I'm aware of the rules on 'derivative FreeBSDs' and have tried to get an answer on the pfSense forum here: http://forum.pfsense.org/index.php/topic,60491.0.html. I don't feel like bumping there will be useful as there have been plenty of views, so I'm trying here. Hopefully this is the right subforum.
My version of pfSense is built on FreeBSD 8.1. For the rest I'll just copy the post from the link.
------------
I am attempting to capture 802.11 frames on a small box running pfSense (no, there's no possibility of using a full-size OS). Note that I have some experience with Linux, but none with FreeBSD/pfSense.
I have tried to do the capturing with the following script. The reboot command at the end is needed since I have to SSH to the box using the same Wi-Fi module (which is in AP mode).
Code:
#!/bin/sh
ifconfig ath0_wlan0                 # status before
ifconfig ath0_wlan0 monitor         # set the MONITOR flag
ifconfig ath0_wlan0                 # compare status
/usr/sbin/tcpdump -n -e -tttt -vvv -U -i ath0_wlan0 -s 0 -w ath0wlan0.dump &
sleep 20 && pkill -HUP -f /usr/sbin/tcpdump   # FreeBSD sleep(1) takes plain seconds, not "20s"
ifconfig ath0_wlan0 -monitor        # clear the MONITOR flag
ifconfig ath0_wlan0                 # compare status
sleep 10
reboot                              # needed: SSH access runs over this same AP interface
The output was:
Code:
ath0_wlan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 90:a4:de:c7:55:57
inet6 fe80::92a4:deff:fec7:5557%ath0_wlan0 prefixlen 64 scopeid 0x9
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
media: IEEE 802.11 Wireless Ethernet autoselect mode 11b <hostap>
status: running
ssid PfsenseBox channel 8 (2447 MHz 11b) bssid 90:a4:de:c7:55:57
regdomain ETSI country NL ecm authmode OPEN privacy OFF txpower 30
scanvalid 60 burst -apbridge dtimperiod 1 -dfs
ath0_wlan0: flags=48943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,MONITOR> metric 0 mtu 1500
ether 90:a4:de:c7:55:57
inet6 fe80::92a4:deff:fec7:5557%ath0_wlan0 prefixlen 64 scopeid 0x9
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
media: IEEE 802.11 Wireless Ethernet autoselect mode 11b <hostap>
status: running
ssid PfsenseBox channel 8 (2447 MHz 11b) bssid 90:a4:de:c7:55:57
regdomain ETSI country NL ecm authmode OPEN privacy OFF txpower 30
scanvalid 60 burst -apbridge dtimperiod 1 -dfs
tcpdump: WARNING: ath0_wlan0: no IPv4 address assigned
tcpdump: listening on ath0_wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes
57 packets captured
57 packets received by filter
0 packets dropped by kernel
ath0_wlan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 90:a4:de:c7:55:57
inet6 fe80::92a4:deff:fec7:5557%ath0_wlan0 prefixlen 64 scopeid 0x9
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
media: IEEE 802.11 Wireless Ethernet autoselect mode 11b <hostap>
status: running
ssid PfsenseBox channel 8 (2447 MHz 11b) bssid 90:a4:de:c7:55:57
regdomain ETSI country NL ecm authmode OPEN privacy OFF txpower 30
scanvalid 60 burst -apbridge dtimperiod 1 -dfs
So it seems to work; however, the dump file contains only SSH/HTTP/TCP packets and the like. I'm clearly missing something for pfSense to be able to do this, but I can't Google my way out of it.
I found http://sandilands.info/sgordon/capturing-wireless-lan-with-ubuntu-tcpdump-kismet which uses the same approach, except that they disable the WNIC before putting it in monitor mode. I tried this but to no avail. However, they mention something about special wireless drivers to enable the WNIC to support monitoring. Do I need to install, for example, the madwifi drivers?
PS
The output of ifconfig and pciconf -lv shows that ath0_wlan0 is cloned from ath0; I don't know whether it is of any importance:
Code:
$ ifconfig ath0
ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 2290
ether 90:a4:de:c7:55:57
media: IEEE 802.11 Wireless Ethernet autoselect mode 11b <hostap>
status: running
$ pciconf -lv
ath0@pci0:0:12:0: class=0x020000 card=0x1012185f chip=0x0013168c rev=0x01 hdr=0x00
class = network
subclass = ethernet
And the specifications of the WNIC:
http://www.msdist.co.uk/product_CM9-GP_Atheros_80211a-b-g_miniPCI_wireless_card.php
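The tcpdump banner in the post reports `link-type EN10MB (Ethernet)`, which means the records in the dump carry Ethernet headers rather than 802.11 ones, whatever the MONITOR flag on the interface says. The checker below is an added example, not part of the original post: it reads the pcap global header of a file written with `tcpdump -w` and reports the link type (DLT), whether it is an 802.11 type (105 or 127), and how many complete records follow. The two sample files embedded in it are constructed, not taken from the poster's dump.

```python
import struct

# libpcap link-layer header types (DLT values). The poster's tcpdump banner says
# "link-type EN10MB (Ethernet)", so its records carry Ethernet, not 802.11, headers.
DLT_EN10MB = 1               # Ethernet-framed payload
DLT_IEEE802_11 = 105         # raw 802.11 management/control/data frames
DLT_IEEE802_11_RADIO = 127   # 802.11 frames preceded by a radiotap header

# pcap magic as read little-endian -> struct byte-order prefix for the whole file
PCAP_MAGIC = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">",   # microsecond timestamps
              0xA1B23C4D: "<", 0x4D3CB2A1: ">"}   # nanosecond timestamps

def pcap_summary(data: bytes) -> dict:
    """Parse a classic pcap global header and count the complete records after it."""
    if len(data) < 24:
        raise ValueError("pcap global header is 24 bytes")
    endian = PCAP_MAGIC.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    # magic, version major/minor, thiszone, sigfigs, snaplen, network (DLT)
    _, major, minor, _, _, snaplen, dlt = struct.unpack(endian + "IHHiIII", data[:24])
    count, off = 0, 24
    while off + 16 <= len(data):
        # record header: ts_sec, ts_usec, captured length, original length
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16 + incl_len
        if off > len(data):          # truncated final record (tcpdump killed mid-write)
            break
        count += 1
    return {"version": (major, minor), "snaplen": snaplen, "dlt": dlt, "packets": count,
            "has_80211": dlt in (DLT_IEEE802_11, DLT_IEEE802_11_RADIO)}

def check_dump(path: str) -> dict:
    """Summarise a file written with tcpdump -w, e.g. the ath0wlan0.dump above."""
    with open(path, "rb") as f:
        return pcap_summary(f.read())

def _global_header(dlt: int) -> bytes:
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, dlt)

# Constructed samples, not taken from the poster's dump: an Ethernet-typed file like
# the one tcpdump reported, and a radiotap file holding one minimal beacon frame.
ETHERNET_DUMP = _global_header(DLT_EN10MB)
_radiotap = struct.pack("<BBHI", 0, 0, 8, 0)            # version 0, 8-byte header, no fields
_beacon = bytes([0x80, 0x00]) + b"\x00" * 22            # frame control 0x0080 = beacon
_frame = _radiotap + _beacon
RADIOTAP_DUMP = (_global_header(DLT_IEEE802_11_RADIO)
                 + struct.pack("<IIII", 0, 0, len(_frame), len(_frame)) + _frame)
```

On the capture box, `check_dump("ath0wlan0.dump")["has_80211"]` is False for a dump like the one in the post; a capture of real 802.11 frames must show DLT 105 or 127 here before the management frames can be expected in the file.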