5 Replies Latest reply on Mar 3, 2020 3:32 AM by AditiB_81

    WiFi sniffing using

    SaSh_283021

      Hello,

       

      I want to use CYW43907 to fulfill the requirement of WiFi sniffing.

       

      Can the WICED SDK provide me the data below? I also need beacon frames.

       

      D,026f9c,61d83a,,-27,0-

      2,26,26,wakultip,OPPO,ipad,wakulthip,wakuthip,waku

      ntip,ipsd,bangkoK007,wakulti

      R,2294e6,df6963,,-62,2-4,40,40,JARDIN-PRESTIGE

      D,32727b,cdf1c1,,-35,0-

      2,40,40,virginmedia5330910,BlackBerry Mobile

      Hotspot 8739,JARDIN-PRESTIGE

      D,02084f,8ee4a0,,-40,0-2,40,40

      C,b06ebf,936095,,-90,4-6,40,40

      D,40b395,496b93,Apple,-35,0-2,40,40

      D,828559,566b47,,-26,0-2,40,40

      D,d4389c,d6b6a5,Sony,-37,0-2,40,45,John-Lewis-

      WiFi,@AirportTrueFreeWiFi,FREE-Hooters-WiFi,@

      WiFi-by-BTOpenzone,@AirportAISFreeWiFi,@ AIS SUPER

      WiFi,Furama Silom,Pizza Hut - Free

      McDonaldsAIS,castrobar015GHz,Camelot Outdoor WiFi

      1,TP-LINKWA850RE

      D,02cb79,0e3581,,-84,4-6,40,40

      D,dec157,b055ef,,-90,4-6,41,41

      D,22932f,c91f4b,,-92,4-6,41,41

      A,000b86,e40720,Aruba,-94,4-6,41,41,BAGNETWIFI

      A,000b86,e40724,Aruba,-94,4-6,41,41,wBALHRT5

      D,963317,306f65,,-51,2-4,188,188

      D,76cc11,3adb8a,,-75,4-6,188,188

      D,968a9c,e87af9,,-60,2-4,188,188

      D,84b541,abf114,Samsung,-37,0-2,189,189,fort

      arabesque

      D,6e9fa8,ad74ac,,-71,4-6,190,190

      D,2054fa,a4aac7,Cisco,-72,4-6,129,129

      DD,1101,0,Apple,8,190,190

      AD,1270,0,Aruba,30,190,190

       

      For the first column:

      D = a device

      C = a device that is connected to an access point (this output is not showing the MAC address of the connected access point, but we do capture it)

      A = an access point

      R = This is a device that is randomising its MAC address, but we can track it despite this.

      DD = Device density. This is a count of the top number of device manufacturers (based on the OUI) we are interested in. The example data set is reporting that (in the previous 60 seconds) it detected 8 Apple devices.

      AB = Access point density. As DD, but for access points.

      Columns 2 and 3 are the OUI and Address that make up the MAC address

      Column 4 shows the human-readable manufacturer of a device that has an identifiable OUI (we are only tracking a limited number of OUIs due to memory limitations of the ESP2866 chip)

      Column 5 is the (average) RSSI of the device in the scanning window (15 seconds in this output)

      Column 6 is a human-readable estimate of the distance range of the device in meters.

      Column 7 is the start time that we saw the device

      Column 8 is the last time that we saw the device

        • 1. Re: WiFi sniffing using
          AditiB_81

          Hi,

          The feature that you have requested is "Monitor Mode". We haven't tested the monitor mode of CYW43907. Refer to the following link:

          https://community.cypress.com/message/206984#206984

           

          You can refer to the sample program in snip\packet_filter in WICED. You can also refer to the snip\scan sample code in WICED, which will display the list of access points, the MAC addresses of the access points, and the RSSI. You can resolve the MAC address to obtain access point density and OUI.

          PFA image showing the scan results of snip.scan.

           

          Thanks

          • 2. Re: WiFi sniffing using
            SaSh_283021

            Is there any other chip with an MCU that can support Monitor mode?

            • 3. Re: WiFi sniffing using
              AditiB_81

              Hi,

              We haven't tested and validated the functionality of "Monitor Mode" for WICED devices. You can use CYW43907 and can refer to snip\packet_filter sample code. The sample code can provide partial results for your application. You may refer to the following link:

               

              Wifi chip transmits when monitor mode is enabled

              Documentation related to monitor mode can be found in CYW43XX Technical Information - WL Tool for Embedded 802.11 Systems

              Thanks

              • 4. Re: WiFi sniffing using
                SaSh_283021

                From RAW packet capture, can I get the below information?

                 

                MAC header

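                /* Needs <stdint.h>. wifi_header_frame_control_t (next block) must be
                   declared before this struct. Bit-field layout and padding are
                   compiler-specific, so check sizeof and member offsets against the
                   on-air header before overlaying this struct on a captured frame. */
                typedef struct {
                    wifi_header_frame_control_t frame_ctrl;
                    unsigned duration_id:16;
                    uint8_t addr1[6]; /* receiver address */
                    uint8_t addr2[6]; /* sender address */
                    uint8_t addr3[6]; /* filtering address */
                    unsigned sequence_ctrl:16;
                    uint8_t addr4[6]; /* optional */
                } wifi_ieee80211_mac_hdr_t;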

                MAC header frame control

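                /* The 16-bit Frame Control field, least significant bit first. */
                typedef struct {
                    unsigned protocol:2;
                    unsigned type:2;      /* 0 = management, 1 = control, 2 = data */
                    unsigned subtype:4;
                    unsigned to_ds:1;
                    unsigned from_ds:1;
                    unsigned more_frag:1;
                    unsigned retry:1;
                    unsigned pwr_mgmt:1;
                    unsigned more_data:1;
                    unsigned wep:1;       /* Protected Frame bit */
                    unsigned strict:1;    /* Order bit */
                } wifi_header_frame_control_t;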

                Beacon frame

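                /* Needs <stdint.h>. In a beacon body these fields follow the 8-byte
                   timestamp. */
                typedef struct {
                    unsigned interval:16;
                    unsigned capability:16;
                    unsigned tag_number:8;  /* element ID of the first tagged element */
                    unsigned tag_length:8;  /* length of that element in bytes */
                    char ssid[0];           /* zero-length array (GCC extension): SSID bytes start here */
                    uint8_t rates[1];       /* only at this offset when tag_length is 0 */
                } wifi_mgmt_beacon_t;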

                Packet types and subtypes

                typedef enum {
                    WIFI_PKT_MGMT,
                    WIFI_PKT_CTRL,
                    WIFI_PKT_DATA,
                    WIFI_PKT_MISC,
                } wifi_promiscuous_pkt_type_t;

                typedef enum {
                    ASSOCIATION_REQ,
                    ASSOCIATION_RES,
                    REASSOCIATION_REQ,
                    REASSOCIATION_RES,
                    PROBE_REQ,
                    PROBE_RES,
                    NU1, /* ......................*/
                    NU2, /* 0110, 0111 not used */
                    BEACON,
                    ATIM,
                    DISASSOCIATION,
                    AUTHENTICATION,
                    DEAUTHENTICATION,
                    ACTION,
                    ACTION_NACK,
                } wifi_mgmt_subtypes_t;
                • 5. Re: WiFi sniffing using
                  AditiB_81

                  Hi,

                  You can try snip\packet_filter and can get results for the wifi_mgmt_subtypes_t, from_ds, to_ds, receiver address, sender address, filtering address. As we haven't validated and tested "Monitor Mode", you may get partial results. You can refer to the links in the previous responses.

                   

                  Thanks
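The fields asked about in reply 4 and listed in reply 5 can be read from a raw frame with explicit byte offsets and length checks, which avoids depending on compiler-specific bit-field layout and keeps a truncated or malformed capture from being read past its end. This is an added example, not code from the thread or from the WICED SDK; it assumes the buffer starts at the 802.11 MAC header with a three-address (24-byte) header, and `frame_info_t`, `parse_frame`, `record_type` and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Hypothetical result type for this example; not a WICED SDK type. */
typedef struct {
    uint8_t type, subtype, to_ds, from_ds;
    uint8_t sender[6];   /* addr2 */
    int     randomised;  /* locally administered bit of addr2 */
    char    ssid[33];    /* beacons only; 32 bytes max plus NUL */
} frame_info_t;
enum { HDR_LEN = 24, BEACON_FIXED = 12 }; /* 3-address header; timestamp+interval+capability */
/* Constructed sample beacon: sender 00:0b:86:e4:07:20, SSID "BAGNETWIFI". */
static const uint8_t sample_beacon[] = {
    0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,   /* fc, duration, addr1 */
    0x00, 0x0b, 0x86, 0xe4, 0x07, 0x20,                           /* addr2 (sender) */
    0x00, 0x0b, 0x86, 0xe4, 0x07, 0x20, 0x10, 0x00,               /* addr3, sequence control */
    0, 0, 0, 0, 0, 0, 0, 0, 0x64, 0x00, 0x01, 0x04,               /* timestamp, interval, capability */
    0x00, 0x0a, 'B', 'A', 'G', 'N', 'E', 'T', 'W', 'I', 'F', 'I', /* element 0: SSID */
    0x01, 0x01, 0x82                                              /* element 1: supported rates */
};

/* Returns 0 on success, -1 when the capture is shorter than the fields it claims. */
int parse_frame(const uint8_t *f, size_t len, frame_info_t *out)
{
    memset(out, 0, sizeof *out);
    if (len < HDR_LEN) return -1;          /* also rejects short control frames */
    out->type    = (f[0] >> 2) & 0x3;      /* byte 0: protocol:2, type:2, subtype:4 */
    out->subtype = (f[0] >> 4) & 0xF;
    out->to_ds   = f[1] & 0x1;
    out->from_ds = (f[1] >> 1) & 0x1;
    memcpy(out->sender, f + 10, 6);        /* addr1 at 4, addr2 at 10, addr3 at 16 */
    out->randomised = (f[10] >> 1) & 0x1;
    if (out->type != 0 || out->subtype != 8) return 0;   /* not a beacon */
    for (size_t pos = HDR_LEN + BEACON_FIXED; pos + 2 <= len; ) {
        size_t id = f[pos], elen = f[pos + 1];
        if (pos + 2 + elen > len || (id == 0 && elen > 32)) return -1; /* malformed */
        if (id == 0) {                     /* SSID element */
            memcpy(out->ssid, f + pos + 2, elen);
            return 0;
        }
        pos += 2 + elen;
    }
    return 0;
}

/* Record letter as in the first post; mapping beacons to 'A' is this example's assumption. */
char record_type(const frame_info_t *i)
{
    return (i->type == 0 && i->subtype == 8) ? 'A' : i->randomised ? 'R' : 'D';
}
```

Captures that carry a radio or vendor header in front of the 802.11 header need that prefix skipped before calling `parse_frame`.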