Saturday, January 29, 2022

WiFi 6E Packet Capture

I wanted to use the Intel AX210 WiFi-6E adapter that supports the new 6GHz channels to capture traffic once I was able to setup communications between an Extreme AP4000u AP and a Windows 11 PC with the same Intel AX210 adapter. I could tell the Windows system was using 6GHz channels via netsh commands, but wanted to check the traffic via monitor mode.

My Linux capture platform is

    user@system:~$ cat /etc/debian_version
    11.1


running kernel

user@system:~$ uname -a
Linux system 5.14.0-0.bpo.2-amd64 #1 SMP Debian 5.14.9-2~bpo11+1 (2021-10-10) x86_64 GNU/Linux

which is a Debian 11 backports kernel.  The adapters on this system include:

user@system:~$ sudo interfaces.sh
Ndx Iface  Phy  Driver    Mode    Up? Channel      Width Center   Packets
0   wlan1  phy3 rt2800usb monitor Y    1 (2412MHz) 20MHz 2412 MHz 1298
1   wlan6  phy2 rt2800usb monitor Y    6 (2437MHz) 20MHz 2437 MHz 1407
2   wlan11 phy4 rt2800usb monitor Y   11 (2462MHz) 20MHz 2462 MHz 3462
3   wlancu phy1 mt76x2u   managed N                                  0
4   wlp1s0 phy0 iwlwifi   managed Y   36 (5180MHz) 80MHz 5210 MHz 2270


The AX210 wireless adapter is phy0 here and shows up in lspci as:

    01:00.0 Network controller: Intel Corporation Device 2725 (rev 1a)

with capabilities:
user@system:~$ iw phy phy0 info
    <cut>
        Frequencies:
            * 5955 MHz [1] (disabled)
            * 5975 MHz [5] (disabled)
            * 5995 MHz [9] (disabled)
            * 6015 MHz [13] (disabled)
            * 6035 MHz [17] (disabled)
            <cut>


Notice that the 6GHz channels are all ‘disabled’?  That doesn’t bode well for trying to capture on these channels.

This is what I had to go through to get the adapter to correctly assess that it was in an FCC region, and that it could actually use these 6GHz channels. Though the regulatory domain is correct for the system, it does not much matter when the adapter does not respect the system setting:


