Example:
tshark -i mon0 -T fields -e wlan.sa -e radiotap.dbm_antsignal -c 5
Prints
xx:xx:xx:xx:xx:xx:xx -88,-88
Most of the times the readings are not the same. What is the first number and last number?
I think the driver you have is reporting a maximum and then the actual value. For instance, here is the output from the same frame caught by four different adapters on Linux:
tshark -r beacon.pcapng -T fields -e wlan.sa -e radiotap.dbm_antsignal -c 5
00:01:02:03:ef:72 -58
00:01:02:03:ef:72 -60
00:01:02:03:ef:72 -64,-64,-65
00:01:02:03:ef:72 -61,-64,-61
In order, we have here:
For the Intel case, here is what Wireshark shows:
Radiotap Header v0, Length 56
Header revision: 0
Header pad: 0
Header length: 56
Present flags
MAC timestamp: 388880163915
Flags: 0x10
Data Rate: 18.0 Mb/s
Channel frequency: 5745 [A 149]
Channel flags: 0x0140, Orthogonal Frequency-Division Multiplexing (OFDM), 5 GHz spectrum
Antenna signal: -64dBm
RX flags: 0x0000
timestamp information
Antenna signal: -64dBm
Antenna: 0
Antenna signal: -65dBm
Antenna: 1
I am guessing the first one of the three fields is a maximum and then the next two are the specific antenna values. I would think it is driver specific.
Some different adapters, and I know I have some antenna problems (broken/missing):
tshark -i wlan1 -i wlan10 -i wlan11 -i wlan90 -i wlan104 -T fields -e frame.interface_name -e wlan.sa -e radiotap.dbm_antsignal -c 30
wlan10 00:01:02:03:ef:72 -66,-81,-66
wlan10 00:01:02:03:ef:73 -66,-81,-66
wlan10 00:01:02:03:ef:74 -68,-82,-68
wlan11 00:01:02:03:ef:72 -56,-70,-56
wlan11 00:01:02:03:ef:73 -57,-71,-57
wlan11 00:01:02:03:ef:74 -56,-70,-56
<cut>
It looks like the first value is the maximum in this small sample. I get two values from an Atheros chipset:
Atheros Communications, Inc. AR9271 802.11n
wlan1 00:01:02:03:97:b9 -24,-24
With Wireshark showing:
Radiotap Header v0, Length 36
Header revision: 0
Header pad: 0
Header length: 36
Present flags
MAC timestamp: 2018179335135440602
Flags: 0x10
Data Rate: 6.0 Mb/s
Channel frequency: 2462 [BG 11]
Channel flags: 0x00c0, Orthogonal Frequency-Division Multiplexing (OFDM), 2 GHz spectrum
Antenna signal: -79dBm
RX flags: 0x0000
Antenna signal: -79dBm
Antenna: 0
Which linux and version did you run the tests on?
kali: 4.14.2-kalivm-1 #1 SMP Sun Dec 31 06:09:42 EST 2017 x86_64 GNU/Linux
kali: 5.2.0-kali2-amd64 #1 SMP Debian 5.2.9-2kali1 (2019-08-22) x86_64 GNU/Linux
debian: 4.19.0-0.bpo.5-amd64 #1 SMP Debian 4.19.37-5+deb10u2~bpo9+1 (2019-08-16) x86_64 GNU/Linux
The Intel 7260 is listed as 2x2 and looks like the card for inside a laptop.
The MT7612U is a chip listed as Antenna: 2T2R. What type of card/dongle is it?
Some details:
admin@server: lsusb
Bus 003 Device 007: ID 0e8d:7612 MediaTek Inc.:
This is an actual Alfa AWUS036ACM. I have another from a no-name brand, but that comes up same in lsusb.
The 7620 is a PCI based adapter. wlan10 and wlan11, listed above, are also Intel:
wlan10 Intel Corporation Wireless 8265 / 8275 (rev 78)
wlan11 Intel Corporation Wireless-AC 9260 (rev 29)
Not shown, but is same as the other Intel chipsets is an 11ax 2x2:2 adapter:
Intel Corporation Device 2723 (rev 1a)
The broadcom chipsets I have available (Macbook Pro (4x4), Aerohive (11ax 4x4) access point running rpcapd) both show a single antenna entry.
Asked: 2020-05-04 02:04:04 +0000
Seen: 707 times
Last updated: May 05 '20
Have you looked at a full decode of one of these packets?
Can you provide a capture file to look at?
What is output if you add
-e radiotap.present.extto the tshark command above.Once in a while it will print one set of numbers but nearly all of the time I get two. This is using raspbian latest, some with nexmon drivers and some with a supported USB wifi present (no nexmon installed) I am using the output in python and can strip part of the line, but I was'nt sure why there are two readings.
Can you capture to file and then open in the Wireshark GUI?
The
1,0output fromradiotap.present.extindicates that there are extension fields.There is a sample pcap attached to this bug that shows extended radiotap fields.