WiFi sniffing using

SaSh_283021
Level 1

Hello,

I want to use CYW43907 to fulfill the requirement of WiFi sniffing.

Can the WICED SDK provide me the data below? I also need beacon frames.

D,026f9c,61d83a,,-27,0-

2,26,26,wakultip,OPPO,ipad,wakulthip,wakuthip,waku

ntip,ipsd,bangkoK007,wakulti

R,2294e6,df6963,,-62,2-4,40,40,JARDIN-PRESTIGE

D,32727b,cdf1c1,,-35,0-

2,40,40,virginmedia5330910,BlackBerry Mobile

Hotspot 8739,JARDIN-PRESTIGE

D,02084f,8ee4a0,,-40,0-2,40,40

C,b06ebf,936095,,-90,4-6,40,40

D,40b395,496b93,Apple,-35,0-2,40,40

D,828559,566b47,,-26,0-2,40,40

D,d4389c,d6b6a5,Sony,-37,0-2,40,45,John-Lewis-

WiFi,@AirportTrueFreeWiFi,FREE-Hooters-WiFi,@

WiFi-by-BTOpenzone,@AirportAISFreeWiFi,@ AIS SUPER

WiFi,Furama Silom,Pizza Hut - Free

McDonaldsAIS,castrobar015GHz,Camelot Outdoor WiFi

1,TP-LINKWA850RE

D,02cb79,0e3581,,-84,4-6,40,40

D,dec157,b055ef,,-90,4-6,41,41

D,22932f,c91f4b,,-92,4-6,41,41

A,000b86,e40720,Aruba,-94,4-6,41,41,BAGNETWIFI

A,000b86,e40724,Aruba,-94,4-6,41,41,wBALHRT5

D,963317,306f65,,-51,2-4,188,188

D,76cc11,3adb8a,,-75,4-6,188,188

D,968a9c,e87af9,,-60,2-4,188,188

D,84b541,abf114,Samsung,-37,0-2,189,189,fort

arabesque

D,6e9fa8,ad74ac,,-71,4-6,190,190

D,2054fa,a4aac7,Cisco,-72,4-6,129,129

DD,1101,0,Apple,8,190,190

AD,1270,0,Aruba,30,190,190

For the first column:

D = a device

C = is a device that is connected to an access point (this output is not showing the MAC address of the connected access point, but we do capture it)

A = an access point

R = This is a device that is randomising its MAC address, but we can track it despite this.

DD = Device density. This is a count of the top number of device manufacturers (based on the OUI) we are interested in. The example data set is reporting that (in the previous 60 seconds) it detected 8 Apple devices.

AB = Access point density. As DD, but for access points.

Columns 2 and 3 are the OUI and Address that make up the MAC address

Column 4 shows the human-readable manufacturer of a device that has an identifiable OUI (we are only tracking a limited number of OUIs due to memory limitations of the ESP2866 chip)

Column 5 is the (average) RSSI of the device in the scanning window (15 seconds in this output)

Column 6 is a human-readable estimate of the distance range of the device in meters.

Column 7 is the start time that we saw the device

Column 8 is the last time that we saw the device

0 Likes
1 Solution
Aditi_B
Moderator

Hi,

The feature that you have requested is "Monitor Mode". We haven't tested the monitor mode of CYW43907. Refer to the following link:

https://community.cypress.com/message/206984#206984

You can refer to the sample program in snip\packet_filter in WICED. You can also refer to the snip\scan sample code in WICED, which will display the list of access points, the MAC addresses of the access points, and RSSI. You can resolve the MAC address to obtain access point density and OUI.

PFA image showing the scan results of snip.scan.

Thanks


5 Replies
Is there any other chip with an MCU that can support Monitor mode?

0 Likes
Aditi_B
Moderator

Hi,

We haven't tested and validated the functionality of "Monitor Mode" for WICED devices. You can use CYW43907 and can refer to snip\packet_filter sample code. The sample code can provide partial results for your application. You may refer to the following link:

Wifi chip transmits when monitor mode is enabled

Documentation related to monitor mode can be found in CYW43XX Technical Information - WL Tool for Embedded 802.11 Systems

Thanks

From RAW packet capture, can I get the below information?

MAC header

typedef struct {
    wifi_header_frame_control_t frame_ctrl;
    unsigned duration_id:16;
    uint8_t addr1[6]; /* receiver address */
    uint8_t addr2[6]; /* sender address */
    uint8_t addr3[6]; /* filtering address */
    unsigned sequence_ctrl:16;
    uint8_t addr4[6]; /* optional */
} wifi_ieee80211_mac_hdr_t;

MAC header frame control

typedef struct {
    unsigned protocol:2;
    unsigned type:2;
    unsigned subtype:4;
    unsigned to_ds:1;
    unsigned from_ds:1;
    unsigned more_frag:1;
    unsigned retry:1;
    unsigned pwr_mgmt:1;
    unsigned more_data:1;
    unsigned wep:1;
    unsigned strict:1;
} wifi_header_frame_control_t;

Beacon frame

typedef struct {
    unsigned interval:16;
    unsigned capability:16;
    unsigned tag_number:8;
    unsigned tag_length:8;
    char ssid[0];     /* variable length: tag_length bytes, not NUL-terminated */
    uint8_t rates[1];
} wifi_mgmt_beacon_t;

Packet types and subtypes

typedef enum {
    WIFI_PKT_MGMT,
    WIFI_PKT_CTRL,
    WIFI_PKT_DATA,
    WIFI_PKT_MISC,
} wifi_promiscuous_pkt_type_t;

typedef enum {
    ASSOCIATION_REQ,
    ASSOCIATION_RES,
    REASSOCIATION_REQ,
    REASSOCIATION_RES,
    PROBE_REQ,
    PROBE_RES,
    NU1, /* ......................*/
    NU2, /* 0110, 0111 not used */
    BEACON,
    ATIM,
    DISASSOCIATION,
    AUTHENTICATION,
    DEAUTHENTICATION,
    ACTION,
    ACTION_NACK,
} wifi_mgmt_subtypes_t;
0 Likes
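
Added example (not part of the original thread and not WICED SDK code): the header fields and SSID asked about above can be read from a raw 802.11 management frame with shifts and masks rather than bit-field structs, whose layout is compiler-dependent, with a bounds check on every tagged element. It assumes the buffer starts at the 802.11 MAC header with no capture prefix; `frame_info_t`, `parse_mgmt_frame` and `SAMPLE_BEACON` are hypothetical names, and the sample frame is constructed from one "A" row of the question.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MGMT_HDR_LEN 24  /* frame control, duration, addr1-3, sequence control */
typedef struct {
    uint8_t type, subtype, to_ds, from_ds;
    uint8_t sender[6];   /* addr2 */
    int     local_admin; /* locally administered bit of addr2 (set by randomised MACs) */
    char    ssid[33];    /* NUL-terminated; empty if absent or hidden */
} frame_info_t;
/* Constructed sample beacon (not a real capture), built from an "A" row of the post. */
static const uint8_t SAMPLE_BEACON[] = {
    0x80, 0x00, 0x00, 0x00,                  /* frame control (beacon), duration */
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,      /* addr1: broadcast */
    0x00, 0x0b, 0x86, 0xe4, 0x07, 0x20,      /* addr2: sender */
    0x00, 0x0b, 0x86, 0xe4, 0x07, 0x20,      /* addr3: BSSID */
    0x00, 0x00, 0, 0, 0, 0, 0, 0, 0, 0, 0x64, 0x00, 0x01, 0x04, /* seq, timestamp, interval, capability */
    0x00, 10, 'B','A','G','N','E','T','W','I','F','I'           /* SSID element */
};
/* Returns 0 on success, -1 if the frame is truncated or an element overruns it. */
int parse_mgmt_frame(const uint8_t *buf, size_t len, frame_info_t *out)
{
    if (len < MGMT_HDR_LEN) return -1;
    memset(out, 0, sizeof *out);
    out->type    = (buf[0] >> 2) & 0x3;       /* shifts and masks, no bit-fields */
    out->subtype = (buf[0] >> 4) & 0xF;
    out->to_ds   = buf[1] & 0x1; out->from_ds = (buf[1] >> 1) & 0x1;
    memcpy(out->sender, buf + 10, 6);
    out->local_admin = (buf[10] & 0x02) != 0;
    size_t off = MGMT_HDR_LEN;
    if (out->type != 0) return 0;             /* not a management frame */
    if (out->subtype == 8) off += 12;         /* beacon: timestamp(8)+interval(2)+capability(2) */
    else if (out->subtype != 4) return 0;     /* probe request: elements follow the header */
    if (off > len) return -1;
    while (off + 2 <= len) {                  /* walk tag/length/value elements */
        uint8_t tag = buf[off], tlen = buf[off + 1];
        if (off + 2 + tlen > len || (tag == 0 && tlen > 32)) return -1;
        if (tag == 0) { memcpy(out->ssid, buf + off + 2, tlen); return 0; }
        off += 2u + tlen;
    }
    return 0;
}

int main(void) {
    frame_info_t fi;
    if (parse_mgmt_frame(SAMPLE_BEACON, sizeof SAMPLE_BEACON, &fi) == 0)
        printf("subtype=%d ssid=%s\n", fi.subtype, fi.ssid);
    return 0;
}
```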
Aditi_B
Moderator

Hi,

You can try snip\packet_filter and can get results for the wifi_mgmt_subtypes_t, from_ds, to_ds, receiver address, sender address, filtering address. As we haven't validated and tested "Monitor Mode", you may get partial results. You can refer to the links in the previous responses.

Thanks

0 Likes