Monitor Mode and WiFi multicast
Hello,
I have setup a wireless interface in monitor mode as I am attempting to see multicast traffic I am sending from one device to another device over an access point. I am aware that the link from a device to the AP is always unicast and only once data reaches the AP it can be sent as multicast.
However, my capture only ever shows the retry of the multicast data fro the original source to the AP. I never see non-re-transmitted packets from source to AP and I never see any multicast data from the AP to a subscribed client. I didn't think an interface in monitor mode would need to join via IGMP. Is there a something I am missing?
Thanks!
Multicast handling in wifi can vary based on settings and hardware used. I suggest you upload a capture file so we can see what is happening at the frame level.
A wireless adapter in monitor/promiscuous mode will not need IGMP to pick up traffic in the air, as long as it is tuned to the correct channel, can manage the modulation, is close enough, etc.
If you only see retries, maybe the AP is not picking up the data at all so would then never be sent to the multicast receiver. Most drivers have a datarate selection algorithm where retries might be sent at a lower datarate; depends heavily on the driver. This could explain why you don't see the original, but perhaps can see the retries - you can't pick up the highest modulation frames, but can pick up lower ones.
Sure, here is a capture:
https://drive.google.com/open?id=1rgc...
My example has me sending out a packet to 224.1.1.18 every 0.5 seconds. In the payload I have the packet serialized starting with 1, and some time stamps. At 18.5 seconds in (Wireshark No. 929) I get my first instance of retransmission with my serial number 64. Then again at 24.5 seconds with Wireshark packet 1238 and my 76, which that same packet was then retried again at Wireshark packet 1242. My monitor mode WiFi interface was within feet of the AP.