Monitor mode - suggestions

[gpotter2]

Hi !

Very nice project, a few remarks:

• on OSX, our latest versions auto-start monitor mode using a trick used in tcpdump https://github.com/secdev/scapy/blob/master/scapy/arch/bpf/supersocket.py
  You need to check what I say, but monitor=True should be enough on OSX, so you don’t have to use your dirty tricks

• There are some useful functions, such as

>>> get_if_list()
['tun0', 'enp0s3', 'lo']

, or consts

scapy.consts.DARWIN
scapy.consts.LINUX

to help you reduce your metrics.

We should be merging soon the RadioTap dbm fix, sorry for the wait

[calebmadrigal]

Hey @gpotter2, thanks for the suggestions! Ya, definitely looking forward to that RadioTap fix.

So about the OSX monitor mode, I'm glad you brought that up. I've tried the monitor=True, and it works well. But there is one problem (for my uses) - while it does put the interface in monitor mode, it doesn't fully disable managed mode, so I can't switch channels. This can be seen using the airport command like this:

In one terminal:

>>> import scapy.all as scapy
>>> scapy.sniff(iface='en0', prn=lambda p: p.summary(), monitor=True)

In another terminal (after running the above):

$ /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I
     agrCtlRSSI: -62
     agrExtRSSI: 0
    agrCtlNoise: -93
    agrExtNoise: 0
          state: running
        op mode: station monitor
     lastTxRate: 216
        maxRate: 400
lastAssocStatus: 0
    802.11 auth: open
      link auth: none
          BSSID: 82:2a:a8:55:71:15
           SSID: colectivo
            MCS: 5
        channel: 157,1

As you can see, the op mode is station monitor. And when I try switching to a different channel, it doesn't work:

bash-4.4# /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport --channel=6
bash-4.4# /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I
     agrCtlRSSI: -62
     agrExtRSSI: 0
    agrCtlNoise: -93
    agrExtNoise: 0
          state: running
        op mode: station monitor
     lastTxRate: 135
        maxRate: 400
lastAssocStatus: 0
    802.11 auth: open
      link auth: none
          BSSID: 82:2a:a8:55:71:15
           SSID: colectivo
            MCS: 7
        channel: 157,1

However, when I do that horribly dirty hack (running /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport sniff en0), it completely disables station mode, and allows me to switch channels. You can notice below, that the op mode is just monitor below (after running this airport sniff en0 1 command):

bash-4.4# /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport --channel=6
bash-4.4# /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I
     agrCtlRSSI: 0
     agrExtRSSI: 0
    agrCtlNoise: 0
    agrExtNoise: 0
          state: init
        op mode: monitor
     lastTxRate: 0
        maxRate: 0
lastAssocStatus: 65535
    802.11 auth: open
      link auth: none
          BSSID: 0:0:0:0:0:0
           SSID:
            MCS: -1
        channel: 6

And, as you can see, channel switching works.

I haven't had time yet to try to determine what the airport command is doing different to fully disable station (managed) mode. If you have any ideas, let me know. If I find anything interesting, I'll definitely share it with you guys - could be a nice little enhancement to scapy. I'm not sure about other use cases, but I think others might benefit from being in fully non-managed mode when sniffing in monitor mode.

Btw, I appreciate all your work on scapy - it's one of my favorite libraries.

[gpotter2]

Hi !

It would be great if you could submit an issue for the “managed monitor mode issue”, on the scapy issues page

I can’t guarantee you that we’ll find a fix, as I’m not the OSX expert of scapy, but it’s definatly a bug that should be reported...

[gpotter2]

@calebmadrigal Hi, we just released 2.4.2.

It sadly doesn’t have any monitor mode fixes, but it will break the ‘notdecoded’ hack, as the field will now be populated.

[gpotter2]

guedou commented about 1 hour ago
Sorry for the looong delay. I do not boot macOS often ...

This behavior is expected that the station monitor mode is used to sniff raw 802.11 frames. Sniffing with tcpdump -I does exactly the same. When sniff() stops the mode goes back station.