Tom Jones
Email: <thj AT SPAMFREE freebsd DOT org>
Hacking Notes
Loader
building:
make buildenv
make -C stand
(make buildenv drops into a shell with the build environment set up; make -C stand then builds the loader inside that shell.)
pcie pass through
The old method for having ppt pick up devices is with loader.conf like:
Instead we can use devctl, which takes either a device name or a PCI path. Once the existing driver is detached its unit name (xhci0) no longer exists, so the second step has to address the device by its full path:
sudo devctl detach xhci0
sudo devctl set driver pci0:0:20:0 ppt
Unlike the loader.conf method this does not survive a reboot, and the ppt driver has to be available (it is part of the vmm module).
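The same hand-over scripted, as an added example rather than something from these notes: look the function up in pciconf -l to learn its current driver, detach only if something is attached, then hand it to ppt by path and confirm. The device path is the notes' pci0:0:20:0; the helper names, the vmm check and the pciconf line quoted in the comment are assumptions.

```sh
#!/bin/sh
# Added example, not from the original notes: hand one PCI function to the ppt
# driver with devctl(8), after looking its current driver up in pciconf(8) output.
# The path "pci0:0:20:0" is the one in the notes; everything else is assumed.
set -eu

# Turn one `pciconf -l` line into "<driver> <devctl path>", e.g.
#   "xhci0@pci0:0:20:0:  class=0x0c0330 rev=0x21 ..."  ->  "xhci0 pci0:0:20:0"
# A function with no driver attached is listed as "noneN@pci0:...".
pci_selector() {
    printf '%s\n' "$1" |
        sed -n 's/^\([^@]*\)@\([^:]*:[0-9]*:[0-9]*:[0-9]*\):.*/\1 \2/p'
}

# Detach whatever owns the function at $1 and attach ppt to it. Once the old
# driver is detached its unit name (xhci0) is gone, so the second devctl call
# has to address the device by path.
pass_to_ppt() {
    path=$1
    line=$(pciconf -l | grep "@$path:") ||
        { echo "no PCI function at $path" >&2; return 1; }
    set -- $(pci_selector "$line")
    driver=$1
    # ppt is provided by vmm.ko; without it "set driver" has nothing to attach.
    kldstat -q -m vmm || kldload vmm
    case $driver in
        ppt*)  echo "$path is already attached to $driver"; return 0 ;;
        none*) ;;                          # nothing attached, nothing to detach
        *)     devctl detach "$driver" ;;
    esac
    devctl set driver "$path" ppt
    pciconf -l | grep "@$path:"            # expect pptN@pci0:0:20:0 now
}

# Run as root on the host, e.g. `sh passthru.sh pci0:0:20:0`; not persistent.
if [ $# -eq 1 ]; then
    pass_to_ppt "$1"
fi
```

The grep anchors on "@path:" with the trailing colon so pci0:0:2:0 cannot match a lookup for pci0:0:20:0, and the case on the driver name avoids a failing detach when the function is already unclaimed.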
Wireless
Some handy wireshark expressions:
probe request and response:
(wlan.sa == e4:5e:37:dc:12:6b or wlan.ra == e4:5e:37:dc:12:6b) and (wlan.fc.type_subtype == 0x0004 or wlan.fc.type_subtype == 0x0005)
assoc request and response (subtypes 0x0000 and 0x0001, not the probe subtypes):
(wlan.sa == e4:5e:37:dc:12:6b or wlan.ra == e4:5e:37:dc:12:6b) and (wlan.fc.type_subtype == 0x0000 or wlan.fc.type_subtype == 0x0001)
The in operator makes it easier to compare with a list, here all four at once:
wlan.fc.type_subtype in {0x0000, 0x0001, 0x0004, 0x0005} and (wlan.sa == e4:5e:37:dc:12:6b or wlan.ra == e4:5e:37:dc:12:6b)
Decrypting wpa with tshark
sudo tcpdump -i wlan1 -y IEEE802_11_RADIO
sudo tshark -i wlan1 -I -V -o wlan.enable_decryption:TRUE -o "uat:80211_keys:\"wpa-pwd\",\"{ieee80211}:{fw-enc}\""
The same with single quotes, which saves the escaping, plus a display filter for one station:
sudo tshark -i wlan1 -I -V -o wlan.enable_decryption:TRUE -o 'uat:80211_keys:"wpa-pwd","{ieee80211}:{fw-enc}"' -Y 'wlan.sa == e4:5e:37:dc:12:6b or wlan.ra == e4:5e:37:dc:12:6b'
The wpa-pwd key is given as passphrase:ssid. Decryption only works for a station whose 4-way EAPOL handshake is in the capture, so the capture has to include the station's (re)association.
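The two pieces above, the per-station display filter and the wpa-pwd key, assembled by small shell functions instead of hand-quoted on the command line. This is an added example, not part of the notes; it generalises the filters to any list of MACs and subtypes, and runs tshark over a saved capture (-r) rather than live. SSID, passphrase, file and interface names are assumptions.

```sh
#!/bin/sh
# Added example, not from the original notes: build the display filter and the
# wpa-pwd key used above, then decrypt a saved capture with tshark.
# SSID, passphrase, MAC list and file names below are assumptions.
set -eu

# Wireshark's wlan.fc.type_subtype values for the frames the notes look at.
ASSOC_REQ=0x0000; ASSOC_RESP=0x0001; PROBE_REQ=0x0004; PROBE_RESP=0x0005

# sta_filter "mac1 mac2 ..." "subtype ..." -> display filter string:
# frames to or from any of the MACs, restricted to the listed subtypes with
# the "in" operator rather than a chain of "=="s.
sta_filter() {
    macs=$1 subtypes=$2
    addr=''
    for m in $macs; do
        addr="${addr:+$addr or }wlan.sa == $m or wlan.ra == $m"
    done
    st=$(printf '%s, ' $subtypes); st=${st%, }
    printf '(%s) and wlan.fc.type_subtype in {%s}\n' "$addr" "$st"
}

# wpa_pwd_uat ssid passphrase -> the -o argument that loads a WPA-PSK into
# tshark. Wireshark expects the wpa-pwd key as "passphrase:ssid".
wpa_pwd_uat() {
    printf 'uat:80211_keys:"wpa-pwd","%s:%s"\n' "$2" "$1"
}

# Decrypt a saved capture and print the frames matching $4. Decryption only
# works for stations whose 4-way EAPOL handshake is in the file, so list the
# handshake endpoints first to know which stations can be decrypted at all.
decrypt_capture() {
    file=$1 ssid=$2 pass=$3 filter=$4
    echo "stations with a captured handshake:" >&2
    tshark -r "$file" -Y eapol -T fields -e wlan.sa -e wlan.da 2>/dev/null | sort -u >&2
    tshark -r "$file" -o wlan.enable_decryption:TRUE \
        -o "$(wpa_pwd_uat "$ssid" "$pass")" -Y "$filter"
}

# Example invocation (assumed names), with the live capture replaced by a file
# saved with `tcpdump -i wlan1 -y IEEE802_11_RADIO -w sta.pcap`:
# decrypt_capture sta.pcap MySSID 'my passphrase' \
#     "$(sta_filter 'e4:5e:37:dc:12:6b' "$PROBE_REQ $PROBE_RESP")"
```

Passing the -o value through "$(wpa_pwd_uat ...)" sidesteps the nested-quote escaping that the two tshark lines above differ on, and the EAPOL listing tells you up front which stations can actually be decrypted.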
Streaming from the air interface on an OpenWRT router
On the OpenWrt side we need:
root@OpenWrt:~# tcpdump -i phy0-mon0 --immediate-mode -U -w - | nc -l -p 19000
We can filter for the gl.inet router with:
We can filter for the gl.inet router and the station with:
root@OpenWrt:~# tcpdump -i phy0-mon0 --immediate-mode -U -w - 'ether host 94:83:c4:98:ab:f2 or ether host e4:5e:37:dc:12:6b' | nc -l -p 19000
or, to also keep the ACK control frames (which carry only a receiver address), add them explicitly:
root@OpenWrt:~# tcpdump -i phy0-mon0 --immediate-mode -U -w - 'ether host 94:83:c4:98:ab:f2 or ether host e4:5e:37:dc:12:6b or type ctl subtype ack' | nc -l -p 19000
as a script:
staeth="ether host 94:83:c4:98:ab:f2"
apeth="ether host e4:5e:37:dc:12:6b"
ack="type ctl subtype ack"
beacon="subtype beacon"
tcpdump -i phy0-mon0 --immediate-mode -U -w - \
    "($staeth or $apeth or $ack) and (not $beacon)" | nc -l -p 19000
Wireshark can then connect to the router (192.168.4.164 here) and read the stream as if it were a local interface; -k starts the capture immediately:
$ wireshark -k -i TCP@192.168.4.164:19000
Nothing authenticates this: nc listens on every interface and anyone who can reach port 19000 gets the raw capture, so keep it on a trusted LAN or forward the port over ssh.
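For the laptop side, an added example that is not part of these notes: pull the stream with nc, check that what arrives really is a pcap with a radiotap link type, and only then replay it into Wireshark on stdin. That is the check you want when the router-side tcpdump is not writing what you expect (wrong interface, no monitor mode, or a pcapng writer). Router address, port and helper names are assumptions; the header bytes in the comments are constructed.

```sh
#!/bin/sh
# Added example, not from the original notes: receive the router's tcpdump
# stream, validate the pcap global header, then hand the capture to Wireshark.
# ROUTER and PORT are assumptions; override them in the environment.
set -eu

ROUTER=${ROUTER:-192.168.4.164}
PORT=${PORT:-19000}

# Read a 24-byte pcap global header from stdin and print its link type in
# decimal, honouring the byte order the magic number announces. Fails (and
# prints nothing) for anything that is not a classic pcap header, including
# pcapng, whose leading block type 0x0a0d0d0a is deliberately not handled.
# Layout: magic(4) major(2) minor(2) thiszone(4) sigfigs(4) snaplen(4) linktype(4)
pcap_linktype() {
    set -- $(dd bs=1 count=24 2>/dev/null | od -An -tu1 -v)
    [ $# -eq 24 ] || return 1
    case "$1 $2 $3 $4" in
        "212 195 178 161"|"77 60 178 161")     # d4c3b2a1 / 4d3cb2a1: little endian
            echo $(( ${21} | (${22} << 8) | (${23} << 16) | (${24} << 24) )) ;;
        "161 178 195 212"|"161 178 60 77")     # a1b2c3d4 / a1b23c4d: big endian
            echo $(( ${24} | (${23} << 8) | (${22} << 16) | (${21} << 24) )) ;;
        *) return 1 ;;
    esac
}

# Connect to the router, keep the first 24 bytes aside, validate them, then
# replay header plus the rest of the stream into Wireshark reading stdin.
receive_capture() {
    hdr=$(mktemp)
    trap 'rm -f "$hdr"' EXIT
    nc "$ROUTER" "$PORT" | {
        dd bs=1 count=24 of="$hdr" 2>/dev/null
        lt=$(pcap_linktype < "$hdr") ||
            { echo "stream from $ROUTER is not a pcap file" >&2; exit 1; }
        case $lt in
            127) ;;   # IEEE802_11_RADIO: radiotap, what a monitor interface gives
            105) echo "warning: plain 802.11 (105), no radiotap signal info" >&2 ;;
            *)   echo "warning: unexpected link type $lt" >&2 ;;
        esac
        cat "$hdr" - | wireshark -k -i -
    }
}

# receive_capture
```

The header is read with dd bs=1 so a pipe delivering it in small pieces cannot produce a short read, and it is replayed with cat before the rest of the stream so Wireshark still sees a complete file.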