user@system:~$ iw reg get
global
country US: DFS-FCC
(2400 - 2483 @ 40), (N/A, 30), (N/A)
(5150 - 5250 @ 80), (N/A, 23), (N/A), AUTO-BW
(5250 - 5350 @ 80), (N/A, 23), (0 ms), DFS, AUTO-BW
(5470 - 5730 @ 160), (N/A, 23), (0 ms), DFS
(5730 - 5850 @ 80), (N/A, 30), (N/A)
(57240 - 71000 @ 2160), (N/A, 40), (N/A)
phy#0 (self-managed)
country 00: DFS-UNSET
(2402 - 2437 @ 40), (6, 22), (N/A), AUTO-BW, NO-HT40MINUS, NO-80MHZ, NO-160MHZ
(2422 - 2462 @ 40), (6, 22), (N/A), AUTO-BW, NO-80MHZ, NO-160MHZ
(2447 - 2482 @ 40), (6, 22), (N/A), AUTO-BW, NO-HT40PLUS, NO-80MHZ, NO-160MHZ
(5170 - 5190 @ 160), (6, 22), (N/A), NO-OUTDOOR, AUTO-BW, IR-CONCURRENT, NO-HT40MINUS, PASSIVE-SCAN
(5190 - 5210 @ 160), (6, 22), (N/A), NO-OUTDOOR, AUTO-BW, IR-CONCURRENT, NO-HT40PLUS, PASSIVE-SCAN
(5210 - 5230 @ 160), (6, 22), (N/A), NO-OUTDOOR, AUTO-BW, IR-CONCURRENT, NO-HT40MINUS, PASSIVE-SCAN
(5230 - 5250 @ 160), (6, 22), (N/A), NO-OUTDOOR, AUTO-BW, IR-CONCURRENT, NO-HT40PLUS, PASSIVE-SCAN
(5250 - 5270 @ 160), (6, 22), (0 ms), DFS, AUTO-BW, NO-HT40MINUS, PASSIVE-SCAN
(5270 - 5290 @ 160), (6, 22), (0 ms), DFS, AUTO-BW, NO-HT40PLUS, PASSIVE-SCAN
(5290 - 5310 @ 160), (6, 22), (0 ms), DFS, AUTO-BW, NO-HT40MINUS, PASSIVE-SCAN
(5310 - 5330 @ 160), (6, 22), (0 ms), DFS, AUTO-BW, NO-HT40PLUS, PASSIVE-SCAN
(5490 - 5510 @ 240), (6, 22), (0 ms), DFS, AUTO-BW, NO-HT40MINUS, PASSIVE-SCAN
(5510 - 5530 @ 240), (6, 22), (0 ms), DFS, AUTO-BW, NO-HT40PLUS, PASSIVE-SCAN
(5530 - 5550 @ 240), (6, 22), (0 ms), DFS, AUTO-BW, NO-HT40MINUS, PASSIVE-SCAN
(5550 - 5570 @ 240), (6, 22), (0 ms), DFS, AUTO-BW, NO-HT40PLUS, PASSIVE-SCAN
(5570 - 5590 @ 240), (6, 22), (0 ms), DFS, AUTO-BW, NO-HT40MINUS, PASSIVE-SCAN
(5590 - 5610 @ 240), (6, 22), (0 ms), DFS, AUTO-BW, NO-HT40PLUS, PASSIVE-SCAN
(5610 - 5630 @ 240), (6, 22), (0 ms), DFS, AUTO-BW, NO-HT40MINUS, PASSIVE-SCAN
(5630 - 5650 @ 240), (6, 22), (0 ms), DFS, AUTO-BW, NO-HT40PLUS, PASSIVE-SCAN
(5650 - 5670 @ 80), (6, 22), (0 ms), DFS, AUTO-BW, NO-HT40MINUS, NO-160MHZ, PASSIVE-SCAN
(5670 - 5690 @ 80), (6, 22), (0 ms), DFS, AUTO-BW, NO-HT40PLUS, NO-160MHZ, PASSIVE-SCAN
(5690 - 5710 @ 80), (6, 22), (0 ms), DFS, AUTO-BW, NO-HT40MINUS, NO-160MHZ, PASSIVE-SCAN
(5710 - 5730 @ 80), (6, 22), (0 ms), DFS, AUTO-BW, NO-HT40PLUS, NO-160MHZ, PASSIVE-SCAN
(5735 - 5755 @ 80), (6, 22), (N/A), AUTO-BW, IR-CONCURRENT, NO-HT40MINUS, NO-160MHZ, PASSIVE-SCAN
(5755 - 5775 @ 80), (6, 22), (N/A), AUTO-BW, IR-CONCURRENT, NO-HT40PLUS, NO-160MHZ, PASSIVE-SCAN
(5775 - 5795 @ 80), (6, 22), (N/A), AUTO-BW, IR-CONCURRENT, NO-HT40MINUS, NO-160MHZ, PASSIVE-SCAN
(5795 - 5815 @ 80), (6, 22), (N/A), AUTO-BW, IR-CONCURRENT, NO-HT40PLUS, NO-160MHZ, PASSIVE-SCAN
(5815 - 5835 @ 40), (6, 22), (N/A), AUTO-BW, IR-CONCURRENT, NO-HT40MINUS, NO-80MHZ, NO-160MHZ, PASSIVE-SCAN

What I had to do is bring up the adapter in managed mode, add a secondary monitor interface to this phy, and then perform a scan:

user@system:~$ sudo ip link set wlp1s0 down
user@system:~$ sudo iw dev wlp1s0 set type managed
user@system:~$ sudo ip link set wlp1s0 up
u
ser@system:~$ sudo iw phy phy0 interface add mon0 type monitor
user@system:~$ sudo ip link set mon0 up


Execute the scan on the primary managed interface:

user@system:~$ sudo iw dev wlp1s0 scan
<cut>

Check the domain again:

user@system:~$ iw reg get
global
country US: DFS-FCC
<cut>
phy#0 (self-managed)
country US: DFS-UNSET
<cut>

Check the channel listing - consistent with the updated domain, the 6GHz channels are now available for client or monitor mode use (we still could not create an AP on these channels):

user@system:~$ iw phy phy0 info
<cut>
    Frequencies:
        * 5955 MHz [1] (22.0 dBm) (no IR)
        * 5975 MHz [5] (22.0 dBm) (no IR)
        * 5995 MHz [9] (22.0 dBm) (no IR)
        * 6015 MHz [13] (22.0 dBm) (no IR)
        * 6035 MHz [17] (22.0 dBm) (no IR)
        <cut>


Disable the managed interface:

user@system:~$ ip link set wlp1s0 down


Set a 6GHz channel and use your favorite capture system (tcpdump, dumpcap, wireshark, etc) to capture monitor mode on 6GHz:

user@system:~$ sudo iw mon0 set freq 6935 160 6985


No comments:

Post a Comment