Lack of broadcast probe request frames in monitor mode


user_4087271

Hello,

We're developing a standalone PCB to monitor WiFi devices based on the management frames they are sending out (mainly Probe Requests).

We're currently using the BCM943362WCD4_EVB dev board (BCM943362 chip) with WICED Studio version 6.2.1.2.

We're initiating monitor mode on the board and printing the output as suggested in the sample application snip/packet_filter.

Here is a piece of the code:

/* Negative-match rule on byte 0 of the frame (Frame Control): frames whose first
 * byte equals 0x80 (management type, beacon subtype) are dropped, everything else passes. */
static const wiced_packet_filter_t anti_beacon = {
        .id           = 1,
        .rule         = WICED_PACKET_FILTER_RULE_NEGATIVE_MATCHING, // Negative match
        .offset       = 0,
        .mask_size    = 1, // 2
        .mask         = (uint8_t*)"\xff",
        .pattern      = (uint8_t*)"\x80",
};

char filter_list[] = {1};

/* pktfilter_*(), print_packet_filter_list(), raw_packet_callback() and workspace
 * come from the snip/packet_filter sample application. */
void application_start() {
    wiced_init();
    wwd_wifi_select_antenna(WICED_ANTENNA_1);

    /* Start clean: disable & uninstall any filters left over from a previous run */
    pktfilter_disable(filter_list, sizeof(filter_list));
    pktfilter_remove(filter_list, sizeof(filter_list));

    /* Filter settings */
    wiced_wifi_set_packet_filter_mode(WICED_PACKET_FILTER_MODE_FORWARD);
    wiced_wifi_add_packet_filter(&anti_beacon);

    /* Register callback for packets that match filters */
    wwd_wifi_set_raw_packet_processor(raw_packet_callback);
    memset(&workspace->sniff_complete, 0, sizeof(workspace->sniff_complete));
    wiced_rtos_init_semaphore(&workspace->sniff_complete);

    /* Enable Filters */
    pktfilter_enable(filter_list, sizeof(filter_list));

    /* Display current filter settings */
    print_packet_filter_list();

    /* Demonstrate filter stats are all zeros to start. */
    pktfilter_stats(filter_list, sizeof(filter_list));

    /* Enable monitor mode so we will receive the packets */
    wwd_wifi_set_channel(WICED_STA_INTERFACE, 6); //
    wwd_wifi_enable_monitor_mode();

    /* Collect packets for 50 seconds (50 * 1000 ms timeout). */
    wiced_rtos_get_semaphore(&workspace->sniff_complete, 50 * 1000);

    /* Done sniffing. Disable monitor mode */
    wwd_wifi_disable_monitor_mode();

    /* Show number of hits. Note that even without monitor mode the stats will still show number of matches. */
    pktfilter_stats(filter_list, sizeof(filter_list));

    /* Deregister our callback routine */
    wwd_wifi_set_raw_packet_processor(NULL);

    /* Mission Complete, disable & uninstall filters */
    pktfilter_disable(filter_list, sizeof(filter_list));
    pktfilter_remove(filter_list, sizeof(filter_list));

    wiced_rtos_deinit_semaphore(&workspace->sniff_complete);
}

We're receiving beacon frames, probe responses and other frames just fine, but we're not getting any Probe Requests sent to the broadcast address (receiver address and bssid set to ff:ff:ff:ff:ff:ff). Probe requests sent to any other Destination/BSSID are being received and displayed correctly.

Specifically, any frames with a receiver address starting with 'ff' (e.g. 'ff:aa:aa:aa:aa:aa') seem to be discarded and are not passed to the callback function. Probe requests sent to any other Receiver Address (e.g. 'fa:aa:aa:aa:aa:aa') are being received and displayed correctly.

We also tried to get this working without any packet filter on a less frequented channel; there were also no or fewer Probe Request frames.

Next, we compared the output of the dev board chip with an ESP8266 with a filter on probe requests: the ESP collects all of them.

Is there a configuration option/flag we have to set to receive Probe Requests sent to broadcast addresses (the VAST majority of probe requests)? Is this a limitation imposed by WICED, or could this be a limitation of the chipset?

Thanks in advance for any help.


Zhengbao_Zhang (Moderator)

Hello:

I did the steps below to get the probe frame:

1. char filter_list[] = {11};
   only filter MAC address

2. static const uint8_t macaddr_mask[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
   try to get all the packets.

3. change the dump_layer2(); function
   in case FC_TYPE_MNG:
   if(type_sub==4)
   only print out req frames in management type.

Now you can get probe req as you wanted; please have a try.

But I am testing based on 43907.

pastedImage_1.png

Hello,

thank you very much for your answer.

I've checked your code crosswise with the suggested A3 MAC (offset 16) and the A1 MAC (offset 4).

In parallel I've collected the frames with an ESP8266; all of the broadcast frames reached the ESP but not the BCM43362.

In all of these variants, the broadcast address beginning with "ff" is filtered out:

dst = 'ca:ca:ca:aa:cc:cc'

is working,

dst = 'ff:ca:ca:aa:cc:cc'

is not working.

The interesting thing is that we only get Retry Probe Requests:

M Probe Req 0/4 R FromDS 0 ToDS 0 Seq 2187 ca:ca:ca:aa:cc:cc ba:00:00:00:00:00 ca:ca:ca:aa:cc:cc

M Probe Req 0/4 R FromDS 0 ToDS 0 Seq 2187 ca:ca:ca:aa:cc:cc ba:00:00:00:00:00 ca:ca:ca:aa:cc:cc

Is it possible to get more information about this "bug" or "feature"?


Hello:

According to the 802.11 frame description, the A1, A2, A3 addresses are decided by the value of <From DS, To DS>, so please enable A1, A2, A3 together.

I think you can get all the management frames with your MAC setting; I have tried it in my setting and it works.
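As an added example (not code from the thread, from WICED or from the sample application), the following C model of the offset/mask/pattern rule and of the A1/A2/A3 header positions shows why the anti_beacon rule from the question passes probe requests (Frame Control byte 0x40) and drops beacons (0x80), why the all-zero A1 mask from the first reply passes every frame, and how received frames can be checked in software for the broadcast receiver address that is missing from the captures. The sw_filter_t struct, the helper names and the sample frames are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 802.11 MAC header layout: FC(2) Duration(2) A1(6) A2(6) A3(6) SeqCtl(2) = 24 bytes */
enum { A1_OFFSET = 4, A2_OFFSET = 10, A3_OFFSET = 16, HDR_LEN = 24 };
enum { FC_TYPE_MGMT = 0, SUBTYPE_PROBE_REQ = 4, SUBTYPE_BEACON = 8 };

/* Hypothetical software model of a WICED offset/mask/pattern rule
 * (same fields as the wiced_packet_filter_t used in the question). */
typedef struct {
    bool negative;                 /* true = NEGATIVE_MATCHING: pass frames that do NOT match */
    size_t offset, mask_size;
    const uint8_t *mask, *pattern;
} sw_filter_t;

/* A rule matches when every masked frame byte equals the masked pattern byte;
 * an all-zero mask therefore matches any frame, as in the moderator's macaddr_mask. */
bool filter_passes(const sw_filter_t *f, const uint8_t *frame, size_t len)
{
    if (f->offset + f->mask_size > len)
        return false;              /* frame too short to evaluate the rule */
    bool match = true;
    for (size_t i = 0; i < f->mask_size && match; i++)
        match = (frame[f->offset + i] & f->mask[i]) == (f->pattern[i] & f->mask[i]);
    return f->negative ? !match : match;
}

/* Frame Control byte 0: bits 2-3 = type, bits 4-7 = subtype ("0/4" = mgmt/probe req). */
int fc_type(const uint8_t *frame)    { return (frame[0] >> 2) & 0x3; }
int fc_subtype(const uint8_t *frame) { return (frame[0] >> 4) & 0xF; }

/* Build a minimal management header from constructed addresses (not a capture). */
void build_mgmt_hdr(uint8_t *buf, int subtype,
                    const uint8_t *a1, const uint8_t *a2, const uint8_t *a3)
{
    memset(buf, 0, HDR_LEN);
    buf[0] = (uint8_t)((FC_TYPE_MGMT << 2) | (subtype << 4));
    memcpy(buf + A1_OFFSET, a1, 6);
    memcpy(buf + A2_OFFSET, a2, 6);
    memcpy(buf + A3_OFFSET, a3, 6);
}

/* True for a probe request whose receiver address (A1) is ff:ff:ff:ff:ff:ff. */
bool is_broadcast_probe_req(const uint8_t *frame, size_t len)
{
    static const uint8_t bcast[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    return len >= HDR_LEN && fc_type(frame) == FC_TYPE_MGMT &&
           fc_subtype(frame) == SUBTYPE_PROBE_REQ &&
           memcmp(frame + A1_OFFSET, bcast, 6) == 0;
}
```

Running is_broadcast_probe_req() inside the raw packet callback, with the filter mask set to all zeros, separates "the filter dropped it" from "the frame never reached the callback", which is the distinction this thread turns on.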

Hello,

we extended the code with the A1, A2 and A3 filter, but again there was no success.

We also checked the complete raw packets from the callback function; all of the packets we received were without a broadcast address. In our script we tested the limits: the address "FE:FF:FF:FF:FF:FF" was passed through but the broadcast address "FF:FF:FF:FF:FF:FF" was not.
(Again we cross-checked the response with the ESP8266; the broadcast packets get in.)

So maybe it is a firmware limitation of the BCM943362 or another bug; maybe we will cross-check the problem with an older WICED Studio version.


I will find a 43362 board for a try; it seems the results are different in my test. You can see that all the broadcast frames can be filtered in my last pic attached.


Hello:

Please use the firmware attached from version 6.1; I just verified it on the 43362WCD4 board.

Thank you very much for your help.
