Wireless sniffing on WRT3200ACM

I have a LINKSYS WRT3200ACM router (openwrt techdata link).

There are three wireless interfaces:

  1. Marvell 88W8964 which supports 802.11n/ac
  2. Marvell 88W8964 which supports 802.11b/g/n
  3. Marvell 88W8887 802.11b/g/n/ac

I want to do the following:

  1. Set interface 1 as the Access Point and have a few devices associated with it.

  2. Use interface 3 to sniff packets transmitted/received by interface 1. Also, sniff packets from other Access Points/devices that co-exist on the same band/channel.

  3. Store the sniffed packet information to a device connected to my router over Ethernet.

  4. Decrypt the sniffed packet information. I want to have all the headers up to TCP (at least for the devices that are associated with the Access Point).

I'm new to openwrt and was wondering if there were any useful resources/tutorials/anything that already did something similar. I feel like this is something people should have done already, but it's getting increasingly confusing for me (maybe due to my limited knowledge of openwrt).

I've tried a couple of things based on google searches and different forum discussions. Unfortunately, I haven't been able to achieve point 2.

Any help will be highly appreciated. Thanks a lot for your time.

Simplify.

a) Can you capture with interface 3 at all?
b) Can you capture with other interfaces?

Once you determine this, the rest is not so challenging.

iw list

should indicate monitor mode support by phy2 if that is your intention; I don't think it does, though.

For users of your AP, you could just pcap the wlan interface directly. This will be outside of the WPA encryption; that is, they are clear text.

To monitor packets between third parties, you need a monitor interface. It is possible to run a monitor and AP on the same radio. The monitor will copy packets sent by your radio as well as all packets received on the same channel regardless of whether or not they are intended for you (you can see other APs and their users). These packets are as they go on the air, that is, encrypted.
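As an added example (not code from this thread or from the OpenWrt project), the following script ties the two replies above together: it parses `iw list` output to report which phys list monitor mode, and then shows the two capture paths just described. `capture_ap_clients` runs tcpdump on the AP's own wlan interface, where frames have already been decrypted by the AP, and `capture_air` adds a monitor vdev on the same radio and records raw 802.11 frames, which for third-party stations remain WPA-encrypted. Both stream the capture to a host on the wired LAN rather than to the router's flash. The interface names (`wlan0`, `mon0`), the host `capture@192.0.2.10`, the remote file path and the use of dropbear's `ssh` client on the router are assumptions; the abbreviated `iw list` sample at the bottom is constructed, mirroring the thread's real listing (phy2 without monitor, phy1 with it). Decrypting a monitor capture afterwards requires the network's key plus each client's captured 4-way handshake (Wireshark's 802.11 decryption-keys preference handles WPA-PSK), which the AP-interface capture avoids entirely.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt. Reads `iw list`
# output to find phys that offer monitor mode, then shows the two capture
# paths: tcpdump on the AP interface (frames already decrypted by the AP)
# and a monitor vdev on the same radio (frames as sent over the air, still
# WPA-encrypted for other stations). wlan0, mon0, capture@192.0.2.10 and
# the remote file names are assumptions for illustration.

# Print the name of every phy whose "Supported interface modes" block lists
# "monitor". Reads `iw list` output on stdin.
phys_with_monitor() {
    awk '
        /^Wiphy /                      { phy = $2; in_modes = 0; next }
        /Supported interface modes:/   { in_modes = 1; next }
        in_modes && /^[[:space:]]+\* / { if ($2 == "monitor") print phy; next }
        in_modes                       { in_modes = 0 }   # modes block ended
    '
}

# Answer "yes" or "no" for one phy, e.g. `iw list | phy_supports_monitor phy2`.
phy_supports_monitor() {
    phys_with_monitor | grep -qx "$1" && echo yes || echo no
}

# Capture this AP's own clients: the AP interface hands tcpdump decrypted
# 802.3 frames, so no key material is needed. Streamed to a wired host
# because router flash is small (`ssh` is dropbear's client on OpenWrt).
capture_ap_clients() {   # $1 = AP interface, $2 = user@host, $3 = remote file
    tcpdump -i "$1" -U -s 0 -w - | ssh "$2" "cat > '$3'"
}

# Add a monitor vdev on the same radio as the AP (it shares the AP's channel:
# `#channels <= 1` in the combination rules) and stream raw 802.11 frames
# with radiotap headers. Data frames of third parties arrive encrypted.
capture_air() {          # $1 = phy, $2 = vdev name, $3 = user@host, $4 = remote file
    iw phy "$1" interface add "$2" type monitor
    ip link set "$2" up
    tcpdump -i "$2" -U -s 0 -w - | ssh "$3" "cat > '$4'"
}

# Constructed, abbreviated `iw list` output for the self-check below; it
# mirrors the thread's real listing (phy2 lacks monitor, phy1 has it).
SAMPLE_IW_LIST=$(printf 'Wiphy phy2\n\tSupported interface modes:\n\t\t * IBSS\n\t\t * managed\n\t\t * AP\n\tBand 1:\nWiphy phy1\n\tSupported interface modes:\n\t\t * managed\n\t\t * AP\n\t\t * monitor\n\t\t * mesh point\n\tBand 1:\n')

case "${1:-}" in
    check)   iw list | phy_supports_monitor "$2" ;;                      # check phy0
    clients) capture_ap_clients "$2" "$3" "$4" ;;                        # clients wlan0 capture@192.0.2.10 /tmp/ap.pcap
    air)     capture_air "$2" "$3" "$4" "$5" ;;                          # air phy0 mon0 capture@192.0.2.10 /tmp/air.pcap
    "")      printf '%s\n' "$SAMPLE_IW_LIST" | phys_with_monitor ;;      # self-check on the sample: prints phy1
esac
```

Run it with no arguments to exercise the parser on the embedded sample; with `check phy2` on the router it answers the question the thread asked of the real `iw list` output. The monitor vdev is added beside the AP rather than instead of it, so the AP keeps serving its clients while the capture runs.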

iw list gives the following output. It seems phy2 does not support monitor mode, as you correctly pointed out.

Wiphy phy2
	max # scan SSIDs: 10
	max scan IEs length: 256 bytes
	max # sched scan SSIDs: 10
	max # match sets: 10
	max # scan plans: 1
	max scan plan interval: -1
	max scan plan iterations: 0
	Fragmentation threshold: 2346
	RTS threshold: 2347
	Retry short limit: 9
	Retry long limit: 4
	Coverage class: 0 (up to 0m)
	Device supports AP-side u-APSD.
	Device supports T-DLS.
	Available Antennas: TX 0x1 RX 0x1
	Configured Antennas: TX 0x1 RX 0x1
	Supported interface modes:
		 * IBSS
		 * managed
		 * AP
		 * P2P-client
		 * P2P-GO
	Band 1:
		Capabilities: 0x17f
			RX LDPC
			HT20/HT40
			SM Power Save disabled
			RX Greenfield
			RX HT20 SGI
			RX HT40 SGI
			RX STBC 1-stream
			Max AMSDU length: 3839 bytes
			No DSSS/CCK HT40
		Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
		Minimum RX AMPDU time spacing: No restriction (0x00)
		HT TX/RX MCS rate indexes supported: 0-7, 32
		VHT Capabilities (0x33c07130):
			Max MPDU length: 3895
			Supported Channel Width: neither 160 nor 80+80
			RX LDPC
			short GI (80 MHz)
			SU Beamformee
			+HTC-VHT
			RX antenna pattern consistency
			TX antenna pattern consistency
		VHT RX MCS set:
			1 streams: MCS 0-9
			2 streams: not supported
			3 streams: not supported
			4 streams: not supported
			5 streams: not supported
			6 streams: not supported
			7 streams: not supported
			8 streams: not supported
		VHT RX highest supported: 0 Mbps
		VHT TX MCS set:
			1 streams: MCS 0-9
			2 streams: not supported
			3 streams: not supported
			4 streams: not supported
			5 streams: not supported
			6 streams: not supported
			7 streams: not supported
			8 streams: not supported
		VHT TX highest supported: 0 Mbps
		Frequencies:
			* 2412 MHz [1] (30.0 dBm)
			* 2417 MHz [2] (30.0 dBm)
			* 2422 MHz [3] (30.0 dBm)
			* 2427 MHz [4] (30.0 dBm)
			* 2432 MHz [5] (30.0 dBm)
			* 2437 MHz [6] (30.0 dBm)
			* 2442 MHz [7] (30.0 dBm)
			* 2447 MHz [8] (30.0 dBm)
			* 2452 MHz [9] (30.0 dBm)
			* 2457 MHz [10] (30.0 dBm)
			* 2462 MHz [11] (30.0 dBm)
			* 2467 MHz [12] (disabled)
			* 2472 MHz [13] (disabled)
			* 2484 MHz [14] (disabled)
	Band 2:
		Capabilities: 0x17f
			RX LDPC
			HT20/HT40
			SM Power Save disabled
			RX Greenfield
			RX HT20 SGI
			RX HT40 SGI
			RX STBC 1-stream
			Max AMSDU length: 3839 bytes
			No DSSS/CCK HT40
		Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
		Minimum RX AMPDU time spacing: No restriction (0x00)
		HT TX/RX MCS rate indexes supported: 0-7, 32
		VHT Capabilities (0x33c07130):
			Max MPDU length: 3895
			Supported Channel Width: neither 160 nor 80+80
			RX LDPC
			short GI (80 MHz)
			SU Beamformee
			+HTC-VHT
			RX antenna pattern consistency
			TX antenna pattern consistency
		VHT RX MCS set:
			1 streams: MCS 0-9
			2 streams: not supported
			3 streams: not supported
			4 streams: not supported
			5 streams: not supported
			6 streams: not supported
			7 streams: not supported
			8 streams: not supported
		VHT RX highest supported: 0 Mbps
		VHT TX MCS set:
			1 streams: MCS 0-9
			2 streams: not supported
			3 streams: not supported
			4 streams: not supported
			5 streams: not supported
			6 streams: not supported
			7 streams: not supported
			8 streams: not supported
		VHT TX highest supported: 0 Mbps
		Frequencies:
			* 5040 MHz [8] (disabled)
			* 5060 MHz [12] (disabled)
			* 5080 MHz [16] (disabled)
			* 5170 MHz [34] (disabled)
			* 5190 MHz [38] (23.0 dBm)
			* 5210 MHz [42] (23.0 dBm)
			* 5230 MHz [46] (23.0 dBm)
			* 5180 MHz [36] (23.0 dBm)
			* 5200 MHz [40] (23.0 dBm)
			* 5220 MHz [44] (23.0 dBm)
			* 5240 MHz [48] (23.0 dBm)
			* 5260 MHz [52] (23.0 dBm) (no IR, radar detection)
			* 5280 MHz [56] (23.0 dBm) (no IR, radar detection)
			* 5300 MHz [60] (23.0 dBm) (no IR, radar detection)
			* 5320 MHz [64] (23.0 dBm) (no IR, radar detection)
			* 5500 MHz [100] (23.0 dBm) (no IR, radar detection)
			* 5520 MHz [104] (23.0 dBm) (no IR, radar detection)
			* 5540 MHz [108] (23.0 dBm) (no IR, radar detection)
			* 5560 MHz [112] (23.0 dBm) (no IR, radar detection)
			* 5580 MHz [116] (23.0 dBm) (no IR, radar detection)
			* 5600 MHz [120] (23.0 dBm) (no IR, radar detection)
			* 5620 MHz [124] (23.0 dBm) (no IR, radar detection)
			* 5640 MHz [128] (23.0 dBm) (no IR, radar detection)
			* 5660 MHz [132] (23.0 dBm) (no IR, radar detection)
			* 5680 MHz [136] (23.0 dBm) (no IR, radar detection)
			* 5700 MHz [140] (23.0 dBm) (no IR, radar detection)
			* 5745 MHz [149] (30.0 dBm)
			* 5765 MHz [153] (30.0 dBm)
			* 5785 MHz [157] (30.0 dBm)
			* 5805 MHz [161] (30.0 dBm)
			* 5825 MHz [165] (30.0 dBm)
	valid interface combinations:
		 * #{ managed, AP, P2P-client, P2P-GO } <= 3,
		   total <= 3, #channels <= 1, STA/AP BI must match, radar detect widths: { 20 MHz (no HT), 20 MHz, 40 MHz, 80 MHz }

	Coalesce support:
		 * Maximum 8 coalesce rules supported
		 * Each rule contains upto 4 patterns of 1-40 bytes,
		   maximum packet offset 100 bytes
		 * Maximum supported coalescing delay 100 msecs
Wiphy phy1
	max # scan SSIDs: 4
	max scan IEs length: 2242 bytes
	max # sched scan SSIDs: 0
	max # match sets: 0
	max # scan plans: 1
	max scan plan interval: -1
	max scan plan iterations: 0
	Retry short limit: 7
	Retry long limit: 4
	Coverage class: 0 (up to 0m)
	Device supports T-DLS.
	Available Antennas: TX 0 RX 0
	Supported interface modes:
		 * managed
		 * AP
		 * AP/VLAN
		 * monitor
		 * mesh point
	Band 1:
		Capabilities: 0x186f
			RX LDPC
			HT20/HT40
			SM Power Save disabled
			RX HT20 SGI
			RX HT40 SGI
			No RX STBC
			Max AMSDU length: 7935 bytes
			DSSS/CCK HT40
		Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
		Minimum RX AMPDU time spacing: 4 usec (0x05)
		HT TX/RX MCS rate indexes supported: 0-23, 32
		VHT Capabilities (0x33837976):
			Max MPDU length: 11454
			Supported Channel Width: 160 MHz
			RX LDPC
			short GI (80 MHz)
			short GI (160/80+80 MHz)
			SU Beamformer
			SU Beamformee
			RX antenna pattern consistency
			TX antenna pattern consistency
		VHT RX MCS set:
			1 streams: MCS 0-9
			2 streams: MCS 0-9
			3 streams: MCS 0-9
			4 streams: not supported
			5 streams: not supported
			6 streams: not supported
			7 streams: not supported
			8 streams: not supported
		VHT RX highest supported: 0 Mbps
		VHT TX MCS set:
			1 streams: MCS 0-9
			2 streams: MCS 0-9
			3 streams: MCS 0-9
			4 streams: not supported
			5 streams: not supported
			6 streams: not supported
			7 streams: not supported
			8 streams: not supported
		VHT TX highest supported: 0 Mbps
		Frequencies:
			* 2412 MHz [1] (30.0 dBm)
			* 2417 MHz [2] (30.0 dBm)
			* 2422 MHz [3] (30.0 dBm)
			* 2427 MHz [4] (30.0 dBm)
			* 2432 MHz [5] (30.0 dBm)
			* 2437 MHz [6] (30.0 dBm)
			* 2442 MHz [7] (30.0 dBm)
			* 2447 MHz [8] (30.0 dBm)
			* 2452 MHz [9] (30.0 dBm)
			* 2457 MHz [10] (30.0 dBm)
			* 2462 MHz [11] (30.0 dBm)
			* 2467 MHz [12] (disabled)
			* 2472 MHz [13] (disabled)
			* 2484 MHz [14] (disabled)
	valid interface combinations:
		 * #{ AP } <= 16, #{ mesh point } <= 1, #{ managed } <= 1,
		   total <= 16, #channels <= 1, radar detect widths: { 20 MHz (no HT), 20 MHz, 40 MHz, 80 MHz, 160 MHz }

	HT Capability overrides:
		 * MCS: ff ff ff ff ff ff ff ff ff ff
		 * maximum A-MSDU length
		 * supported channel width
		 * short GI for 40 MHz
		 * max A-MPDU length exponent
		 * min MPDU start spacing
Wiphy phy0
	max # scan SSIDs: 4
	max scan IEs length: 2247 bytes
	max # sched scan SSIDs: 0
	max # match sets: 0
	max # scan plans: 1
	max scan plan interval: -1
	max scan plan iterations: 0
	Retry short limit: 7
	Retry long limit: 4
	Coverage class: 0 (up to 0m)
	Device supports T-DLS.
	Available Antennas: TX 0 RX 0
	Supported interface modes:
		 * managed
		 * AP
		 * AP/VLAN
		 * monitor
		 * mesh point
	Band 2:
		Capabilities: 0x186f
			RX LDPC
			HT20/HT40
			SM Power Save disabled
			RX HT20 SGI
			RX HT40 SGI
			No RX STBC
			Max AMSDU length: 7935 bytes
			DSSS/CCK HT40
		Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
		Minimum RX AMPDU time spacing: 4 usec (0x05)
		HT TX/RX MCS rate indexes supported: 0-23, 32
		VHT Capabilities (0x33837976):
			Max MPDU length: 11454
			Supported Channel Width: 160 MHz
			RX LDPC
			short GI (80 MHz)
			short GI (160/80+80 MHz)
			SU Beamformer
			SU Beamformee
			RX antenna pattern consistency
			TX antenna pattern consistency
		VHT RX MCS set:
			1 streams: MCS 0-9
			2 streams: MCS 0-9
			3 streams: MCS 0-9
			4 streams: not supported
			5 streams: not supported
			6 streams: not supported
			7 streams: not supported
			8 streams: not supported
		VHT RX highest supported: 0 Mbps
		VHT TX MCS set:
			1 streams: MCS 0-9
			2 streams: MCS 0-9
			3 streams: MCS 0-9
			4 streams: not supported
			5 streams: not supported
			6 streams: not supported
			7 streams: not supported
			8 streams: not supported
		VHT TX highest supported: 0 Mbps
		Frequencies:
			* 5180 MHz [36] (23.0 dBm)
			* 5200 MHz [40] (23.0 dBm)
			* 5220 MHz [44] (23.0 dBm)
			* 5240 MHz [48] (23.0 dBm)
			* 5260 MHz [52] (23.0 dBm) (radar detection)
			* 5280 MHz [56] (23.0 dBm) (radar detection)
			* 5300 MHz [60] (23.0 dBm) (radar detection)
			* 5320 MHz [64] (23.0 dBm) (radar detection)
			* 5500 MHz [100] (23.0 dBm) (radar detection)
			* 5520 MHz [104] (23.0 dBm) (radar detection)
			* 5540 MHz [108] (23.0 dBm) (radar detection)
			* 5560 MHz [112] (23.0 dBm) (radar detection)
			* 5580 MHz [116] (23.0 dBm) (radar detection)
			* 5600 MHz [120] (23.0 dBm) (radar detection)
			* 5620 MHz [124] (23.0 dBm) (radar detection)
			* 5640 MHz [128] (23.0 dBm) (radar detection)
			* 5660 MHz [132] (23.0 dBm) (radar detection)
			* 5680 MHz [136] (23.0 dBm) (radar detection)
			* 5700 MHz [140] (23.0 dBm) (radar detection)
			* 5720 MHz [144] (23.0 dBm) (radar detection)
			* 5745 MHz [149] (30.0 dBm)
			* 5765 MHz [153] (30.0 dBm)
			* 5785 MHz [157] (30.0 dBm)
			* 5805 MHz [161] (30.0 dBm)
	valid interface combinations:
		 * #{ AP } <= 16, #{ mesh point } <= 1, #{ managed } <= 1,
		   total <= 16, #channels <= 1, radar detect widths: { 20 MHz (no HT), 20 MHz, 40 MHz, 80 MHz, 160 MHz }

	HT Capability overrides:
		 * MCS: ff ff ff ff ff ff ff ff ff ff
		 * maximum A-MSDU length
		 * supported channel width
		 * short GI for 40 MHz
		 * max A-MPDU length exponent
		 * min MPDU start spacing

I have the following follow-up question:

Are "Marvell 88W8964 which supports 802.11n/ac" and "Marvell 88W8964 which supports 802.11b/g/n" two different transceivers, or are they the same one for two different bands/modes, etc.? The number 88W8964 seems to be the same for both, so I thought they were the same transceiver. If they are different, can I set one of them as AP and the other as monitor?

Thanks for your reply. Is there any way to decrypt those packets? I was wondering if there were any standard tools that did the whole thing: capture, store, decrypt.

Thanks for your reply. Running iw list shows that interface 3 does not support monitor mode, but interfaces 1 and 2 do. However, the part number of interfaces 1 and 2 is the same: 88W8964. I was wondering if you knew whether these are different radios or just one radio with different modes/capabilities/bands.

The WRT3200ACM comes with three different/independent WLAN cards:

  • one PCIe attached 88W8964 card, exclusively able to handle the 2.4 GHz band (PHY and RF amplifier limitations)
  • one PCIe attached 88W8964 card, exclusively tuned to the 5 GHz band (PHY and RF amplifier limitations)
  • one SDIO connected 88W8887 card; this card is able to tune into either the 2.4 GHz band XOR the 5 GHz band, but it's slower than the 88W8964 cards and originally not meant to be used as an actual WLAN card (or AP), instead only meant for passive sniffing for DFS events in the 5 GHz band.

Thanks for your reply. Really appreciate you taking the time.

Can the 88W8887 card perform passive sniffing without having a monitor mode capability?

Also, let's say that I were to do this using a different router, is there any good open source router which has 802.11ac support on it?

Listening for DFS events and doing regular channel sweeps is not the same as packet logging/monitor mode.