Promiscuous Mode
I was playing around with promiscuous mode and I noticed that the packets that are given to the callback are much larger than they should be, considering they were only beacon packets: the wifi adapter on my laptop showed them as only 255 bytes while the ESP32 reported that they were 528 bytes. After dumping the packets to serial I found the 802.11 header, but I was curious what the bytes around it meant and whether they are useful in any way or just complete garbage (I'm assuming they aren't).
Re: Promiscuous Mode
Would you mind sharing the code you used to perform those tests and/or some resulting .pcap files?
EDIT: Oh well, I will:
Trying to figure out those bytes against net80211 structures and what I have in reality for a given SSID (channel, IE, etc...). I wish it was clearer in the docs what bytes are what.
Here's the hex output shown above, just in case someone wants to dissect this along (hint: the SSID is `35f4e6` as shown in the screenshot above):
00AA002000920080000000000000000000000000000100B4004C000500030000009E003F00A3003F0000000000F000210092002000090000008000000000000000FF00FF00FF00FF00FF00FF00E000CB004E006A00F9003000E000CB004E006A00F90030000000D8009D00D20086000500280008000000000064000000110004000000060033003500660034006500360001000400820084008B0096000300010001000500040000000100000000002A00010000002F0001000000320008000C001200180024003000480060006C00DD00090000001000180002000600F000040000000000DD001C0000005000F20001000100000000005000F20002000200000000005000F200040000005000F20002000100000000005000F20002000C000000DD00180000005000F200020001000100800000000300A400000000002700A40000000000420043005E000000620032002F0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000920000
Re: Promiscuous Mode
To be continued over github: https://gist.github.com/brainstorm/24e8 ... 7c5b43a02c
Re: Promiscuous Mode
Yea, well you beat me to the post, but if you look inside you get the 802.11 header in there. The Wireshark hex dump on my laptop vs. the hex dump from the ESP32 shows that after a few bytes they match up if you remove the RadioTap header from the Wireshark one.
ESP32
WireShark
I've highlighted where the 802.11 packet begins and where it ends in both. That was just a beacon packet from my router. The blue is the RadioTap header and the green is what I'm trying to find out. I have a pretty strong feeling it holds information similar to the RadioTap header such as data rate, channel, signal strength. Any advice on where to start is welcome. Also any programs that I can use to fake 802.11 packets so that I can get somewhat consistent results are welcome.
Re: Promiscuous Mode
Cool! Thanks for the reply/highlighting... I've been comparing those with this (higher level?) pullrequest:
https://github.com/espressif/esp-idf/pull/70/files
What I was gonna try next is filtering by (B)SSID/MAC in the promiscuous callback itself (strcmp), therefore only printing a single repeating packet/beacon, and seeing how those bytes change over time... that way at least the RSSI could be relatively easy to spot.
Are you keeping the code somewhere? Happy to jump into a common codebase if you don't mind; that way we could get this thing done faster.
Cheers!
Re: Promiscuous Mode
I don't have a code base right now, but if you want to start one I'd be more than happy to try and contribute to it. Sounds like you have more work put into this anyway.
Re: Promiscuous Mode
For starters I see that your dump starts with `DC` while mine goes from `Ax` to `Dx` at offset 0x0... over several runs of promiscuous mode at different times:
That first byte is followed by `20` (space) and then a variable (to be determined)... then 80 or 81 in the fourth column.
000000 AD 20 36 81 00 00 00
000000 A9 20 2B 81 00 00 00
000000 D6 20 05 81 00 00 00
000000 C9 20 9D 80 00 00 00
000000 A8 20 62 81 00 00 00
000000 A9 20 30 81 00 00 00
000000 AA 20 30 81 00 00 00
000000 AE 20 16 81 00 00 00
000000 C8 20 C6 80 00 00 00
000000 CB 20 30 81 00 00 00
000000 A8 20 30 81 00 00 00
000000 AF 20 30 81 00 00 00
000000 AB 20 36 81 00 00 00
000000 A6 20 2B 81 00 00 00
000000 D6 20 05 81 00 00 00
000000 A9 20 2B 81 00 00 00
000000 A9 20 30 81 00 00 00
000000 C1 20 9D 80 00 00 00
Re: Promiscuous Mode
Try to see if the first byte might be RSSI as a signed byte; just a guess. I would try myself but don't currently have my ESP32 Thing with me.
Re: Promiscuous Mode
Just tried running the first byte as RSSI using the code below. Assuming my phone (Droid Turbo 1) has a similar antenna, it would seem that the first byte is RSSI.
#include <stdint.h>
#include <stdio.h>

/* Print the buffer's first byte as a signed value (suspected RSSI in dBm). */
void promiscuousCallBack(void *buff, uint16_t len){
    (void)len;  /* unused here */
    printf("%d\n", ((signed char *)buff)[0]);
}
Re: Promiscuous Mode
You are correct that the first byte is RSSI as a signed byte.
We're going to be publishing the details of this radiotap header in esp-idf soon, will let you know when it's available.
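As an added example (not code from this thread, nor from Espressif), here is how the buffer handed to the callback can be read using the two facts the thread establishes: byte 0 is RSSI as a signed char, and a normal 802.11 MAC header follows a vendor prefix. In the dump posted earlier, the beacon's frame control bytes (80 00) appear at offset 28, so the example treats the first 28 bytes as the radio prefix; that offset is an assumption taken from that dump, not from any documentation (esp-idf later published the prefix as `wifi_pkt_rx_ctrl_t`, whose first field is `rssi`). The sample bytes are an excerpt of that same dump re-encoded as plain bytes (the original printed four hex digits per byte), cut after the DS Parameter Set IE. Every IE length is checked against the bytes remaining, so a malformed or truncated frame cannot make the parser read past the buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ASSUMPTION from the dump in this thread: frame control (80 00) sits at
   offset 28, so the first 28 bytes are the radio prefix (RSSI first). */
#define RX_CTRL_LEN 28
#define MAC_HDR_LEN 24        /* FC, duration, addr1..3, sequence control */
#define BEACON_FIXED_LEN 12   /* timestamp, beacon interval, capability */

typedef struct {
    int8_t   rssi;            /* byte 0 of the buffer as a signed char */
    uint8_t  type;            /* 0 = management, 1 = control, 2 = data */
    uint8_t  subtype;         /* 8 = beacon when type == 0 */
    uint8_t  bssid[6];        /* addr3 of a beacon */
    uint16_t beacon_interval; /* in TU (1024 us) */
    char     ssid[33];        /* first SSID IE, NUL-terminated */
    int      channel;         /* DS Parameter Set IE, -1 if absent */
} beacon_info_t;

/* Excerpt of the beacon dumped in this thread (SSID "35f4e6"), re-encoded as
   plain bytes and cut after the DS Parameter Set IE. */
static uint8_t sample_frame[] = {
    /* 28-byte radio prefix; byte 0 = 0xAA = -86 dBm */
    0xAA,0x20,0x92,0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0xB4,0x4C,0x05,
    0x03,0x00,0x9E,0x3F,0xA3,0x3F,0x00,0x00,0xF0,0x21,0x92,0x20,0x09,0x00,
    /* 802.11 MAC header: FC 0x0080 (beacon), duration, DA, SA, BSSID, seq */
    0x80,0x00, 0x00,0x00,
    0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
    0xE0,0xCB,0x4E,0x6A,0xF9,0x30,
    0xE0,0xCB,0x4E,0x6A,0xF9,0x30,
    0x00,0xD8,
    /* beacon fixed fields: timestamp, interval 100 TU, capability */
    0x9D,0xD2,0x86,0x05,0x28,0x08,0x00,0x00, 0x64,0x00, 0x11,0x04,
    /* IEs: SSID "35f4e6", supported rates, DS Parameter Set (channel 1) */
    0x00,0x06,0x33,0x35,0x66,0x34,0x65,0x36,
    0x01,0x04,0x82,0x84,0x8B,0x96,
    0x03,0x01,0x01,
};

/* Parse one promiscuous-mode buffer. Returns 0 for a beacon, -1 if the
   buffer is too short or is not a beacon. */
int parse_esp32_beacon(const uint8_t *buf, size_t len, beacon_info_t *out)
{
    memset(out, 0, sizeof *out);
    out->channel = -1;
    if (len < RX_CTRL_LEN + MAC_HDR_LEN) return -1;
    out->rssi = (int8_t)buf[0];

    const uint8_t *mac = buf + RX_CTRL_LEN;
    uint16_t fc = (uint16_t)(mac[0] | (mac[1] << 8));   /* little-endian */
    out->type    = (fc >> 2) & 0x3;
    out->subtype = (fc >> 4) & 0xF;
    memcpy(out->bssid, mac + 16, 6);
    if (out->type != 0 || out->subtype != 8) return -1;

    const uint8_t *body = mac + MAC_HDR_LEN;
    size_t remaining = len - RX_CTRL_LEN - MAC_HDR_LEN;
    if (remaining < BEACON_FIXED_LEN) return -1;
    out->beacon_interval = (uint16_t)(body[8] | (body[9] << 8));

    /* Walk the tagged IEs: one byte tag, one byte length, then the value.
       The length is checked before use so a bad IE cannot overrun buf. */
    const uint8_t *ie = body + BEACON_FIXED_LEN;
    remaining -= BEACON_FIXED_LEN;
    int have_ssid = 0;
    while (remaining >= 2) {
        uint8_t tag = ie[0], ie_len = ie[1];
        if (ie_len > remaining - 2) break;               /* truncated IE */
        if (tag == 0 && !have_ssid && ie_len <= 32) {
            memcpy(out->ssid, ie + 2, ie_len);
            out->ssid[ie_len] = '\0';
            have_ssid = 1;
        } else if (tag == 3 && ie_len == 1) {
            out->channel = ie[2];
        }
        ie += 2 + ie_len;
        remaining -= 2 + ie_len;
    }
    return 0;
}

/* Same shape as the callback posted above, parsing instead of dumping. */
void promiscuousCallBack(void *buff, uint16_t len)
{
    beacon_info_t b;
    if (parse_esp32_beacon((const uint8_t *)buff, len, &b) != 0) return;
    printf("rssi=%d dBm bssid=%02x:%02x:%02x:%02x:%02x:%02x ssid=\"%s\" ch=%d interval=%u TU\n",
           b.rssi, b.bssid[0], b.bssid[1], b.bssid[2], b.bssid[3], b.bssid[4],
           b.bssid[5], b.ssid, b.channel, (unsigned)b.beacon_interval);
}

/* Parses the embedded sample into sample_info; lets the sample be checked
   without a board attached. */
static beacon_info_t sample_info;
int parse_sample(void)
{
    return parse_esp32_beacon(sample_frame, sizeof sample_frame, &sample_info);
}

int main(void)
{
    promiscuousCallBack(sample_frame, (uint16_t)sizeof sample_frame);
    return 0;
}
```

On the sample this prints the RSSI as -86 dBm, the BSSID e0:cb:4e:6a:f9:30, SSID "35f4e6", channel 1 and a 100 TU beacon interval, all of which can be cross-checked against the hex dump earlier in the thread. The same walk over the IEs is what a Wireshark dissector does once the RadioTap header has been stripped; the only ESP32-specific piece is the prefix length.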