Ask Your Question
0

Monitor Mode and WiFi multicast

asked 2019-08-14 18:25:14 +0000

alphonso gravatar image

Hello,

I have setup a wireless interface in monitor mode as I am attempting to see multicast traffic I am sending from one device to another device over an access point. I am aware that the link from a device to the AP is always unicast and only once data reaches the AP it can be sent as multicast.

However, my capture only ever shows the retry of the multicast data fro the original source to the AP. I never see non-re-transmitted packets from source to AP and I never see any multicast data from the AP to a subscribed client. I didn't think an interface in monitor mode would need to join via IGMP. Is there a something I am missing?

Thanks!

edit retag flag offensive close merge delete

Comments

Multicast handling in wifi can vary based on settings and hardware used. I suggest you upload a capture file so we can see what is happening at the frame level.

A wireless adapter in monitor/promiscuous mode will not need IGMP to pick up traffic in the air, as long as it is tuned to the correct channel, can manage the modulation, is close enough, etc.

If you only see retries, maybe the AP is not picking up the data at all so would then never be sent to the multicast receiver. Most drivers have a datarate selection algorithm where retries might be sent at a lower datarate; depends heavily on the driver. This could explain why you don't see the original, but perhaps can see the retries - you can't pick up the highest modulation frames, but can pick up lower ones.

Bob Jones gravatar imageBob Jones ( 2019-08-14 20:45:57 +0000 )edit

Sure, here is a capture:

https://drive.google.com/open?id=1rgc...

My example has me sending out a packet to 224.1.1.18 every 0.5 seconds. In the payload I have the packet serialized starting with 1, and some time stamps. At 18.5 seconds in (Wireshark No. 929) I get my first instance of retransmission with my serial number 64. Then again at 24.5 seconds with Wireshark packet 1238 and my 76, which that same packet was then retried again at Wireshark packet 1242. My monitor mode WiFi interface was within feet of the AP.

alphonso gravatar imagealphonso ( 2019-08-14 21:03:29 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-08-14 21:25:30 +0000

Bob Jones gravatar image

For the sample trace, apply this filter:

wlan.addr == c8:3d:d4:a0:94:45

Look right before the referenced multicast frame at 929; see all of the CTS and Block ACK frames? Each of these pairs is very likely a successful unicast frame transfer between client and AP that your capture system did not pick up. Signal strength is OK, so I bet client/AP are using 802.11n modulations but your adapter is only picking up 802.11bg. Until retries drop modulation/datarate to levels that your capture system can pick up, you will continue to miss the bulk of your data traffic.

image description

The beacon for this network indicates that it is HT capable with LDPC support, SGI, 2SS. You can either try a different capture adapter or reduce the datarates on the AP by disabling 802.11n support as a test. Then you should see the bulk of the traffic, as you expect.

edit flag offensive delete link more

Comments

Alright that makes a lot of sense. I will definitely give that a go. Thank you so much for your quick responses. Sometimes you go so deep you forget the obvious things.

alphonso gravatar imagealphonso ( 2019-08-14 21:31:02 +0000 )edit

If/when the answer is sufficient, please accept for others to know the issue is resolved.

Bob Jones gravatar imageBob Jones ( 2019-08-14 21:35:01 +0000 )edit

Absolutely. I'll test this out in the morning and follow up with appropriate actions.

alphonso gravatar imagealphonso ( 2019-08-14 21:36:13 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2019-08-14 18:25:14 +0000

Seen: 2,514 times

Last updated: Aug 14 '19