7 Replies Latest reply on Apr 3, 2019 4:25 AM by user_4087271

    Lack of broadcast probe request frames in monitor mode

    user_4087271

      Hello,

      We're developing a standalone PCB to monitor WiFi devices based on the management frames they are sending out (Probe Requests mainly).

      We're currently using the BCM943362WCD4_EVB Dev Board (BCM943362 chip) with WICED Studio Version 6.2.1.2.


      We're initiating monitor mode on the board and printing the output as suggested in the sample application snip/packet_filter.

      Here is a piece of the code:

      /* Packet-filter and monitor-mode setup, adapted from snip/packet_filter.
       * raw_packet_callback(), workspace, the pktfilter_*() helpers and
       * print_packet_filter_list() come from that sample application and are
       * not repeated here. */
      #include "wiced.h"

      /* Filter 1: negative match on the first byte of the 802.11 frame-control
       * field. 0x80 is type management / subtype beacon, so this filter drops
       * beacons and forwards every other frame. */
      static const wiced_packet_filter_t anti_beacon = {
              .id           = 1,
              .rule         = WICED_PACKET_FILTER_RULE_NEGATIVE_MATCHING, /* pass frames that do NOT match */
              .offset       = 0,
              .mask_size    = 1,
              .mask         = (uint8_t*)"\xff",
              .pattern      = (uint8_t*)"\x80",
      };

      /* IDs of the filters installed below */
      char filter_list[] = {1};

      void application_start() {

          wiced_init();
          wwd_wifi_select_antenna (WICED_ANTENNA_1);

          /* Start clean: disable & uninstall any filters left from a previous run */
          pktfilter_disable(filter_list, sizeof(filter_list));
          pktfilter_remove(filter_list, sizeof(filter_list));

          /* Filter settings: forward frames that pass the filters */
          wiced_wifi_set_packet_filter_mode( WICED_PACKET_FILTER_MODE_FORWARD );

          wiced_wifi_add_packet_filter( &anti_beacon );

          /* Register callback for packets that match filters */
          wwd_wifi_set_raw_packet_processor(raw_packet_callback);

          memset(&workspace->sniff_complete, 0, sizeof(workspace->sniff_complete));
          wiced_rtos_init_semaphore(&workspace->sniff_complete);

          /* Enable Filters */
          pktfilter_enable(filter_list, sizeof(filter_list));

          /* Display current filter settings */
          print_packet_filter_list();

          /* Demonstrate filters are all zeros to start. */
          pktfilter_stats(filter_list, sizeof(filter_list));

          /* Enable monitor mode so we will receive the packets */
          wwd_wifi_set_channel( WICED_STA_INTERFACE, 6);

          wwd_wifi_enable_monitor_mode();

          /* Collect packets for 50 seconds (50 * 1000 ms) */
          wiced_rtos_get_semaphore(&workspace->sniff_complete, 50 * 1000);

          /* Done sniffing.  Disable monitor mode */
          wwd_wifi_disable_monitor_mode();

          /* Show number of hits.  Note that even without monitor mode the stats will still show number of matches. */
          pktfilter_stats(filter_list, sizeof(filter_list));

          /* Deregister our callback routine */
          wwd_wifi_set_raw_packet_processor( NULL);

          /* Mission Complete, disable & uninstall filters */
          pktfilter_disable(filter_list, sizeof(filter_list));
          pktfilter_remove(filter_list, sizeof(filter_list));

          wiced_rtos_deinit_semaphore(&workspace->sniff_complete);
      }


      We're receiving beacon frames, probe responses and other frames just fine, but we're not getting any Probe Requests sent to the broadcast address (receiver address and bssid set to ff:ff:ff:ff:ff:ff). Probe requests sent to any other Destination/BSSID are being received and displayed correctly.


      Specifically, any frames with a receiver address starting with 'ff' (e.g. 'ff:aa:aa:aa:aa:aa') seem to be discarded and are not passed to the callback function. Probe requests sent to any other Receiver Address (e.g. 'fa:aa:aa:aa:aa:aa') are being received and displayed correctly.


      We also tried to get this working without any packet filter on a less frequented channel; there were also no or fewer Probe Request frames.

      Next, we compared the output of the Dev Board chip with an ESP8266 with a filter on probe requests - the ESP collects all of them.


      Is there a configuration option/flag we have to set to receive Probe Requests sent to broadcast addresses (the VAST majority of probe requests)? Is this a limitation imposed by WICED, or could this be a limitation of the chipset?


      Thanks in advance for any help.
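The following is an added example, not code from the post above or from the WICED SDK. It models the offset/mask/pattern matching that the post's anti_beacon filter relies on (the hypothetical sim_filter_t mirrors the fields of wiced_packet_filter_t) and parses the 802.11 header of constructed management frames to tell a beacon from a probe request and a broadcast receiver address from a directed one. It is useful for confirming, on a host PC, what the filter is expected to forward before comparing against what the board actually delivers: a broadcast probe request should pass the filter just as a directed one does, so frames missing in the callback are being dropped somewhere below the filter. All MAC addresses and frames are constructed sample data.

```c
/* Added example (not from the original post or WICED): host-side model of the
 * mask/pattern packet filter and 802.11 management-frame classification.
 * Build: cc -std=c99 -Wall filter_sim.c -o filter_sim */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for wiced_packet_filter_t with the fields the post uses. */
typedef struct {
    int            negative;   /* 1 = forward frames that do NOT match (negative matching) */
    uint16_t       offset;     /* byte offset into the frame where matching starts */
    uint16_t       mask_size;  /* number of bytes compared */
    const uint8_t *mask;
    const uint8_t *pattern;
} sim_filter_t;

/* Returns 1 if (frame & mask) == (pattern & mask) at the filter offset. */
static int filter_raw_match(const sim_filter_t *f, const uint8_t *frame, size_t len)
{
    if ((size_t)f->offset + f->mask_size > len) return 0;  /* too short to match */
    for (uint16_t i = 0; i < f->mask_size; i++)
        if ((frame[f->offset + i] & f->mask[i]) != (f->pattern[i] & f->mask[i]))
            return 0;
    return 1;
}

/* Returns 1 if the filter forwards this frame, honouring negative matching. */
int filter_passes(const sim_filter_t *f, const uint8_t *frame, size_t len)
{
    int m = filter_raw_match(f, frame, len);
    return f->negative ? !m : m;
}

/* 802.11 frame control, first byte: bits 2-3 type, bits 4-7 subtype. */
#define FC_TYPE(b)        (((b) >> 2) & 0x3)
#define FC_SUBTYPE(b)     (((b) >> 4) & 0xF)
#define FC_TYPE_MGMT      0
#define SUBTYPE_PROBE_REQ 4
#define SUBTYPE_BEACON    8

enum { FRAME_OTHER = 0, FRAME_BEACON = 1, FRAME_PROBE_REQ_BCAST = 2, FRAME_PROBE_REQ_DIRECTED = 3 };

/* Address 1 (receiver address) occupies bytes 4..9 of a management frame header. */
static int is_broadcast_ra(const uint8_t *frame)
{
    static const uint8_t bcast[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    return memcmp(frame + 4, bcast, 6) == 0;
}

int classify_frame(const uint8_t *frame, size_t len)
{
    if (len < 24 || FC_TYPE(frame[0]) != FC_TYPE_MGMT) return FRAME_OTHER;
    if (FC_SUBTYPE(frame[0]) == SUBTYPE_BEACON) return FRAME_BEACON;
    if (FC_SUBTYPE(frame[0]) == SUBTYPE_PROBE_REQ)
        return is_broadcast_ra(frame) ? FRAME_PROBE_REQ_BCAST : FRAME_PROBE_REQ_DIRECTED;
    return FRAME_OTHER;
}

/* Constructed addresses: a station, an AP, and the 'fa:aa:...' RA from the post. */
static const uint8_t BCAST[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
static const uint8_t STA_A[6] = {0x02, 0x11, 0x22, 0x33, 0x44, 0x55};
static const uint8_t AP_B[6]  = {0x02, 0xaa, 0xbb, 0xcc, 0xdd, 0xee};
static const uint8_t RA_FA[6] = {0xfa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa};

/* Builds a 24-byte management header: FC, duration, A1 (RA), A2 (TA), A3 (BSSID), seq ctl. */
static size_t build_mgmt_frame(uint8_t *buf, uint8_t fc0, const uint8_t *a1,
                               const uint8_t *a2, const uint8_t *a3)
{
    memset(buf, 0, 24);           /* duration, flags and sequence control left zero */
    buf[0] = fc0;
    memcpy(buf + 4, a1, 6);
    memcpy(buf + 10, a2, 6);
    memcpy(buf + 16, a3, 6);
    return 24;
}

/* Same filter as the post: offset 0, one byte, mask 0xff, pattern 0x80, negative. */
static const uint8_t ANTI_BEACON_MASK[1]    = {0xff};
static const uint8_t ANTI_BEACON_PATTERN[1] = {0x80};
static const sim_filter_t anti_beacon = {1, 0, 1, ANTI_BEACON_MASK, ANTI_BEACON_PATTERN};

/* Sample i: 0 = beacon, 1 = broadcast probe request, 2 = directed probe request. */
static size_t build_sample(int i, uint8_t *buf)
{
    switch (i) {
    case 0:  return build_mgmt_frame(buf, 0x80, BCAST, AP_B, AP_B);
    case 1:  return build_mgmt_frame(buf, 0x40, BCAST, STA_A, BCAST);
    default: return build_mgmt_frame(buf, 0x40, RA_FA, STA_A, RA_FA);
    }
}

int classify_sample(int i)
{
    uint8_t buf[24];
    size_t n = build_sample(i, buf);
    return classify_frame(buf, n);
}

/* Bit i set => sample i is forwarded by anti_beacon. Expected 0x6: the beacon is
 * dropped, both probe requests (broadcast and directed) are forwarded. */
int forwarded_mask(void)
{
    int mask = 0;
    for (int i = 0; i < 3; i++) {
        uint8_t buf[24];
        size_t n = build_sample(i, buf);
        if (filter_passes(&anti_beacon, buf, n)) mask |= 1 << i;
    }
    return mask;
}

int main(void)
{
    static const char *names[] = {"other", "beacon", "probe-req/broadcast", "probe-req/directed"};
    for (int i = 0; i < 3; i++)
        printf("sample %d: %s, forwarded=%d\n", i, names[classify_sample(i)],
               (forwarded_mask() >> i) & 1);
    return 0;
}
```

Because the filter only looks at the frame-control byte, it cannot be what removes broadcast-addressed probe requests: the model forwards sample 1 (RA ff:ff:ff:ff:ff:ff) and sample 2 (RA fa:aa:aa:aa:aa:aa) alike, which matches the post's observation that the difference must come from the driver or firmware rather than from the filter rule.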