Not remove interface when wpa_supplicant shuts down

Panagiotis Georgopoulos panos
Thu Jun 10 10:59:57 PDT 2010


Hello Jouni,

	Please see bellow...

> On Tue, Jun 08, 2010 at 12:05:08PM +0100, Panagiotis Georgopoulos
> wrote:
> > 	On a related note, why when I run hostapd, it creates a mon.wlan1
> > interface in addition to wlan1? I see something like the following
> > when I run hostapd :
> 
> mon.wlan# is used to receive and send various management frames (and
> EAPOL frames) in AP mode.
> 
> > 	This again creates many problems in the debugging because each
> > handler interface sees a subset of the traffic that AP experiences
> and it is
> > very difficult to debug this.. (For more information on this please
> see my
> > previous message on the list :
> > http://lists.shmoo.com/pipermail/hostap/2010-June/021487.html )
> 
> If you want to receive more frames, you better add your own monitor
> interface and not use something created by hostapd because you have
> different needs for the interface. Just do something like "iw dev wlan0
> interface add mon0 type monitor; ifconfig mon0 up" and use mon0 with
> the
> sniffer.
> 

What type of interface would you suggest me to create though? If I create
another monitoring interface it *does not* capture all the traffic that the
AP is seeing :-( 

Unless I am missing some iw parameters... (I am afraid that the iw tool is
very poorly documented)

It seems that the monitoring interface (mon.wlan1) that hostapd creates,
presents to wireshark just a subset of the traffic that the AP is sending
and receiving (it mostly sees packets that the AP sends, not receives).  You
might expect this to be normal, however neither the initial AP interface
(wlan1) is presenting all the packets the AP is sending and receiving to
Wireshark, thus making this extremely difficult to debug.

To make things worse, mon.wlan1 seems to be presenting the packets to
Wireshark in a "low level" format, so they are split it multiple rows, which
makes things even more difficult to debug...

For example, in a refreshing keys event, I see in mon.wlan1 two IEEE 802.11
packets that are send from the AP to the client (which on the client seems
as one EAPOL KEY packet from the AP), and I see the reply from the client to
the AP only in wlan1 interface appearing as EAPOL KEY packet.

So a) why do I get 2 packets in mon.wlan1 that I should be seeing as one and
in fact on the wlan1 interface?
   b) how do I create one interface that sees *all* the traffic that the AP
sees? It seems that the monitoring interface that hostapd creates
(mon.wlan1) "steals" some of the traffic that wlan1 should be seeing and to
make things worse, it shows this in a "low level" format, i.e. split in many
fragments (rows in Wireshark).

(I hope I didn't confuse you more)

Any ideas?

Thanks a lot in advance,
Panos






More information about the Hostap mailing list