Explanation for Difference in WLAN Captures
Hi all,
I have two devices set in monitor mode connected to my laptop and I am running Wireshark simultaneously on both interfaces. On one I can only see probe requests every now and again, and null data packets <10pps. On the other one I am getting tons more packets at a much higher rate, e.g. beacon frames, probe requests, responses, data, CTS/RTS, etc. Can anyone explain why I would be seeing so little on one and so much more on the other even though the two devices are inches apart?
iw dev
phy#2
    Interface wlx00e04c1f8b5f
        ifindex 8
        wdev 0x200000001
        addr 00:e0:4c:1f:8b:5f
        type monitor
        txpower 12.00 dBm
phy#0
    Interface mon0
        ifindex 10
        wdev 0x2
        addr 24:77:03:7e:0b:60
        type monitor
        txpower 15.00 dBm
    Interface wlp3s0
        ifindex 4
        wdev 0x1
        addr 24:77:03:7e:0b:60
        ssid TALKTALK6F4763
        type managed
        channel 11 (2462 MHz), width: 20 MHz, center1: 2462 MHz
        txpower 15.00 dBm
phy#0 is the Intel chip built into my Thinkpad:
03:00.0 Network controller: Intel Corporation Centrino Ultimate-N 6300 (rev 3e)
phy#2 is the Realtek chip in an external USB device:
Bus 002 Device 003: ID 0bda:c811 Realtek Semiconductor Corp.
USB WiFi 802.11ac Device on Amazon
I can't attach the captures since I don't have enough points. If anyone could shed some light on this, it would be greatly appreciated. I am inclined to think that the Realtek USB device just isn't as capable/fast as the Intel one, but I wouldn't have expected such a discrepancy. It could also be a driver issue; I have used this driver on GitHub and enabled monitor mode in the Makefile.
Cheers, Jake
Are they on the same channel? The built in device probably has better antennas than the USB device; that will account for some difference. I can't tell if what you see is normal because I can't see it, i.e. there are no traces to compare.
You are also using one interface at the same time as capturing in Monitor Mode; that usually gives somewhat unusual results.
I don't know the specific driver you are using, but some of the other ones on GitHub for the Realtek stuff are hit and miss; lately, the results have been pretty good.
Thanks for the reply. Yes, I have them on the same channel. What worries me is that I can't even see beacons with the USB device; it's pretty much just probe requests, whereas the other device captures so much more. The driver from GitHub is actually Realtek's code that was supplied on a CD with the device. I have the same code on a CD here, but the legwork of organising the code was done on the Git repo. I would have thought Realtek would have written a decent driver, but I could be wrong.
I have added the captures on Dropbox
Doesn't look like wlx is on the same channel as mon0. Did you disable the NetworkManager for this interface? Or, disable NetworkManager altogether, put both in monitor mode, set the channel, then capture at the same time (Wireshark will allow multiple interfaces to be captured at the same time).
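
The channel check discussed in this thread can be scripted; the following is an added example, not part of the original posts. It parses `iw dev` output and reports, for each monitor interface, whether a channel is shown and whether the radio is shared with a non-monitor interface. The function names (`iw_summary`, `monitor_report`, `monitors_aligned`) are hypothetical, and the sample input is the output from the question, abridged.

```shell
#!/bin/sh
# Added example. Reads `iw dev` text on stdin and prints one line per
# interface: <phy> <interface> <type> <channel, or "unset" if none is shown>
iw_summary() {
    awk '
        function emit() { if (ifc != "") print phy, ifc, type, (chan == "" ? "unset" : chan) }
        $1 ~ /^phy#/      { emit(); ifc = ""; phy = $1; next }
        $1 == "Interface" { emit(); ifc = $2; type = "?"; chan = ""; next }
        $1 == "type"      { type = $2; next }
        $1 == "channel"   { chan = $2; next }
        END               { emit() }'
}

# One line per monitor interface:
#   <interface> channel=<n|unset> shared_phy=<yes|no>
# shared_phy=yes means another, non-monitor interface sits on the same radio.
monitor_report() {
    iw_summary | awk '
        { n++; phy[n] = $1; ifc[n] = $2; type[n] = $3; chan[n] = $4
          if ($3 != "monitor") busy[$1] = 1 }
        END { for (i = 1; i <= n; i++) if (type[i] == "monitor")
                  print ifc[i], "channel=" chan[i], "shared_phy=" ((phy[i] in busy) ? "yes" : "no") }'
}

# Exit status 0 only if every monitor interface shows the same explicit channel.
monitors_aligned() {
    monitor_report | awk '
        { split($2, kv, "="); if (kv[2] == "unset") bad = 1; seen[kv[2]] = 1 }
        END { c = 0; for (k in seen) c++; exit (bad || c != 1) }'
}

# Sample input: the `iw dev` output from the question, abridged to the
# lines the parser uses (ifindex, wdev, addr, ssid, txpower dropped).
SAMPLE='phy#2
    Interface wlx00e04c1f8b5f
        type monitor
phy#0
    Interface mon0
        type monitor
    Interface wlp3s0
        type managed
        channel 11 (2462 MHz), width: 20 MHz, center1: 2462 MHz'

printf '%s\n' "$SAMPLE" | monitor_report
printf '%s\n' "$SAMPLE" | monitors_aligned ||
    echo "monitor interfaces are not confirmed to be on one channel"
```

On a live system the same functions take `iw dev | monitor_report` as input.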