr 14, 2015 at 8:19 PM, Ben Greear <greearb at candelatech.com> wrote:
> Out of curiosity, have you been able to capture Action frames (specifically,
> block-ack add/del frames) with ath10k?  I just wasted a large amount of time wondering
> why the frames are not seen...but ath9k monitor port sees them just fine.
>
> Thanks,
> Ben
>
>
> On 04/14/2015 11:04 AM, Amato Carbonara wrote:
>> Hello Michal,
>>   I was able to decrypt all traffic types (11a, 11n at 20MHz, 11n at
>> 40MHz and 11ac at 80MHz) using the 10.1.467.2-1 firmware on the
>> QCA9880 chipset.  The problem was not with Wireshark.  I had to
>> install backports for the at10k drivers to make it work.  Procedures
>> are documented here:
>> https://wireless.wiki.kernel.org/en/users/Drivers/ath10k/backports
>>
>> Thank you for your help,
>> Amato
>>
>> On Tue, Apr 14, 2015 at 1:38 AM, Michal Kazior <michal.kazior at tieto.com> wrote:
>>> On 6 April 2015 at 21:49, Amato Carbonara <acarbonara13 at gmail.com> wrote:
>>>> Hello,
>>>>   I have installed a WiFi adapter with the Qualcomm-Atheros QCA-9880
>>>> chipset using the at10k drivers.  I am using this WiFi adapter to
>>>> capture WLAN traffic.  The recommended firmware for capturing WiFi
>>>> traffic is 10.1.467.2-1 per the website.  See following link:
>>>> https://wireless.wiki.kernel.org/en/users/drivers/ath10k/monitor
>>>
>>> Generally the 10.x line is preferred for sniffing. You could also try 10.2.4.
>>>
>>>
>>>> I have successfully installed the above firmware and have been using
>>>> the adapter/driver to capture and decrypt all 802.11ac traffic.
>>>> However, I have noticed some strange behavior when trying to decrypt
>>>> other types of traffic such as:
>>>>   1) 802.11a = not able to decrypt any traffic
>>>>   2) 802.11n at 20MHz = able to decrypt only partial traffic
>>>>   3) 802.11n at 40MHz = able to decrypt only partial traffic
>>>>
>>>> I have tried using the different "iw" and "iwconfig" commands to set
>>>> the frequency and channel bandwidth (for example, iw dev wlan1 set
>>>> freq 5180 HT20).  Has anyone else seen this issue of not being able to
>>>> decrypt all/some of the WiFi traffic?
>>>
>>> `iwconfig` is an old program. You shouldn't use it. Just stick with `iw`.
>>>
>>> To decrypt traffic you need to see keying handshake (both after
>>> association and later for each rekeying). If sniffer misses that you
>>> won't be able to decipher data either from the start or you'll stop
>>> being able to decrypt multicast data after GTK rekeying.
>>>
>>> Another thing is I've had numerous random problems with wireshark
>>> refusing to decrypt frames reliably. I recall some older version would
>>> get stuck and need the key configuration (in preferences window) to be
>>> re-applied or the decrypt checkbox to be re-checked. YMMV.
>>>
>>>
>>> Michał
>>
>> _______________________________________________
>> ath10k mailing list
>> ath10k at lists.infradead.org
>> http://lists.infradead.org/mailman/listinfo/ath10k
>>
>
>
> --
> Ben Greear <greearb at candelatech.com>
> Candela Technologies Inc  http://www.candelatech.com
>



More information about the ath10k mailing list