
Ubuntu: No /dev/bpf* #3

Open
rotsee opened this issue Feb 2, 2017 · 12 comments

Comments

@rotsee

rotsee commented Feb 2, 2017

What would be the Linux equivalent of /dev/bpf*? At least on Ubuntu there are no such files

@parkour86

Having the same issue.

$ sudo chmod o+r /dev/bpf*
chmod: cannot access '/dev/bpf*': No such file or directory

$ ls /dev/b*
/dev/btrfs-control

/dev/block:
1:0   11:0  1:13  1:2  1:5  1:8    7:0  7:3  7:6  8:1   8:32  8:49  8:54
1:1   1:11  1:14  1:3  1:6  1:9    7:1  7:4  7:7  8:16  8:33  8:50  8:55
1:10  1:12  1:15  1:4  1:7  252:0  7:2  7:5  8:0  8:17  8:48  8:53

/dev/bsg:
0:0:0:0  1:0:0:0  2:0:0:0  6:0:0:0  7:0:0:0

/dev/bus:
usb

@kylemcdonald
Owner

A few thoughts. From my experience on OSX the sudo chmod o+r /dev/bpf* is necessary to enable sniffing with tcpdump in monitor mode. On Ubuntu, you might not need to do this, so first try running tcpdump -I -i wlan0 where wlan0 is the name of your wireless interface from ifconfig. If this doesn't work, you might need to give tcpdump more access. Try running with sudo instead: sudo tcpdump -I -i wlan0. If neither of these work, your card may not support monitor mode.

If you need to run tcpdump with sudo, you will also need to run sudo python wifi-users.py (which is just running and filtering tcpdump internally).

I just had a Raspberry Pi plugged in the other day and should have tested this -- please let me know about your progress! Thanks :)

@selva-oscura

Having the same issue with Ubuntu 16.04.

tcpdump -I -i wlan0 (actually my equivalent) produces

You don't have permission to capture on that device

sudo tcpdump -I -i wlan0 produces

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp2s0, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 262144 bytes
12:29:58.815520 [|802.11]
12:29:58.951220 [|802.11]
12:29:58.955500 [|802.11]
12:29:58.963502 [|802.11]
12:29:59.052787 [|802.11]
12:29:59.087002 [|802.11]
12:29:59.303516 [|802.11]
12:29:59.554037 [|802.11]
12:29:59.754508 [|802.11]
12:29:59.947502 [|802.11]
12:30:00.087078 [|802.11]
12:30:00.765168 [|802.11]
12:30:00.947531 [|802.11]
12:30:02.088516 [|802.11]
12:30:02.775502 [|802.11]

sudo python wifi-users.py results in

SSID: Cafewifi
No gateway is available: {'default': {}}

Running these also seems to have (temporarily) broken my wifi connection (or perhaps it was just coincidence -- any insights?)
Regardless, to get back online I had to run
sudo service network-manager restart

@kylemcdonald
Owner

kylemcdonald commented Feb 2, 2017

Thanks @selva-oscura it sounds like there's no need for anything like sudo chmod o+r /dev/bpf* on Ubuntu, but that tcpdump must be run with sudo (as must wifi-users.py).

Something you can try is commenting out the return right after that "No Gateway" printout, on this line: https://github.com/kylemcdonald/FreeWifi/blob/master/wifi-users.py#L59

The idea is that some packets only say what gateway they are using, not what BSSID they are using, so it's helpful (but possibly not essential) to look for the gateway. If you comment out that line, the script will continue to run, but may not find enough packets. Please let me know how it works for you!

Also: regarding temporarily "breaking" wifi, this has been my experience too, that tcpdump doesn't always clean up nicely after itself, and you might be required to manually reconnect to the network after closing it. sudo service network-manager restart sounds like a good way to do that.

@selva-oscura

I commented out line 59 (return), added sudo to the tcpdump (cmd) on line 72, and ran with sudo python wifi-users.py
Output:

SSID: anothercoffeeplace
Error getting gateway mac address.
23/1000 █▌ 11:15

Total of 0 user(s)

I wasn't knocked offline this time, but despite a plethora of wifi users around, no joy on getting mac addresses. Any ideas?

@kylemcdonald
Owner

@selva-oscura thanks for sticking with me on this! My first thought is that it's strange to see "23/1000" in the output. It looks like maybe you quit the app early (with CTRL-C) or tcpdump died somehow. In the first case, it's important that you let it sniff for longer. Even if there are a lot of users, we need to see more than 23 packets before getting an idea of who has Internet access. But if tcpdump is quitting, we're going to have to get deeper into this specific location.

One thing you can try is inserting some print statements in the code. I added a few for you in this branch: https://github.com/kylemcdonald/FreeWifi/tree/verbose

Try running with the --verbose flag: sudo python wifi-users.py --verbose and it will tell you more about what it sees. If the information that it outputs isn't helpful you can try adding more print statements, or running the tcpdump command by itself.

To run tcpdump by itself, start by looking at this code 'tcpdump -i {} -Ile -c {}'.format(iface, args.packets).split() which means we want to run a command that looks like this:

$ tcpdump -i wlan0 -Ile -c 1000

Where wlan0 is your wireless interface. You should see packets scrolling by. What we're looking for is:

  1. What is the BSSID (MAC address) associated with the SSID you are currently using?
  2. What packets do you see that are referencing that BSSID plus another MAC address?

If you see some packets that match what we're looking for, try pasting them here. It might just be that the regular expression I wrote to parse tcpdump doesn't work on the version of tcpdump that you have, and we'll need to prepare a new regex.

@selva-oscura

selva-oscura commented Feb 4, 2017

Still no luck.

With the new fork, I get
sudo python wifi-users.py

SSID: PBPA_Guest
Error getting gateway mac address. Did you run sudo chmod o+r /dev/bpf*?
23/1000 █▌ 11:17
Total of 0 user(s)

With the original one, I'm getting
sudo python wifi-users.py

SSID: PBPA_Guest
Error getting gateway mac address.
2/1000 ▏ 00:03

Total of 0 user(s)

In none of these cases did I CTRL-C out. The 23 and the 2 (in one case) are how far it went before the program stopped.

My computer doesn't use wlan0. Do I need to edit the file or pass my computer's equivalent?

When I manually run sudo tcpdump -I -i --v wlp2s0, I get

tcpdump: --v: SIOCETHTOOL(ETHTOOL_GET_TS_INFO) ioctl failed: No such device

Without verbose, sudo tcpdump -I -i wlp2s0 yields

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp2s0, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 262144 bytes
22:42:30.732612 [|802.11]
22:42:30.776786 [|802.11]
22:42:30.982375 [|802.11]
22:42:31.233014 [|802.11]
22:42:31.433697 [|802.11]
22:42:31.619490 [|802.11]
22:42:31.778429 [|802.11]
22:42:32.438570 [|802.11]
22:42:33.779410 [|802.11]
22:42:34.443516 [|802.11]
22:42:35.262584 [|802.11]
22:42:36.259471 [|802.11]
22:42:37.259465 [|802.11]
22:42:37.782319 [|802.11]
22:42:40.267614 [|802.11]
22:42:41.267516 [|802.11]
22:42:42.267459 [|802.11]
22:42:45.272736 [|802.11]
22:42:45.790779 [|802.11]
22:42:46.271468 [|802.11]
tcpdump: pcap_loop: The interface went down
20 packets captured
20 packets received by filter
0 packets dropped by kernel

running sudo tcpdump -i wlp2s0 -Ile -c 1000 produced

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp2s0, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 262144 bytes
22:44:52.980817 [|802.11]
22:44:53.075495 [|802.11]
22:44:53.135518 [|802.11]
22:44:53.386337 [|802.11]
22:44:53.637125 [|802.11]
22:44:53.837783 [|802.11]
22:44:53.867435 [|802.11]
22:44:53.879492 [|802.11]
22:44:53.981222 [|802.11]
22:44:54.879510 [|802.11]
22:44:55.043409 [|802.11]
22:44:55.981718 [|802.11]
22:44:57.250570 [|802.11]
22:44:57.886191 [|802.11]
22:44:58.883507 [|802.11]
22:44:59.883448 [|802.11]
22:44:59.983791 [|802.11]
22:45:02.887689 [|802.11]
22:45:03.887489 [|802.11]
22:45:04.887445 [|802.11]
22:45:07.891991 [|802.11]
22:45:07.992225 [|802.11]
tcpdump: pcap_loop: The interface went down
22 packets captured
22 packets received by filter
0 packets dropped by kernel

While I saw my MAC address when I checked ifconfig, I'm not seeing any in the output. Although, as someone who hasn't really dug into this before, I'll grant that I'm not nearly as clear on all of this as I'd like to be (mentally adding another item to the very long list of things I want to learn).

On this particular wifi network (and not the two previous), I noticed being disconnected from the network and getting the message:

“Network service discovery disabled. Your current network has a .local domain, which is not recommended and incompatible with the Avahi network service discovery. The service has been disabled.”

Any thoughts?

And thank you.

@kylemcdonald
Owner

Ok, I think we're a lot closer to discovering the problem. But the solution might require some additional work. I ran the script on a Raspberry Pi to verify that it generally works, and there were a few real changes I had to make. I've pushed those changes to master, so grab the new code when you get a chance. But let's walk through what you've found.

One of the commands you wrote isn't going to work as you'd expect: sudo tcpdump -I -i --v wlp2s0, because the -i is supposed to be immediately followed by the interface name, and --v prints out the version number. -v (single dash) prints verbose info. So the command should look like sudo tcpdump -I -i wlp2s0 -v

All the output you've posted so far includes [|802.11] instead of showing any real, useful info. According to man tcpdump:

-s snaplen
--snapshot-length=snaplen
  Snarf snaplen bytes of data from each packet rather than the default of 262144
  bytes.  Packets truncated because of a limited snapshot are indicated  in  the
  output  with  ``[|proto]'',  where  proto is the name of the protocol level at
  which the truncation has occurred.  Note that  taking  larger  snapshots  both
  increases  the  amount  of  time it takes to process packets and, effectively,
  decreases the amount of packet buffering.  This may cause packets to be  lost.
  You should limit snaplen to the smallest number that will capture the protocol
  information you're interested in.  Setting snaplen to 0 sets it to the default
  of 262144, for backwards compatibility with recent older versions of tcpdump.

So it sounds like by default your version of tcpdump is only capturing the first few bytes of the packet. We can change this by adding -s 0 to the command: sudo tcpdump -I -i wlp2s0 -v -s 0. I added -s 0 to the command inside wifi-users.py which should get it closer to working better for you.

Note: before posting any of the output of tcpdump publicly, be aware that people may be able to use that information to figure out approximately where you are located by cross-referencing the wireless network names against databases like wigle.

Regarding the gateway being unavailable, I changed the logic for how that is done, so it might also work for you now. The script should do a better job of detecting the wireless interface automatically too, and if it doesn't select the right one you can set it manually with sudo wifi-users.py -i wlp2s0.

Finally, it looks like your tcpdump is quitting in the middle of running. This is where it gets a little more complicated. Usually when you want to run an interface in monitor mode it just works, but sometimes other background processes can interrupt and cause tcpdump to quit. One way around this is to use another tool called aircrack-ng to detect which processes might be interrupting your sniffing, and kill them. First install aircrack-ng, then run the command sudo airmon-ng check kill. Then try running tcpdump or wifi-users.py again. It should get to 1000 packets.

If you still get 0 results, there's a chance that there is way more management traffic than data traffic in your area, and you need to increase the number of packets you are watching for with sudo wifi-users.py -p 10000.

Good luck :)

@MrTavus

MrTavus commented Feb 7, 2017

Hi. I tried all your advice but I still don't get any users on the network. I get a "Sniffing finished early." error. The internet connection is interrupted when I run "sudo python wifi-users.py". I think I get this error because of the interruption. How can I get past this problem?

@selva-oscura

selva-oscura commented Feb 8, 2017

Thank you for your persistence.
I downloaded the most recent version of the repo, downloaded aircrack-ng, downloaded the libs needed for it, ran make and make install, and ran sudo airmon-ng check kill.
That last one evidently resulted in my wifi being turned off, because
sudo python wifi-users.py -i wlp2s0 output

Exception: Unable to auto-detect the network interface

after running sudo service network-manager restart,
sudo python wifi-users.py -i wlp2s0 resulted in nothing sniffed and early quitting

Even running with 10,000 => no luck
sudo python wifi-users.py -i wlp2s0 -p 10000

Interface: wlp2s0
SSID: blahblahblahcoffee
Available gateways: wlp2s0
Gateway IP: [redacted]
Gateway MAC: [redacted]
15/10000 2:54:23
Sniffing finished early.
Total of 0 user(s)

One thing of note, there were Gateway IP and MAC addresses showing after the available gateways bit, though a quick perusal of your new code makes me think that that is apparently due to a change in your code rather than a change in what is being detected.


Poking around the code, I removed the -I from cmd, and it ceased to finish early.
Also, I printed out each line. I took

    progress = tqdm(run_process(cmd),
                    total=args.packets,
                    bar_format=bar_format)
    for line in progress:
        line = line.decode('utf-8')

and added

        eprint('Line: {}'.format(line))

There definitely is data passing through, but I grant I don't really know what to make of it. Two examples below (the specific numbers have been a bit scrambled):

Line: 17:44:25.785622 00:18:1a:1c:18:a2 (oui Unknown) > 34:ed:0a:79:9a:6c (oui Unknown), ethertype IPv4 (0x0800), length 146: 10.128.128.128.domain > 10.85.202.12.35259: 34948 NXDomain* 0/1/0 (104)

Line: 17:44:25.987503 34:ed:1c:1a:9a:6c (oui Unknown) > 00:18:1a:1c:18:a2 (oui Unknown), ethertype IPv4 (0x0800), length 66: 10.58.220.12.56162 > 104.224.24.1.https: Flags [.], ack 4113127238, win 1438, options [nop,nop,TS val 4313537 ecr 1751003598], length 0

@kylemcdonald
Owner

@selva-oscura ok! I think we're making progress :)

It looks like airmon-ng didn't help very much.

The -I flag is for enabling monitor mode. If you remove -I then your wireless interface is not listening to ambient wireless data any more, just your own personal wireless data.

My suspicion is that you have a different version of tcpdump, and that it has a different format for the output compared to my version. Could you run the following: tcpdump --version? For me, I see:

tcpdump version 4.7.3 -- Apple version 67
libpcap version 1.5.3 - Apple version 54

The first thing my code looks for is the beacon frames from the wireless AP, to figure out what the wireless AP's MAC address is. I'm guessing that this part should probably work:

if ssid in line:
    bssid_matches = bssid_re.search(line)
    if bssid_matches:
        bssid = bssid_matches.group(1)
        if 'Broadcast' not in bssid:
            network_macs.add(EUI(bssid))

I would try modifying it to print out three helpful things, to check if it's properly extracting the MAC address from that line:

if ssid in line:
    print('Found a line that includes the SSID {}: {}'.format(ssid, line)) # 1
    bssid_matches = bssid_re.search(line)
    if bssid_matches:
        bssid = bssid_matches.group(1)
        if 'Broadcast' not in bssid:
            network_macs.add(EUI(bssid))
        print('Beacon MAC address found: {}'.format(bssid)) # 2
    else:
        print('Beacon MAC address not found.') # 3

I think this part is probably working. Then we want to get deeper. Let's take this part:

if length_match:
    length = int(length_match.group(1))
    mac_matches = tcpdump_mac_re.findall(line)
    if mac_matches:
        macs = set([EUI(match[1]) for match in mac_matches])
        leftover = macs - network_macs
        if len(leftover) < len(macs):
            for mac in leftover:
                data_totals[mac] += length
                client_macs.add(mac)

and add five lines:

if length_match:
    print('Found a line that includes the word "length": {}'.format(line)) # 1
    length = int(length_match.group(1))
    mac_matches = tcpdump_mac_re.findall(line)
    if mac_matches:
        print('Data MAC addresses found:') # 2
        macs = set([EUI(match[1]) for match in mac_matches])
        for mac in macs: # 3
            print('- {}'.format(mac)) # 4
        leftover = macs - network_macs
        if len(leftover) < len(macs):
            for mac in leftover:
                data_totals[mac] += length
                client_macs.add(mac)
    else:
        print('Data MAC addresses not found.') # 5

If you are getting lots of "Beacon MAC address not found." or "Data MAC addresses not found." then we probably have a tcpdump version mismatch, and your version of tcpdump is printing out data in a different format than mine.
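
The parsing logic walked through in the comment above, together with the [|802.11] truncation marker and the "interface went down" failure discussed earlier in the thread, as an added example. This is not code from the FreeWifi script or from any participant: it is a stand-alone Python 3 parser for the text that tcpdump -I -e prints. The regexes, function names and sample lines are this example's own assumptions; the sample is made up to approximate tcpdump 4.9's 802.11 output with a radiotap header (locally-administered placeholder MACs), not copied from a real capture. It goes a step beyond the script's flow by counting truncated frames and picking up tcpdump's pcap_loop message, so that "Total of 0 user(s)" can be told apart from a run in which nothing was decodable or tcpdump died.

```python
import re
import sys
from collections import defaultdict

# Constructed sample of `tcpdump -I -e` (monitor mode, link-level headers)
# output for 802.11 frames with a radiotap header. Made up for this example
# to approximate tcpdump 4.9 output, not copied from a real capture. MACs are
# locally-administered placeholders; the trailer mirrors the thread's
# "interface went down" failure.
SAMPLE_TCPDUMP_OUTPUT = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp2s0, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 262144 bytes
12:29:58.815520 [|802.11]
12:29:58.951220 1.0 Mb/s 2412 MHz 11b -58dBm signal antenna 0 BSSID:02:00:00:aa:bb:01 DA:Broadcast SA:02:00:00:aa:bb:01 Beacon (Cafewifi) [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 1, PRIVACY
12:29:59.052787 54.0 Mb/s 2412 MHz 11g -60dBm signal antenna 1 BSSID:02:00:00:aa:bb:01 SA:02:00:00:cc:dd:10 DA:02:00:00:aa:bb:01 LLC, dsap SNAP (0xaa) Individual, ssap SNAP (0xaa) Command, ctrl 0x03: oui Ethernet (0x000000), ethertype IPv4 (0x0800): 10.0.0.12.51234 > 93.184.216.34.443: Flags [.], ack 1, win 1438, length 0
12:29:59.303516 54.0 Mb/s 2412 MHz 11g -60dBm signal antenna 1 BSSID:02:00:00:aa:bb:01 DA:02:00:00:cc:dd:10 SA:02:00:00:aa:bb:01 LLC, dsap SNAP (0xaa) Individual, ssap SNAP (0xaa) Command, ctrl 0x03: oui Ethernet (0x000000), ethertype IPv4 (0x0800): 93.184.216.34.443 > 10.0.0.12.51234: Flags [P.], seq 1:1401, ack 1, win 1024, length 1400
12:29:59.554037 1.0 Mb/s 2412 MHz 11b -70dBm signal antenna 0 BSSID:02:00:00:aa:bb:01 SA:02:00:00:cc:dd:11 DA:02:00:00:aa:bb:01 LLC, dsap SNAP (0xaa) Individual, ssap SNAP (0xaa) Command, ctrl 0x03: oui Ethernet (0x000000), ethertype IPv4 (0x0800): 10.0.0.13.40123 > 10.0.0.1.53: 12345+ A? example.com. (29)
12:29:59.754508 1.0 Mb/s 2412 MHz 11b -80dBm signal antenna 0 BSSID:02:00:00:ee:ff:02 DA:Broadcast SA:02:00:00:ee:ff:02 Beacon (OtherNet) [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 6, PRIVACY
12:30:00.087078 54.0 Mb/s 2412 MHz 11g -82dBm signal antenna 1 BSSID:02:00:00:ee:ff:02 SA:02:00:00:cc:dd:20 DA:02:00:00:ee:ff:02 LLC, dsap SNAP (0xaa) Individual, ssap SNAP (0xaa) Command, ctrl 0x03: oui Ethernet (0x000000), ethertype IPv4 (0x0800): 10.0.1.20.40000 > 93.184.216.34.443: Flags [.], ack 1, win 1024, length 0
12:30:00.765168 [|802.11]
tcpdump: pcap_loop: The interface went down
8 packets captured
8 packets received by filter
0 packets dropped by kernel
"""

# Regexes assumed for this example (the FreeWifi script has its own).
ADDR_RE = re.compile(r'\b(BSSID|SA|DA|RA|TA):([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b', re.I)
BEACON_RE = re.compile(r'Beacon \((.*?)\)')     # "Beacon (SSID)" in management frames
LENGTH_RE = re.compile(r'\blength (\d+)\b')     # payload length tcpdump appends to TCP
NONFRAME_RE = re.compile(r'^(tcpdump: |listening on |\d+ packets? )')  # banner/trailer
TRUNCATED = '[|802.11]'  # tcpdump's marker for a frame cut off before the 802.11 header


def parse_capture(lines, ssid):
    """Attribute sniffed 802.11 data frames to client stations of one SSID.

    Returns the network's BSSIDs, per-client packet/byte counts, and the
    diagnostics (truncated frames, tcpdump stop reason) needed to judge
    whether an empty client list means anything.
    """
    lines = list(lines)
    network_macs = set()
    clients = defaultdict(lambda: {'packets': 0, 'bytes': 0})
    stats = {'total': 0, 'truncated': 0, 'beacons': 0, 'unattributed': 0,
             'stop_reason': None}

    # Pass 1: beacons carry the SSID, so they reveal which BSSIDs are "ours".
    for line in lines:
        beacon = BEACON_RE.search(line)
        if beacon and beacon.group(1) == ssid:
            for _field, mac in ADDR_RE.findall(line):
                network_macs.add(mac.lower())

    # Pass 2: a frame carrying one of our BSSIDs plus another unicast address
    # was sent by or to a client of that network.
    for line in lines:
        if 'pcap_loop: ' in line:  # e.g. "tcpdump: pcap_loop: The interface went down"
            stats['stop_reason'] = line.split('pcap_loop: ', 1)[1]
            continue
        if NONFRAME_RE.match(line):
            continue
        stats['total'] += 1
        if TRUNCATED in line:
            stats['truncated'] += 1
            continue
        if BEACON_RE.search(line):
            stats['beacons'] += 1  # management traffic, not a client data frame
            continue
        macs = {mac.lower() for _field, mac in ADDR_RE.findall(line)}
        leftover = macs - network_macs
        if not macs or leftover == macs:
            stats['unattributed'] += 1  # another BSS, or no address fields at all
            continue
        length = LENGTH_RE.search(line)
        for mac in leftover:
            clients[mac]['packets'] += 1
            clients[mac]['bytes'] += int(length.group(1)) if length else 0

    return dict(network_macs=network_macs, clients=dict(clients), **stats)


def diagnose(result):
    """Verdict a troubleshooter wants before trusting "Total of 0 user(s)"."""
    prefix = ''
    if result['stop_reason']:
        prefix = 'tcpdump quit early ({}); '.format(result['stop_reason'])
    if result['total'] and result['truncated'] == result['total']:
        verdict = 'every frame was truncated; nothing reached the 802.11 decoder'
    elif not result['network_macs']:
        verdict = 'no beacon for the SSID was seen; BSSID unknown'
    elif not result['clients']:
        verdict = 'network seen but no client data frames matched'
    else:
        verdict = '{} client(s) seen'.format(len(result['clients']))
    return prefix + verdict


if __name__ == '__main__':
    if len(sys.argv) > 2:  # usage: parser.py capture.txt SSID
        with open(sys.argv[1]) as f:
            lines, ssid = f.read().splitlines(), sys.argv[2]
    else:
        lines, ssid = SAMPLE_TCPDUMP_OUTPUT.splitlines(), 'Cafewifi'
    res = parse_capture(lines, ssid)
    print(diagnose(res))
    for mac, c in sorted(res['clients'].items(), key=lambda kv: -kv[1]['bytes']):
        print('{}  {:>4} packets  {:>7} bytes'.format(mac, c['packets'], c['bytes']))
```

To use it against a real interface, save a capture as text with sudo tcpdump -I -e -s 0 -l -i wlp2s0 -c 1000 > capture.txt 2>&1 (the same -I, -e and -c flags the script passes, plus the -s 0 suggested above) and run the parser on that file with the SSID as the second argument. If the diagnose() line says every frame was truncated, the regexes are irrelevant: the driver is not handing full frames to libpcap, and no amount of regex tuning will find clients.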

@selva-oscura

tcpdump --version yields

tcpdump version 4.9.0
libpcap version 1.7.4
OpenSSL 1.0.2g 1 Mar 2016
BTW, OS is Ubuntu 16.04.1

I cloned the current version of the repo, made the recommended changes, ran sudo python wifi-users.py -i wlp2s0, and got (give or take a little editing)

Interface: wlp2s0
SSID: coffeeshopTheFullHorror
Available gateways: wlp2s0
Gateway IP: [redacted]
Gateway MAC: [redacted]
23/1000 █▌ 11:09
Sniffing finished early.
Total of 0 user(s)

My wifi did reset (disconnect and reconnect) after running this.
