Promiscuous Mode

[Nickelme]

I was playing around with promiscuous mode and i noticed that the packets that are give to the callback are much larger than than they should be considering they were only beacon packets and wifi adapter on my laptop showed them as only 255 bytes while the esp32 returned that they were 528 bytes. After dumping the packets to serial i found the 802.11 header but i was curious what they bytes around it meant and if they are useful in anyway or just complete garbage (I'm assuming they aren't).

[brainstorm]

Would you mind sharing the code you used to perform those tests and/or some resulting .pcap files?

EDIT: Oh well, I will:

Screen Shot 2016-12-13 at 10.01.14.png (92.56 KiB) Viewed 28476 times

Trying to figure out those bytes against net80211 structures and what I have in reality for a given SSID (channel, IE, etc...). I wish it was clearer in the docs what bytes are what.

Here's the hex output shown above, just in case someone wants to dissect this along (hint: the SSID is `35f4e6` as shown in the screenshot above):

00AA002000920080000000000000000000000000000100B4004C000500030000009E003F00A3003F0000000000F000210092002000090000008000000000000000FF00FF00FF00FF00FF00FF00E000CB004E006A00F9003000E000CB004E006A00F90030000000D8009D00D20086000500280008000000000064000000110004000000060033003500660034006500360001000400820084008B0096000300010001000500040000000100000000002A00010000002F0001000000320008000C001200180024003000480060006C00DD00090000001000180002000600F000040000000000DD001C0000005000F20001000100000000005000F20002000200000000005000F200040000005000F20002000100000000005000F20002000C000000DD00180000005000F200020001000100800000000300A400000000002700A40000000000420043005E000000620032002F00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000920000

[brainstorm]

To be continued over github: https://gist.github.com/brainstorm/24e8 ... 7c5b43a02c

[Nickelme]

Yea, Well you beat me to the post but if you look inside you get the 80211 header in there. Wireshark hex dump on my laptop vs Hex dump from the ESP32 shows that after a few bytes they match up if you remove the radio tap header from the Wireshark.

ESP32
dc20f180000000000000068529f74000a83fa83f00003070f1100f0080000000ffffffffffffd850e6cd93b0d850e6cd93b030df9bf10e316b00000064001104000547756d6279010882848b962430486c0301060504010300002a01042f010430140100000fac040100000fac040100000fac020c0032040c1218602d1aff1917ffffff00010000000000000000000000000000000000003d16060f16000000000000000000000000000000000000004a0e14000a002c01c8001400050019007f080100000000000040dd180050f204104a00011010440001021049000600372a000120dd090010180208001c0000dd180050f2020101840003a4000027a4000042435e0062322f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100f100


WireShark
000012002e48000000028509a000eb01000080000000ffffffffffffd850e6cd93b0d850e6cd93b0104989a11e126b00000064001104000547756d6279010882848b962430486c0301060504000301002a01042f010430140100000fac040100000fac040100000fac020c0032040c1218602d1aff1917ffffff00010000000000000000000000000000000000003d16060f16000000000000000000000000000000000000004a0e14000a002c01c8001400050019007f080100000000000040dd180050f204104a00011010440001021049000600372a000120dd090010180208001c0000dd180050f2020101840003a4000027a4000042435e0062322f00

I've highlighted where the 80211 packet begins and where it ends in both. That was just a beacon packet from my router. The blue is the RadioTap Header and the green is what I'm trying to find out. I have a pretty strong feeling it holds information similar to the RadioTap header such as Data Rate, Channel, Signal Strength. Any Advice on where to start is welcome. Also any programs that i can use to fake 802.11 packets so that I can get somewhat consistent results is welcome.

[brainstorm]

Cool! Thanks for the reply/highlighting... I've been comparing those with this (higher level?) pullrequest:

https://github.com/espressif/esp-idf/pull/70/files

What I was gonna try next is filter by (B)SSID/MAC in the promiscuous callback itself (strcmp), therefore only printing a single repeating packet/beacon and see how those bytes change over time... that way at least the RSSI could be relatively easy to spot.

Are you keeping the code somewhere? Happy to jump into a common codebase it if you don't mind, that way we could get this thing faster.

Cheers!

[Nickelme]

I don't have a code base right now but if you want to start one i'd be more than happy to try and contribute to it. Sounds like you have more work into this anyways.

[brainstorm]

For starters I see that your dump starts with `DC` while mine go from `Ax` to `Dx` on offset 0x0... over several runs of promiscuous mode in different times:

Code: Select all

000000  AD 20 36 81 00 00 00
000000  A9 20 2B 81 00 00 00
000000  D6 20 05 81 00 00 00
000000  C9 20 9D 80 00 00 00
000000  A8 20 62 81 00 00 00
000000  A9 20 30 81 00 00 00
000000  AA 20 30 81 00 00 00
000000  AE 20 16 81 00 00 00
000000  C8 20 C6 80 00 00 00
000000  CB 20 30 81 00 00 00
000000  A8 20 30 81 00 00 00
000000  AF 20 30 81 00 00 00
000000  AB 20 36 81 00 00 00
000000  A6 20 2B 81 00 00 00
000000  D6 20 05 81 00 00 00
000000  A9 20 2B 81 00 00 00
000000  A9 20 30 81 00 00 00
000000  C1 20 9D 80 00 00 00

That first byte is followed by `20` (space) and then a variable (to be determined)... then 80 or 81 in the fourth column.

[Nickelme]

Try to see if the first byte might be RSSI as a signed byte, Just a guess. I would try myself but dont currently have my ESP32 Thing with me.

[Nickelme]

Just tried running the first byte as RSSI using the code below. Assuming my phone (Droid Turbo 1) has a similar antenna, It would seem that the first byte is RSSI.

Code: Select all

void promiscuousCallBack(void *buff, uint16_t len){
	printf("%d", ((signed char)((char*)buff)[0]));
	printf("\n");
}

[ESP_Angus]

You are correct that the first byte is RSSI as a signed byte.

We're going to be publishing the details of this radiotap header in esp-idf soon, will let you know when it's available.