Ask Your Question

Output of radiotap.dbm_antsignal has two readings, what is the first and last?

asked 2020-05-04 02:04:04 +0000

kurtus gravatar image


tshark -i mon0 -T fields -e -e radiotap.dbm_antsignal -c 5

Prints xx:xx:xx:xx:xx:xx:xx -88,-88

Most of the times the readings are not the same. What is the first number and last number?

edit retag flag offensive close merge delete


Have you looked at a full decode of one of these packets?
Can you provide a capture file to look at?
What is output if you add -e radiotap.present.ext to the tshark command above.

Chuckc gravatar imageChuckc ( 2020-05-04 03:37:44 +0000 )edit


#tshark -i mon1 -T fields -e -e radiotap.dbm_antsignal -e radiotap.present.ext

Running as user "root" and group "root". This could be dangerous.

Capturing on 'mon1'
30:f3:35:xx:xx:xx       -87,-93 1,0
4c:dd:31:xx:xx:xx       -84,-84 1,0
4c:dd:31:xx:xx:xx       -84,-84 1,0
        -87,-89 1,0
14:9f:3c:xx:xx:xx      -81,-89 1,0
^C5 packets captured

Once in a while it will print one set of numbers but nearly all of the time I get two. This is using raspbian latest, some with nexmon drivers and some with a supported USB wifi present (no nexmon installed) I am using the output in python and can strip part of the line, but I was'nt sure why there are two readings.

kurtus gravatar imagekurtus ( 2020-05-04 05:32:41 +0000 )edit

Can you capture to file and then open in the Wireshark GUI?
The 1,0 output from radiotap.present.ext indicates that there are extension fields.
There is a sample pcap attached to this bug that shows extended radiotap fields.

Chuckc gravatar imageChuckc ( 2020-05-04 06:28:07 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted

answered 2020-05-04 22:13:05 +0000

Bob Jones gravatar image

updated 2020-05-05 00:07:31 +0000

I think the driver you have is reporting a maximum and then the actual value. For instance, here is the output from the same frame caught by four different adapters on Linux:

tshark -r beacon.pcapng -T fields -e -e radiotap.dbm_antsignal -c 5
00:01:02:03:ef:72       -58
00:01:02:03:ef:72       -60
00:01:02:03:ef:72       -64,-64,-65
00:01:02:03:ef:72       -61,-64,-61

In order, we have here:

  • Realtek Semiconductor Corp. RTL8814AU 802.11a/b/g/n/ac
  • Senao EUB1200AC AC1200 DB [Realtek RTL8812AU]
  • Intel Corporation Wireless 7260 (rev bb)
  • MediaTek Inc. (mt7612u)

For the Intel case, here is what Wireshark shows:

Radiotap Header v0, Length 56
    Header revision: 0
    Header pad: 0
    Header length: 56
    Present flags
    MAC timestamp: 388880163915
    Flags: 0x10
    Data Rate: 18.0 Mb/s
    Channel frequency: 5745 [A 149]
    Channel flags: 0x0140, Orthogonal Frequency-Division Multiplexing (OFDM), 5 GHz spectrum
    Antenna signal: -64dBm
    RX flags: 0x0000
    timestamp information
    Antenna signal: -64dBm
    Antenna: 0
    Antenna signal: -65dBm
    Antenna: 1

I am guessing the first one of the three fields is a maximum and then the next two are the specific antenna values. I would think it is driver specific.

Some different adapters, and I know I have some antenna problems (broken/missing):

tshark -i wlan1 -i wlan10 -i wlan11 -i wlan90 -i wlan104 -T fields -e frame.interface_name -e -e radiotap.dbm_antsignal -c 30
wlan10  00:01:02:03:ef:72       -66,-81,-66
wlan10  00:01:02:03:ef:73       -66,-81,-66
wlan10  00:01:02:03:ef:74       -68,-82,-68
wlan11  00:01:02:03:ef:72       -56,-70,-56
wlan11  00:01:02:03:ef:73       -57,-71,-57
wlan11  00:01:02:03:ef:74       -56,-70,-56


It looks like the first value is the maximum in this small sample. I get two values from an Atheros chipset:

Atheros Communications, Inc. AR9271 802.11n

wlan1    00:01:02:03:97:b9       -24,-24

With Wireshark showing:

Radiotap Header v0, Length 36
    Header revision: 0
    Header pad: 0
    Header length: 36
    Present flags
    MAC timestamp: 2018179335135440602
    Flags: 0x10
    Data Rate: 6.0 Mb/s
    Channel frequency: 2462 [BG 11]
    Channel flags: 0x00c0, Orthogonal Frequency-Division Multiplexing (OFDM), 2 GHz spectrum
    Antenna signal: -79dBm
    RX flags: 0x0000
    Antenna signal: -79dBm
    Antenna: 0
edit flag offensive delete link more


Which linux and version did you run the tests on?

Chuckc gravatar imageChuckc ( 2020-05-05 02:10:24 +0000 )edit

Which linux and version did you run the tests on?

kali: 4.14.2-kalivm-1 #1 SMP Sun Dec 31 06:09:42 EST 2017 x86_64 GNU/Linux
kali: 5.2.0-kali2-amd64 #1 SMP Debian 5.2.9-2kali1 (2019-08-22) x86_64 GNU/Linux
debian: 4.19.0-0.bpo.5-amd64 #1 SMP Debian 4.19.37-5+deb10u2~bpo9+1 (2019-08-16) x86_64 GNU/Linux
Bob Jones gravatar imageBob Jones ( 2020-05-05 09:50:40 +0000 )edit

The Intel 7260 is listed as 2x2 and looks like the card for inside a laptop.
The MT7612U is a chip listed as Antenna: 2T2R. What type of card/dongle is it?

Chuckc gravatar imageChuckc ( 2020-05-05 14:49:47 +0000 )edit

Some details:

admin@server: lsusb
        Bus 003 Device 007: ID 0e8d:7612 MediaTek Inc.:

This is an actual Alfa AWUS036ACM. I have another from a no-name brand, but that comes up same in lsusb.

The 7620 is a PCI based adapter. wlan10 and wlan11, listed above, are also Intel:

wlan10   Intel Corporation Wireless 8265 / 8275 (rev 78)
wlan11   Intel Corporation Wireless-AC 9260 (rev 29)

Not shown, but is same as the other Intel chipsets is an 11ax 2x2:2 adapter:

Intel Corporation Device 2723 (rev 1a)

The broadcom chipsets I have available (Macbook Pro (4x4), Aerohive (11ax 4x4) access point running rpcapd) both show a single antenna entry.

Bob Jones gravatar imageBob Jones ( 2020-05-05 15:36:14 +0000 )edit

Well I guess it really is driver dependent. I have dug out half a dozen USB WiFi adapters here and haven't been able to get the extended fields. Thanks for your research. :-)

Chuckc gravatar imageChuckc ( 2020-05-05 15:43:51 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2020-05-04 02:04:04 +0000

Seen: 586 times

Last updated: May 05 '20